.semgrep_rules.yml

rules:
- id: python.lang.security.audit.dangerous-os-exec.dangerous-os-exec
  languages:
  - python
  message: Found dynamic content when spawning a process. This is dangerous if external
    data can reach this function call because it allows a malicious actor to execute
    commands. Ensure no external data reaches here.
  metadata:
    asvs:
      control_id: 5.3.8 OS Command Injection
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    shortlink: https://sg.run/L8BX
    source: https://semgrep.dev/r/python.lang.security.audit.dangerous-os-exec.dangerous-os-exec
    technology:
    - python
  pattern-either:
  - patterns:
    - pattern-not: os.$METHOD("...", ...)
    - pattern: os.$METHOD(...)
    - metavariable-regex:
        metavariable: $METHOD
        regex: (execl|execle|execlp|execlpe|execv|execve|execvp|execvpe)
  - patterns:
    - pattern-not: os.$METHOD("...", [$PATH,"...","...",...],...)
    - pattern: os.$METHOD($BASH,[$PATH,"-c",$CMD,...],...)
    - metavariable-regex:
        metavariable: $METHOD
        regex: (execv|execve|execvp|execvpe)
    - metavariable-regex:
        metavariable: $BASH
        regex: (.*)(sh|bash|ksh|csh|tcsh|zsh)
  - patterns:
    - pattern-not: os.$METHOD("...", $PATH, "...", "...",...)
    - pattern: os.$METHOD($BASH, $PATH, "-c", $CMD,...)
    - metavariable-regex:
        metavariable: $METHOD
        regex: (execl|execle|execlp|execlpe)
    - metavariable-regex:
        metavariable: $BASH
        regex: (.*)(sh|bash|ksh|csh|tcsh|zsh)
  severity: ERROR
- id: python.lang.security.audit.dangerous-spawn-process.dangerous-spawn-process
  languages:
  - python
  message: Found dynamic content when spawning a process. This is dangerous if external
    data can reach this function call because it allows a malicious actor to execute
    commands. Ensure no external data reaches here.
  metadata:
    asvs:
      control_id: 5.3.8 OS Command Injection
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    shortlink: https://sg.run/OPYB
    source: https://semgrep.dev/r/python.lang.security.audit.dangerous-spawn-process.dangerous-spawn-process
    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
    technology:
    - python
  pattern-either:
  - patterns:
    - pattern-not: os.$METHOD($MODE, "...", ...)
    - pattern: os.$METHOD(...)
    - metavariable-regex:
        metavariable: $METHOD
        regex: (spawnl|spawnle|spawnlp|spawnlpe|spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp|startfile)
  - patterns:
    - pattern-not: os.$METHOD($MODE, "...", ["...","...",...], ...)
    - pattern: os.$METHOD($MODE, $BASH, ["-c",$CMD,...],...)
    - metavariable-regex:
        metavariable: $METHOD
        regex: (spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp)
    - metavariable-regex:
        metavariable: $BASH
        regex: (.*)(sh|bash|ksh|csh|tcsh|zsh)
  - patterns:
    - pattern-not: os.$METHOD($MODE, "...", "...", "...", ...)
    - pattern: os.$METHOD($MODE, $BASH, "-c", $CMD,...)
    - metavariable-regex:
        metavariable: $METHOD
        regex: (spawnl|spawnle|spawnlp|spawnlpe)
    - metavariable-regex:
        metavariable: $BASH
        regex: (.*)(sh|bash|ksh|csh|tcsh|zsh)
  severity: ERROR
- id: python.django.performance.access-foreign-keys.access-foreign-keys
  languages:
  - python
  message: You should use ITEM.user_id rather than ITEM.user.id to prevent running
    an extra query.
  metadata:
    category: performance
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/XBoB
    source: https://semgrep.dev/r/python.django.performance.access-foreign-keys.access-foreign-keys
    technology:
    - django
  patterns:
  - pattern-either:
    - pattern-inside: |
        from django.$Y import $Z
        ...
    - pattern-inside: |
        import django
        ...
  - pattern: $X.user.id
  - pattern-not: request.user.id
  severity: WARNING
- id: python.django.security.injection.command.command-injection-os-system.command-injection-os-system
  languages:
  - python
  message: Request data detected in os.system. This could be vulnerable to a command
    injection and should be avoided. If this must be done, use the 'subprocess' module
    instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection
    for more information.
  metadata:
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://owasp.org/www-community/attacks/Command_Injection
    shortlink: https://sg.run/Gen2
    source: https://semgrep.dev/r/python.django.security.injection.command.command-injection-os-system.command-injection-os-system
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $FUNC(...):
        ...
  - pattern-either:
    - pattern: os.system(..., request.$W.get(...), ...)
    - pattern: os.system(..., $S.format(..., request.$W.get(...), ...), ...)
    - pattern: os.system(..., $S % request.$W.get(...), ...)
    - pattern: os.system(..., f"...{request.$W.get(...)}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        os.system(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $DATA
        ...
        os.system(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        os.system(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        os.system(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        os.system(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % $DATA
        ...
        os.system(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        os.system(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        os.system(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        os.system(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR + $DATA
        ...
        os.system(..., $INTERM, ...)
    - pattern: $A = os.system(..., request.$W.get(...), ...)
    - pattern: $A = os.system(..., $S.format(..., request.$W.get(...), ...), ...)
    - pattern: $A = os.system(..., $S % request.$W.get(...), ...)
    - pattern: $A = os.system(..., f"...{request.$W.get(...)}...", ...)
    - pattern: return os.system(..., request.$W.get(...), ...)
    - pattern: return os.system(..., $S.format(..., request.$W.get(...), ...), ...)
    - pattern: return os.system(..., $S % request.$W.get(...), ...)
    - pattern: return os.system(..., f"...{request.$W.get(...)}...", ...)
    - pattern: os.system(..., request.$W(...), ...)
    - pattern: os.system(..., $S.format(..., request.$W(...), ...), ...)
    - pattern: os.system(..., $S % request.$W(...), ...)
    - pattern: os.system(..., f"...{request.$W(...)}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        os.system(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $DATA
        ...
        os.system(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        os.system(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        os.system(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        os.system(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % $DATA
        ...
        os.system(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        os.system(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        os.system(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        os.system(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR + $DATA
        ...
        os.system(..., $INTERM, ...)
    - pattern: $A = os.system(..., request.$W(...), ...)
    - pattern: $A = os.system(..., $S.format(..., request.$W(...), ...), ...)
    - pattern: $A = os.system(..., $S % request.$W(...), ...)
    - pattern: $A = os.system(..., f"...{request.$W(...)}...", ...)
    - pattern: return os.system(..., request.$W(...), ...)
    - pattern: return os.system(..., $S.format(..., request.$W(...), ...), ...)
    - pattern: return os.system(..., $S % request.$W(...), ...)
    - pattern: return os.system(..., f"...{request.$W(...)}...", ...)
    - pattern: os.system(..., request.$W[...], ...)
    - pattern: os.system(..., $S.format(..., request.$W[...], ...), ...)
    - pattern: os.system(..., $S % request.$W[...], ...)
    - pattern: os.system(..., f"...{request.$W[...]}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        os.system(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $DATA
        ...
        os.system(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        os.system(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        os.system(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        os.system(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % $DATA
        ...
        os.system(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        os.system(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = f"...{$DATA}..."
        ...
        os.system(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        os.system(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR + $DATA
        ...
        os.system(..., $INTERM, ...)
    - pattern: $A = os.system(..., request.$W[...], ...)
    - pattern: $A = os.system(..., $S.format(..., request.$W[...], ...), ...)
    - pattern: $A = os.system(..., $S % request.$W[...], ...)
    - pattern: $A = os.system(..., f"...{request.$W[...]}...", ...)
    - pattern: return os.system(..., request.$W[...], ...)
    - pattern: return os.system(..., $S.format(..., request.$W[...], ...), ...)
    - pattern: return os.system(..., $S % request.$W[...], ...)
    - pattern: return os.system(..., f"...{request.$W[...]}...", ...)
    - pattern: os.system(..., request.$W, ...)
    - pattern: os.system(..., $S.format(..., request.$W, ...), ...)
    - pattern: os.system(..., $S % request.$W, ...)
    - pattern: os.system(..., f"...{request.$W}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        os.system(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $DATA
        ...
        os.system(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        os.system(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        os.system(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        os.system(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % $DATA
        ...
        os.system(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        os.system(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = f"...{$DATA}..."
        ...
        os.system(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        os.system(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR + $DATA
        ...
        os.system(..., $INTERM, ...)
    - pattern: $A = os.system(..., request.$W, ...)
    - pattern: $A = os.system(..., $S.format(..., request.$W, ...), ...)
    - pattern: $A = os.system(..., $S % request.$W, ...)
    - pattern: $A = os.system(..., f"...{request.$W}...", ...)
    - pattern: return os.system(..., request.$W, ...)
    - pattern: return os.system(..., $S.format(..., request.$W, ...), ...)
    - pattern: return os.system(..., $S % request.$W, ...)
    - pattern: return os.system(..., f"...{request.$W}...", ...)
  severity: ERROR
- id: python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization
  languages:
  - python
  message: Avoid using insecure deserialization library, backed by `pickle`, `_pickle`,
    `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code
    execution vulnerabilities.
  metadata:
    category: security
    cwe: 'CWE-502: Deserialization of Untrusted Data'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A8: Insecure Deserialization'
    references:
    - https://docs.python.org/3/library/pickle.html
    shortlink: https://sg.run/9oyr
    source: https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization
    technology:
    - django
  mode: taint
  pattern-sinks:
  - pattern-either:
    - patterns:
      - pattern-either:
        - pattern: |
            pickle.$PICKLEFUNC(...)
        - pattern: |
            _pickle.$PICKLEFUNC(...)
        - pattern: |
            cPickle.$PICKLEFUNC(...)
        - pattern: |
            shelve.$PICKLEFUNC(...)
      - metavariable-regex:
          metavariable: $PICKLEFUNC
          regex: dumps|dump|load|loads
    - patterns:
      - pattern: dill.$DILLFUNC(...)
      - metavariable-regex:
          metavariable: $DILLFUNC
          regex: dump|dump_session|dumps|load|load_session|loads
    - patterns:
      - pattern: yaml.$YAMLFUNC(...)
      - metavariable-regex:
          metavariable: $YAMLFUNC
          regex: dump|dump_all|load|load_all
  pattern-sources:
  - pattern-either:
    - patterns:
      - pattern-inside: |
          def $INSIDE(..., $PARAM, ...):
            ...
      - pattern-either:
        - pattern: request.$REQFUNC(...)
        - pattern: request.$REQFUNC.get(...)
        - pattern: request.$REQFUNC[...]
  severity: ERROR
- id: python.bokeh.maintainability.deprecated.deprecated_apis.bokeh-deprecated-apis
  languages:
  - python
  message: These APIs are deprecated in Bokeh see https://docs.bokeh.org/en/latest/docs/releases.html#api-deprecations
  metadata:
    category: maintainability
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/7ok2
    source: https://semgrep.dev/r/python.bokeh.maintainability.deprecated.deprecated_apis.bokeh-deprecated-apis
    technology:
    - bokeh
  pattern-either:
  - pattern: |
      import bokeh.layouts.widgetbox
  - pattern: |
      import bokeh.models.graphs.from_networkx
  severity: WARNING
- id: python.click.best-practice.echo-style.use-click-secho
  languages:
  - python
  message: Use `click.secho($X)` instead. It combines click.echo() and click.style().
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/8ywN
    source: https://semgrep.dev/r/python.click.best-practice.echo-style.use-click-secho
    technology:
    - click
  pattern: click.echo(click.style($X, ...))
  severity: ERROR
- id: python.django.best-practice.upsell_django_environ.use-django-environ
  languages:
  - python
  message: You are using environment variables inside django app. Use `django-environ`
    as it a better alternative for deployment.
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/DoQP
    source: https://semgrep.dev/r/python.django.best-practice.upsell_django_environ.use-django-environ
    technology:
    - django
  patterns:
  - pattern-not-inside: |
      import environ
      ...
  - pattern-either:
    - pattern: |
        import django
        ...
        import os
        ...
        $FOO = $M.environ[...]
    - pattern: |
        import os
        ...
        import django
        ...
        $FOO = $M.environ[...]
  severity: ERROR
- id: python.django.compatibility.django-2_0-compat.django-compat-2_0-signals-weak
  languages:
  - python
  message: The weak argument to django.dispatch.signals.Signal.disconnect() is removed
    in Django 2.0.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/0Qjj
    source: https://semgrep.dev/r/python.django.compatibility.django-2_0-compat.django-compat-2_0-signals-weak
    technology:
    - django
  pattern: django.dispatch.signals.Signal.disconnect(..., weak=$X, ...)
  severity: WARNING
- id: python.django.compatibility.django-2_0-compat.django-compat-2_0-extra-forms
  languages:
  - python
  message: The django.forms.extras package is removed in Django 2.0.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/qx07
    source: https://semgrep.dev/r/python.django.compatibility.django-2_0-compat.django-compat-2_0-extra-forms
    technology:
    - django
  pattern-either:
  - pattern: from django.forms import extras
  - pattern: from django.forms.extras import $X
  - pattern: from django.forms import extras as $Y
  - pattern: from django.forms.extras import $X as $Y
  - pattern: import django.forms.extras
  - pattern: import django.forms.extras.$X
  - pattern: import django.forms.extras as $Y
  - pattern: import django.forms.extras.$X as $Y
  severity: WARNING
- id: python.django.compatibility.django-2_0-compat.django-compat-2_0-assignment-tag
  languages:
  - python
  message: The assignment_tag helper is removed in Django 2.0.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/l2RE
    source: https://semgrep.dev/r/python.django.compatibility.django-2_0-compat.django-compat-2_0-assignment-tag
    technology:
    - django
  pattern-either:
  - pattern: $X.assignment_tag(...)
  - pattern: assignment_tag(...)
  severity: WARNING
- id: python.django.compatibility.django-2_0-compat.django-compat-2_0-assert-redirects-helper
  languages:
  - python
  message: The host argument to assertRedirects is removed in Django 2.0.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/YvQy
    source: https://semgrep.dev/r/python.django.compatibility.django-2_0-compat.django-compat-2_0-assert-redirects-helper
    technology:
    - django
  pattern-either:
  - pattern: $X.assertRedirects(..., host=$Y, ...)
  - pattern: assertRedirects(..., host=$Y, ...)
  severity: WARNING
- id: python.django.correctness.model-save.django-db-model-save-super
  languages:
  - python
  message: Detected a django model `$MODEL` is not calling super().save() inside of
    the save method.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/6nN1
    source: https://semgrep.dev/r/python.django.correctness.model-save.django-db-model-save-super
    technology:
    - django
  patterns:
  - pattern-inside: |
      class $MODEL(django.db.models.Model):
          ...
  - pattern-not: |
      def save(self, ...):
        ...
        super($MODEL, self).save(...)
  - pattern-not: |
      def save(self, ...):
        ...
        super().save(...)
  - pattern: |
      def save(self, ...):
        ...
  severity: WARNING
- id: python.django.correctness.string-field-null-checks.string-field-must-set-null-true
  languages:
  - python
  message: If a text field declares unique=True and blank=True, null=True must also
    be set to avoid unique constraint violations when saving multiple objects with
    blank values.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/pxPZ
    source: https://semgrep.dev/r/python.django.correctness.string-field-null-checks.string-field-must-set-null-true
    technology:
    - django
  patterns:
  - pattern-inside: |
      class $M(...):
        ...
  - pattern-not: $F = django.db.models.CharField(..., unique=True, blank=True, null=True,
      ...)
  - pattern-not: $F = django.db.models.TextField(..., unique=True, blank=True, null=True,
      ...)
  - pattern-either:
    - pattern: $F = django.db.models.CharField(..., unique=True, blank=True, ...)
    - pattern: $F = django.db.models.TextField(..., unique=True, blank=True, ...)
  severity: ERROR
- id: python.django.correctness.use-decimalfield-for-money.use-decimalfield-for-money
  languages:
  - python
  message: Found a FloatField used for variable $F. Use DecimalField for currency
    fields to avoid float-rounding errors.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/2xzL
    source: https://semgrep.dev/r/python.django.correctness.use-decimalfield-for-money.use-decimalfield-for-money
    technology:
    - django
  patterns:
  - pattern-inside: |
      class $M(...):
        ...
  - pattern: $F = django.db.models.FloatField(...)
  - metavariable-regex:
      metavariable: $F
      regex: .*([pP][rR][iI][cC][eE]|[aA][mM][oO][uU][nN][tT]|[sS][uU][bB][tT][oO][tT][aA][lL]|[dD][oO][nN][aA][tT][iI][oO][nN]|[fF][eE][eE]|[sS][aA][lL][aA][rR][yY]|[pP][rR][eE][cC][iI][oO]).*
  severity: ERROR
- id: python.django.performance.upsell-count.use-count-method
  languages:
  - python
  message: Looks like you need to determine the number of records. Django provides
    the count() method which is more efficient than .len(). See https://docs.djangoproject.com/en/3.0/ref/models/querysets/
  metadata:
    category: performance
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/jRdN
    source: https://semgrep.dev/r/python.django.performance.upsell-count.use-count-method
    technology:
    - django
  pattern-either:
  - pattern: $X.objects.$FUNC(...).len()
  - pattern: $X.objects.$FUNC(...).$FILTER().len()
  - pattern: $X.objects.$FUNC(...).$FILTER().$UPDATE(...).len()
  severity: ERROR
- id: python.django.performance.upsell_earliest_latest.use-earliest-or-latest
  languages:
  - python
  message: Looks like you are only accessing first element of an ordered QuerySet.
    Use `latest()` or `earliest()` instead. See https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.latest
  metadata:
    category: performance
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/1ZoG
    source: https://semgrep.dev/r/python.django.performance.upsell_earliest_latest.use-earliest-or-latest
    technology:
    - django
  pattern-either:
  - pattern: $X.objects.order_by(...)[0]
  - pattern: $X.objects.$FUNC(...).order_by(...)[0]
  - pattern: $X.objects.$FUNC(...).$FILTER(...).order_by(...)[0]
  severity: ERROR
- id: python.django.security.audit.query-set-extra.avoid-query-set-extra
  languages:
  - python
  message: QuerySet.extra' does not provide safeguards against SQL injection and requires
    very careful use. SQL injection can lead to critical data being stolen by attackers.
    Instead of using '.extra', use the Django ORM and parameterized queries such as
    `People.objects.get(name='Bob')`.
  metadata:
    category: security
    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
      (''SQL Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp:
    - A01:2017 - Injection
    - A03:2021 - Injection
    references:
    - https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.extra
    - https://blog.r2c.dev/2020/preventing-sql-injection-a-django-authors-perspective/
    shortlink: https://sg.run/kXZP
    source: https://semgrep.dev/r/python.django.security.audit.query-set-extra.avoid-query-set-extra
    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b610_django_extra_used.html
    technology:
    - django
  patterns:
  - pattern: $MODEL.extra(...)
  - pattern-not-inside: '$MODEL.extra(select = {$KEY: "..."})'
  severity: WARNING
- id: python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open
  languages:
  - python
  message: Found request data in a call to 'open'.  Ensure the request data is validated
    or sanitized,  otherwise it could result in path traversal attacks and  therefore
    sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath
    or the pathlib library.
  metadata:
    category: security
    cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path
      Traversal'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://owasp.org/www-community/attacks/Path_Traversal
    shortlink: https://sg.run/W8qg
    source: https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $FUNC(...):
        ...
  - pattern-either:
    - pattern: open(..., request.$W.get(...), ...)
    - pattern: open(..., $S.format(..., request.$W.get(...), ...), ...)
    - pattern: open(..., $S % request.$W.get(...), ...)
    - pattern: open(..., f"...{request.$W.get(...)}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        open(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $DATA
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $DATA
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        open(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        open(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % $DATA
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % $DATA
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        open(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        open(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR + $DATA
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR + $DATA
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: $A = open(..., request.$W.get(...), ...)
    - pattern: $A = open(..., $S.format(..., request.$W.get(...), ...), ...)
    - pattern: $A = open(..., $S % request.$W.get(...), ...)
    - pattern: $A = open(..., f"...{request.$W.get(...)}...", ...)
    - pattern: return open(..., request.$W.get(...), ...)
    - pattern: return open(..., $S.format(..., request.$W.get(...), ...), ...)
    - pattern: return open(..., $S % request.$W.get(...), ...)
    - pattern: return open(..., f"...{request.$W.get(...)}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        with open(..., $DATA, ...) as $FD:
          ...
    - pattern: open(..., request.$W(...), ...)
    - pattern: open(..., $S.format(..., request.$W(...), ...), ...)
    - pattern: open(..., $S % request.$W(...), ...)
    - pattern: open(..., f"...{request.$W(...)}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        open(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $DATA
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $DATA
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: |
        $DATA = request.$W(...)
        ...
        open(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: |
        $DATA = request.$W(...)
        ...
        open(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % $DATA
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % $DATA
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: |
        $DATA = request.$W(...)
        ...
        open(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: |
        $DATA = request.$W(...)
        ...
        open(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR + $DATA
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR + $DATA
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: $A = open(..., request.$W(...), ...)
    - pattern: $A = open(..., $S.format(..., request.$W(...), ...), ...)
    - pattern: $A = open(..., $S % request.$W(...), ...)
    - pattern: $A = open(..., f"...{request.$W(...)}...", ...)
    - pattern: return open(..., request.$W(...), ...)
    - pattern: return open(..., $S.format(..., request.$W(...), ...), ...)
    - pattern: return open(..., $S % request.$W(...), ...)
    - pattern: return open(..., f"...{request.$W(...)}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        with open(..., $DATA, ...) as $FD:
          ...
    - pattern: open(..., request.$W[...], ...)
    - pattern: open(..., $S.format(..., request.$W[...], ...), ...)
    - pattern: open(..., $S % request.$W[...], ...)
    - pattern: open(..., f"...{request.$W[...]}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        open(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $DATA
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $DATA
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: |
        $DATA = request.$W[...]
        ...
        open(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: |
        $DATA = request.$W[...]
        ...
        open(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % $DATA
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % $DATA
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: |
        $DATA = request.$W[...]
        ...
        open(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = f"...{$DATA}..."
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = f"...{$DATA}..."
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: |
        $DATA = request.$W[...]
        ...
        open(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR + $DATA
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR + $DATA
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: $A = open(..., request.$W[...], ...)
    - pattern: $A = open(..., $S.format(..., request.$W[...], ...), ...)
    - pattern: $A = open(..., $S % request.$W[...], ...)
    - pattern: $A = open(..., f"...{request.$W[...]}...", ...)
    - pattern: return open(..., request.$W[...], ...)
    - pattern: return open(..., $S.format(..., request.$W[...], ...), ...)
    - pattern: return open(..., $S % request.$W[...], ...)
    - pattern: return open(..., f"...{request.$W[...]}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        with open(..., $DATA, ...) as $FD:
          ...
    - pattern: open(..., request.$W, ...)
    - pattern: open(..., $S.format(..., request.$W, ...), ...)
    - pattern: open(..., $S % request.$W, ...)
    - pattern: open(..., f"...{request.$W}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        open(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $DATA
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $DATA
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: |
        $DATA = request.$W
        ...
        open(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: |
        $DATA = request.$W
        ...
        open(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % $DATA
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % $DATA
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: |
        $DATA = request.$W
        ...
        open(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = f"...{$DATA}..."
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = f"...{$DATA}..."
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: |
        $DATA = request.$W
        ...
        open(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR + $DATA
        ...
        open(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR + $DATA
        ...
        with open(..., $INTERM, ...) as $FD:
          ...
    - pattern: $A = open(..., request.$W, ...)
    - pattern: $A = open(..., $S.format(..., request.$W, ...), ...)
    - pattern: $A = open(..., $S % request.$W, ...)
    - pattern: $A = open(..., f"...{request.$W}...", ...)
    - pattern: return open(..., request.$W, ...)
    - pattern: return open(..., $S.format(..., request.$W, ...), ...)
    - pattern: return open(..., $S % request.$W, ...)
    - pattern: return open(..., f"...{request.$W}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        with open(..., $DATA, ...) as $FD:
          ...
  severity: WARNING
- id: python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse
  languages:
  - python
  message: Found user-controlled request data passed into HttpResponse. This could
    be vulnerable to XSS, leading to attackers gaining access to user cookies and
    protected information. Ensure that the request data is properly escaped or sanitzed.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss
    shortlink: https://sg.run/BkvA
    source: https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $FUNC(...):
        ...
  - pattern-either:
    - pattern: django.http.HttpResponse(..., $S.format(..., request.$W.get(...), ...),
        ...)
    - pattern: django.http.HttpResponse(..., $S % request.$W.get(...), ...)
    - pattern: django.http.HttpResponse(..., f"...{request.$W.get(...)}...", ...)
    - pattern: django.http.HttpResponse(..., request.$W.get(...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.http.HttpResponse(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $DATA
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.http.HttpResponse(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.http.HttpResponse(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % $DATA
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.http.HttpResponse(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.http.HttpResponse(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR + $DATA
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: $A = django.http.HttpResponse(..., request.$W.get(...), ...)
    - pattern: return django.http.HttpResponse(..., request.$W.get(...), ...)
    - pattern: django.http.HttpResponse(..., $S.format(..., request.$W(...), ...),
        ...)
    - pattern: django.http.HttpResponse(..., $S % request.$W(...), ...)
    - pattern: django.http.HttpResponse(..., f"...{request.$W(...)}...", ...)
    - pattern: django.http.HttpResponse(..., request.$W(...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.http.HttpResponse(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $DATA
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.http.HttpResponse(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.http.HttpResponse(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % $DATA
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.http.HttpResponse(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.http.HttpResponse(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR + $DATA
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: $A = django.http.HttpResponse(..., request.$W(...), ...)
    - pattern: return django.http.HttpResponse(..., request.$W(...), ...)
    - pattern: django.http.HttpResponse(..., $S.format(..., request.$W[...], ...),
        ...)
    - pattern: django.http.HttpResponse(..., $S % request.$W[...], ...)
    - pattern: django.http.HttpResponse(..., f"...{request.$W[...]}...", ...)
    - pattern: django.http.HttpResponse(..., request.$W[...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.http.HttpResponse(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $DATA
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.http.HttpResponse(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.http.HttpResponse(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % $DATA
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.http.HttpResponse(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.http.HttpResponse(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR + $DATA
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: $A = django.http.HttpResponse(..., request.$W[...], ...)
    - pattern: return django.http.HttpResponse(..., request.$W[...], ...)
    - pattern: django.http.HttpResponse(..., $S.format(..., request.$W, ...), ...)
    - pattern: django.http.HttpResponse(..., $S % request.$W, ...)
    - pattern: django.http.HttpResponse(..., f"...{request.$W}...", ...)
    - pattern: django.http.HttpResponse(..., request.$W, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.http.HttpResponse(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $DATA
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.http.HttpResponse(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.http.HttpResponse(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % $DATA
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.http.HttpResponse(..., f"...{$DATA}...", ...)
    - pattern: $A = django.http.HttpResponse(..., request.$W, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR + $DATA
        ...
        $A = django.http.HttpResponse(..., $INTERM, ...)
    - pattern: return django.http.HttpResponse(..., request.$W, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.http.HttpResponse(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.http.HttpResponse(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR + $DATA
        ...
        django.http.HttpResponse(..., $INTERM, ...)
  severity: WARNING
- id: python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest
  languages:
  - python
  message: Found user-controlled request data passed into a HttpResponseBadRequest.
    This could be vulnerable to XSS, leading to attackers gaining access to user cookies
    and protected information. Ensure that the request data is properly escaped or
    sanitzed.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss
    shortlink: https://sg.run/DoZP
    source: https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $FUNC(...):
        ...
  - pattern-either:
    - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W.get(...),
        ...), ...)
    - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W.get(...), ...)
    - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W.get(...)}...",
        ...)
    - pattern: django.http.HttpResponseBadRequest(..., request.$W.get(...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.http.HttpResponseBadRequest(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $DATA
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.http.HttpResponseBadRequest(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % $DATA
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.http.HttpResponseBadRequest(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR + $DATA
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W.get(...), ...)
    - pattern: return django.http.HttpResponseBadRequest(..., request.$W.get(...),
        ...)
    - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W(...),
        ...), ...)
    - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W(...), ...)
    - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W(...)}...",
        ...)
    - pattern: django.http.HttpResponseBadRequest(..., request.$W(...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.http.HttpResponseBadRequest(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $DATA
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.http.HttpResponseBadRequest(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % $DATA
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.http.HttpResponseBadRequest(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR + $DATA
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W(...), ...)
    - pattern: return django.http.HttpResponseBadRequest(..., request.$W(...), ...)
    - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W[...],
        ...), ...)
    - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W[...], ...)
    - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W[...]}...",
        ...)
    - pattern: django.http.HttpResponseBadRequest(..., request.$W[...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.http.HttpResponseBadRequest(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $DATA
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.http.HttpResponseBadRequest(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % $DATA
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.http.HttpResponseBadRequest(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR + $DATA
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W[...], ...)
    - pattern: return django.http.HttpResponseBadRequest(..., request.$W[...], ...)
    - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W,
        ...), ...)
    - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W, ...)
    - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W}...", ...)
    - pattern: django.http.HttpResponseBadRequest(..., request.$W, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.http.HttpResponseBadRequest(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $DATA
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.http.HttpResponseBadRequest(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % $DATA
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.http.HttpResponseBadRequest(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR + $DATA
        ...
        django.http.HttpResponseBadRequest(..., $INTERM, ...)
    - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W, ...)
    - pattern: return django.http.HttpResponseBadRequest(..., request.$W, ...)
  severity: WARNING
- id: python.django.security.injection.request-data-fileresponse.request-data-fileresponse
  languages:
  - python
  message: Found user-controlled request data being passed into a file open, which
    is them passed as an argument into  the FileResponse. This is dangerous because
    an attacker could specify an arbitrary file to read, which could result in leaking
    important data. Be sure to validate or sanitize the user-inputted filename in
    the request data before using it in FileResponse.
  metadata:
    category: security
    cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path
      Traversal'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss
    shortlink: https://sg.run/W862
    source: https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $FUNC(...):
        ...
  - pattern-either:
    - pattern: django.http.FileResponse(..., request.$W.get(...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.http.FileResponse(..., open($DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = open($DATA, ...)
        ...
        django.http.FileResponse(..., $INTERM, ...)
    - pattern: $A = django.http.FileResponse(..., request.$W.get(...), ...)
    - pattern: return django.http.FileResponse(..., request.$W.get(...), ...)
    - pattern: django.http.FileResponse(..., request.$W(...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.http.FileResponse(..., open($DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = open($DATA, ...)
        ...
        django.http.FileResponse(..., $INTERM, ...)
    - pattern: $A = django.http.FileResponse(..., request.$W(...), ...)
    - pattern: return django.http.FileResponse(..., request.$W(...), ...)
    - pattern: django.http.FileResponse(..., request.$W[...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.http.FileResponse(..., open($DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = open($DATA, ...)
        ...
        django.http.FileResponse(..., $INTERM, ...)
    - pattern: $A = django.http.FileResponse(..., request.$W[...], ...)
    - pattern: return django.http.FileResponse(..., request.$W[...], ...)
    - pattern: django.http.FileResponse(..., request.$W, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.http.FileResponse(..., open($DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = open($DATA, ...)
        ...
        django.http.FileResponse(..., $INTERM, ...)
    - pattern: $A = django.http.FileResponse(..., request.$W, ...)
    - pattern: return django.http.FileResponse(..., request.$W, ...)
  severity: WARNING
- id: python.django.security.injection.request-data-write.request-data-write
  languages:
  - python
  message: Found user-controlled request data passed into '.write(...)'. This could
    be dangerous if a malicious actor is able to control data into sensitive files.
    For example, a malicious actor could force rolling of critical log files, or cause
    a denial-of-service by using up available disk space. Instead, ensure that request
    data is properly escaped or sanitized.
  metadata:
    category: security
    cwe: 'CWE-93: Improper Neutralization of CRLF Sequences (''CRLF Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    shortlink: https://sg.run/0Q6j
    source: https://semgrep.dev/r/python.django.security.injection.request-data-write.request-data-write
    technology:
    - django
  pattern-either:
  - pattern: $F.write(..., request.$W.get(...), ...)
  - pattern: |
      $DATA = request.$W.get(...)
      ...
      $F.write(..., $DATA, ...)
  - pattern: |
      $DATA = request.$W.get(...)
      ...
      $INTERM = $DATA
      ...
      $F.write(..., $INTERM, ...)
  - pattern: |
      $DATA = request.$W.get(...)
      ...
      $F.write(..., $B.$C(..., $DATA, ...), ...)
  - pattern: |
      $DATA = request.$W.get(...)
      ...
      $INTERM = $B.$C(..., $DATA, ...)
      ...
      $F.write(..., $INTERM, ...)
  - pattern: |
      $DATA = request.$W.get(...)
      ...
      $F.write(..., $STR % $DATA, ...)
  - pattern: |
      $DATA = request.$W.get(...)
      ...
      $INTERM = $STR % $DATA
      ...
      $F.write(..., $INTERM, ...)
  - pattern: |
      $DATA = request.$W.get(...)
      ...
      $F.write(..., f"...{$DATA}...", ...)
  - pattern: |
      $DATA = request.$W.get(...)
      ...
      $INTERM = f"...{$DATA}..."
      ...
      $F.write(..., $INTERM, ...)
  - pattern: $A = $F.write(..., request.$W.get(...), ...)
  - pattern: return $F.write(..., request.$W.get(...), ...)
  - pattern: $F.write(..., request.$W(...), ...)
  - pattern: |
      $DATA = request.$W(...)
      ...
      $F.write(..., $DATA, ...)
  - pattern: |
      $DATA = request.$W(...)
      ...
      $INTERM = $DATA
      ...
      $F.write(..., $INTERM, ...)
  - pattern: |
      $DATA = request.$W(...)
      ...
      $F.write(..., $B.$C(..., $DATA, ...), ...)
  - pattern: |
      $DATA = request.$W(...)
      ...
      $INTERM = $B.$C(..., $DATA, ...)
      ...
      $F.write(..., $INTERM, ...)
  - pattern: |
      $DATA = request.$W(...)
      ...
      $F.write(..., $STR % $DATA, ...)
  - pattern: |
      $DATA = request.$W(...)
      ...
      $INTERM = $STR % $DATA
      ...
      $F.write(..., $INTERM, ...)
  - pattern: |
      $DATA = request.$W(...)
      ...
      $F.write(..., f"...{$DATA}...", ...)
  - pattern: |
      $DATA = request.$W(...)
      ...
      $INTERM = f"...{$DATA}..."
      ...
      $F.write(..., $INTERM, ...)
  - pattern: $A = $F.write(..., request.$W(...), ...)
  - pattern: return $F.write(..., request.$W(...), ...)
  - pattern: $F.write(..., request.$W[...], ...)
  - pattern: |
      $DATA = request.$W[...]
      ...
      $F.write(..., $DATA, ...)
  - pattern: |
      $DATA = request.$W[...]
      ...
      $INTERM = $DATA
      ...
      $F.write(..., $INTERM, ...)
  - pattern: |
      $DATA = request.$W[...]
      ...
      $F.write(..., $B.$C(..., $DATA, ...), ...)
  - pattern: |
      $DATA = request.$W[...]
      ...
      $INTERM = $B.$C(..., $DATA, ...)
      ...
      $F.write(..., $INTERM, ...)
  - pattern: |
      $DATA = request.$W[...]
      ...
      $F.write(..., $STR % $DATA, ...)
  - pattern: |
      $DATA = request.$W[...]
      ...
      $INTERM = $STR % $DATA
      ...
      $F.write(..., $INTERM, ...)
  - pattern: |
      $DATA = request.$W[...]
      ...
      $F.write(..., f"...{$DATA}...", ...)
  - pattern: |
      $DATA = request.$W[...]
      ...
      $INTERM = f"...{$DATA}..."
      ...
      $F.write(..., $INTERM, ...)
  - pattern: $A = $F.write(..., request.$W[...], ...)
  - pattern: return $F.write(..., request.$W[...], ...)
  - pattern: $F.write(..., request.$W, ...)
  - pattern: |
      $DATA = request.$W
      ...
      $F.write(..., $DATA, ...)
  - pattern: |
      $DATA = request.$W
      ...
      $INTERM = $DATA
      ...
      $F.write(..., $INTERM, ...)
  - pattern: |
      $DATA = request.$W
      ...
      $F.write(..., $B.$C(..., $DATA, ...), ...)
  - pattern: |
      $DATA = request.$W
      ...
      $INTERM = $B.$C(..., $DATA, ...)
      ...
      $F.write(..., $INTERM, ...)
  - pattern: |
      $DATA = request.$W
      ...
      $F.write(..., $STR % $DATA, ...)
  - pattern: |
      $DATA = request.$W
      ...
      $INTERM = $STR % $DATA
      ...
      $F.write(..., $INTERM, ...)
  - pattern: |
      $DATA = request.$W
      ...
      $F.write(..., f"...{$DATA}...", ...)
  - pattern: |
      $DATA = request.$W
      ...
      $INTERM = f"...{$DATA}..."
      ...
      $F.write(..., $INTERM, ...)
  - pattern: $A = $F.write(..., request.$W, ...)
  - pattern: return $F.write(..., request.$W, ...)
  severity: WARNING
- id: python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where
  languages:
  - python
  message: User-controlled data from a request is passed to 'extra()'. This could
    lead to a SQL injection and therefore protected information could be leaked. Instead,
    use parameterized queries or escape the user-controlled data by using `params`
    and not using quote placeholders in the SQL string.
  metadata:
    category: security
    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
      (''SQL Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#.objects.extra
    shortlink: https://sg.run/0Ql5
    source: https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $FUNC(...):
        ...
  - pattern-either:
    - pattern: $MODEL.objects.extra(..., where=[..., $S.format(..., request.$W.get(...),
        ...), ...], ...)
    - pattern: $MODEL.objects.extra(..., where=[..., $S % request.$W.get(...), ...],
        ...)
    - pattern: $MODEL.objects.extra(..., where=[..., f"...{request.$W.get(...)}...",
        ...], ...)
    - pattern: $MODEL.objects.extra(..., where=[..., request.$W.get(...), ...], ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $MODEL.objects.extra(..., where=[..., $DATA, ...], ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $DATA
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $MODEL.objects.extra(..., where=[..., $STR.format(..., $DATA, ...), ...], ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $MODEL.objects.extra(..., where=[..., $STR % $DATA, ...], ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % $DATA
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $MODEL.objects.extra(..., where=[..., f"...{$DATA}...", ...], ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $MODEL.objects.extra(..., where=[..., $STR + $DATA, ...], ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR + $DATA
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: $A = $MODEL.objects.extra(..., where=[..., request.$W.get(...), ...],
        ...)
    - pattern: return $MODEL.objects.extra(..., where=[..., request.$W.get(...), ...],
        ...)
    - pattern: $MODEL.objects.extra(..., where=[..., $S.format(..., request.$W(...),
        ...), ...], ...)
    - pattern: $MODEL.objects.extra(..., where=[..., $S % request.$W(...), ...], ...)
    - pattern: $MODEL.objects.extra(..., where=[..., f"...{request.$W(...)}...", ...],
        ...)
    - pattern: $MODEL.objects.extra(..., where=[..., request.$W(...), ...], ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $MODEL.objects.extra(..., where=[..., $DATA, ...], ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $DATA
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $MODEL.objects.extra(..., where=[..., $STR.format(..., $DATA, ...), ...], ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $MODEL.objects.extra(..., where=[..., $STR % $DATA, ...], ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % $DATA
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $MODEL.objects.extra(..., where=[..., f"...{$DATA}...", ...], ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $MODEL.objects.extra(..., where=[..., $STR + $DATA, ...], ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR + $DATA
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: $A = $MODEL.objects.extra(..., where=[..., request.$W(...), ...], ...)
    - pattern: return $MODEL.objects.extra(..., where=[..., request.$W(...), ...],
        ...)
    - pattern: $MODEL.objects.extra(..., where=[..., $S.format(..., request.$W[...],
        ...), ...], ...)
    - pattern: $MODEL.objects.extra(..., where=[..., $S % request.$W[...], ...], ...)
    - pattern: $MODEL.objects.extra(..., where=[..., f"...{request.$W[...]}...", ...],
        ...)
    - pattern: $MODEL.objects.extra(..., where=[..., request.$W[...], ...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $MODEL.objects.extra(..., where=[..., $DATA, ...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $DATA
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $MODEL.objects.extra(..., where=[..., $STR.format(..., $DATA, ...), ...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $MODEL.objects.extra(..., where=[..., $STR % $DATA, ...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % $DATA
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $MODEL.objects.extra(..., where=[..., f"...{$DATA}...", ...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = f"...{$DATA}..."
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $MODEL.objects.extra(..., where=[..., $STR + $DATA, ...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR + $DATA
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: $A = $MODEL.objects.extra(..., where=[..., request.$W[...], ...], ...)
    - pattern: return $MODEL.objects.extra(..., where=[..., request.$W[...], ...],
        ...)
    - pattern: $MODEL.objects.extra(..., where=[..., $S.format(..., request.$W, ...),
        ...], ...)
    - pattern: $MODEL.objects.extra(..., where=[..., $S % request.$W, ...], ...)
    - pattern: $MODEL.objects.extra(..., where=[..., f"...{request.$W}...", ...],
        ...)
    - pattern: $MODEL.objects.extra(..., where=[..., request.$W, ...], ...)
    - pattern: |
        $DATA = request.$W
        ...
        $MODEL.objects.extra(..., where=[..., $DATA, ...], ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $DATA
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W
        ...
        $MODEL.objects.extra(..., where=[..., $STR.format(..., $DATA, ...), ...], ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W
        ...
        $MODEL.objects.extra(..., where=[..., $STR % $DATA, ...], ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % $DATA
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W
        ...
        $MODEL.objects.extra(..., where=[..., f"...{$DATA}...", ...], ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = f"...{$DATA}..."
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W
        ...
        $MODEL.objects.extra(..., where=[..., $STR + $DATA, ...], ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR + $DATA
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: $A = $MODEL.objects.extra(..., where=[..., request.$W, ...], ...)
    - pattern: return $MODEL.objects.extra(..., where=[..., request.$W, ...], ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $MODEL.objects.extra(..., where=[..., $STR % (..., $DATA, ...), ...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $MODEL.objects.extra(..., where=[..., $STR % (..., $DATA, ...), ...], ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $MODEL.objects.extra(..., where=[..., $STR % (..., $DATA, ...), ...], ...)
    - pattern: |
        $DATA = request.$W
        ...
        $MODEL.objects.extra(..., where=[..., $STR % (..., $DATA, ...), ...], ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % (..., $DATA, ...)
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % (..., $DATA, ...)
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % (..., $DATA, ...)
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % (..., $DATA, ...)
        ...
        $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)
  severity: WARNING
- id: python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql
  languages:
  - python
  message: User-controlled data from request is passed to 'RawSQL()'. This could lead
    to a SQL injection and therefore protected information could be leaked. Instead,
    use parameterized queries or escape the user-controlled data by using `params`
    and not using quote placeholders in the SQL string.
  metadata:
    category: security
    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
      (''SQL Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL
    shortlink: https://sg.run/Kl4X
    source: https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $FUNC(...):
        ...
  - pattern-either:
    - pattern: django.db.models.expressions.RawSQL(..., $S.format(..., request.$W.get(...),
        ...), ...)
    - pattern: django.db.models.expressions.RawSQL(..., $S % request.$W.get(...),
        ...)
    - pattern: django.db.models.expressions.RawSQL(..., f"...{request.$W.get(...)}...",
        ...)
    - pattern: django.db.models.expressions.RawSQL(..., request.$W.get(...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.db.models.expressions.RawSQL(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $DATA
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.db.models.expressions.RawSQL(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.db.models.expressions.RawSQL(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % $DATA
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.db.models.expressions.RawSQL(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.db.models.expressions.RawSQL(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR + $DATA
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: $A = django.db.models.expressions.RawSQL(..., request.$W.get(...),
        ...)
    - pattern: return django.db.models.expressions.RawSQL(..., request.$W.get(...),
        ...)
    - pattern: django.db.models.expressions.RawSQL(..., $S.format(..., request.$W(...),
        ...), ...)
    - pattern: django.db.models.expressions.RawSQL(..., $S % request.$W(...), ...)
    - pattern: django.db.models.expressions.RawSQL(..., f"...{request.$W(...)}...",
        ...)
    - pattern: django.db.models.expressions.RawSQL(..., request.$W(...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.db.models.expressions.RawSQL(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $DATA
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.db.models.expressions.RawSQL(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.db.models.expressions.RawSQL(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % $DATA
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.db.models.expressions.RawSQL(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.db.models.expressions.RawSQL(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR + $DATA
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: $A = django.db.models.expressions.RawSQL(..., request.$W(...), ...)
    - pattern: return django.db.models.expressions.RawSQL(..., request.$W(...), ...)
    - pattern: django.db.models.expressions.RawSQL(..., $S.format(..., request.$W[...],
        ...), ...)
    - pattern: django.db.models.expressions.RawSQL(..., $S % request.$W[...], ...)
    - pattern: django.db.models.expressions.RawSQL(..., f"...{request.$W[...]}...",
        ...)
    - pattern: django.db.models.expressions.RawSQL(..., request.$W[...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.db.models.expressions.RawSQL(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $DATA
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.db.models.expressions.RawSQL(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.db.models.expressions.RawSQL(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % $DATA
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.db.models.expressions.RawSQL(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.db.models.expressions.RawSQL(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR + $DATA
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: $A = django.db.models.expressions.RawSQL(..., request.$W[...], ...)
    - pattern: return django.db.models.expressions.RawSQL(..., request.$W[...], ...)
    - pattern: django.db.models.expressions.RawSQL(..., $S.format(..., request.$W,
        ...), ...)
    - pattern: django.db.models.expressions.RawSQL(..., $S % request.$W, ...)
    - pattern: django.db.models.expressions.RawSQL(..., f"...{request.$W}...", ...)
    - pattern: django.db.models.expressions.RawSQL(..., request.$W, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.db.models.expressions.RawSQL(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $DATA
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.db.models.expressions.RawSQL(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.db.models.expressions.RawSQL(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % $DATA
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.db.models.expressions.RawSQL(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.db.models.expressions.RawSQL(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR + $DATA
        ...
        django.db.models.expressions.RawSQL(..., $INTERM, ...)
    - pattern: $A = django.db.models.expressions.RawSQL(..., request.$W, ...)
    - pattern: return django.db.models.expressions.RawSQL(..., request.$W, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.db.models.expressions.RawSQL($STR % (..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.db.models.expressions.RawSQL($STR % (..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.db.models.expressions.RawSQL($STR % (..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.db.models.expressions.RawSQL($STR % (..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % (..., $DATA, ...)
        ...
        django.db.models.expressions.RawSQL($INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % (..., $DATA, ...)
        ...
        django.db.models.expressions.RawSQL($INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % (..., $DATA, ...)
        ...
        django.db.models.expressions.RawSQL($INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % (..., $DATA, ...)
        ...
        django.db.models.expressions.RawSQL($INTERM, ...)
  severity: WARNING
- id: python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute
  languages:
  - python
  message: User-controlled data from a request is passed to 'execute()'. This could
    lead to a SQL injection and therefore protected information could be leaked. Instead,
    use django's QuerySets, which are built with query parameterization  and therefore
    not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.
  metadata:
    category: security
    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
      (''SQL Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection
    shortlink: https://sg.run/qx7y
    source: https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $FUNC(...):
        ...
  - pattern-either:
    - pattern: $CURSOR.execute(..., $S.format(..., request.$W.get(...), ...), ...)
    - pattern: $CURSOR.execute(..., $S % request.$W.get(...), ...)
    - pattern: $CURSOR.execute(..., f"...{request.$W.get(...)}...", ...)
    - pattern: $CURSOR.execute(..., request.$W.get(...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $CURSOR.execute(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $DATA
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $CURSOR.execute(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $CURSOR.execute(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % $DATA
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $CURSOR.execute(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $CURSOR.execute(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR + $DATA
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: $A = $CURSOR.execute(..., request.$W.get(...), ...)
    - pattern: return $CURSOR.execute(..., request.$W.get(...), ...)
    - pattern: $CURSOR.execute(..., $S.format(..., request.$W(...), ...), ...)
    - pattern: $CURSOR.execute(..., $S % request.$W(...), ...)
    - pattern: $CURSOR.execute(..., f"...{request.$W(...)}...", ...)
    - pattern: $CURSOR.execute(..., request.$W(...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $CURSOR.execute(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $DATA
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $CURSOR.execute(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $CURSOR.execute(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % $DATA
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $CURSOR.execute(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $CURSOR.execute(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR + $DATA
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: $A = $CURSOR.execute(..., request.$W(...), ...)
    - pattern: return $CURSOR.execute(..., request.$W(...), ...)
    - pattern: $CURSOR.execute(..., $S.format(..., request.$W[...], ...), ...)
    - pattern: $CURSOR.execute(..., $S % request.$W[...], ...)
    - pattern: $CURSOR.execute(..., f"...{request.$W[...]}...", ...)
    - pattern: $CURSOR.execute(..., request.$W[...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $CURSOR.execute(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $DATA
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $CURSOR.execute(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $CURSOR.execute(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % $DATA
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $CURSOR.execute(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = f"...{$DATA}..."
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $CURSOR.execute(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR + $DATA
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: $A = $CURSOR.execute(..., request.$W[...], ...)
    - pattern: return $CURSOR.execute(..., request.$W[...], ...)
    - pattern: $CURSOR.execute(..., $S.format(..., request.$W, ...), ...)
    - pattern: $CURSOR.execute(..., $S % request.$W, ...)
    - pattern: $CURSOR.execute(..., f"...{request.$W}...", ...)
    - pattern: $CURSOR.execute(..., request.$W, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $CURSOR.execute(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $DATA
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $CURSOR.execute(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $CURSOR.execute(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % $DATA
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $CURSOR.execute(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = f"...{$DATA}..."
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $CURSOR.execute(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR + $DATA
        ...
        $CURSOR.execute(..., $INTERM, ...)
    - pattern: $A = $CURSOR.execute(..., request.$W, ...)
    - pattern: return $CURSOR.execute(..., request.$W, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $CURSOR.execute($STR % (..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $CURSOR.execute($STR % (..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $CURSOR.execute($STR % (..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $CURSOR.execute($STR % (..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % (..., $DATA, ...)
        ...
        $CURSOR.execute($INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % (..., $DATA, ...)
        ...
        $CURSOR.execute($INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % (..., $DATA, ...)
        ...
        $CURSOR.execute($INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % (..., $DATA, ...)
        ...
        $CURSOR.execute($INTERM, ...)
  severity: WARNING
- id: python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw
  languages:
  - python
  message: Data that is possible user-controlled from a python request is passed to
    `raw()`. This could lead to SQL injection and attackers gaining access to protected
    information. Instead, use django's QuerySets, which are built with query parameterization
    and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.
  metadata:
    category: security
    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
      (''SQL Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection
    shortlink: https://sg.run/l2v9
    source: https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $FUNC(...):
        ...
  - pattern-either:
    - pattern: $MODEL.objects.raw(..., $S.format(..., request.$W.get(...), ...), ...)
    - pattern: $MODEL.objects.raw(..., $S % request.$W.get(...), ...)
    - pattern: $MODEL.objects.raw(..., f"...{request.$W.get(...)}...", ...)
    - pattern: $MODEL.objects.raw(..., request.$W.get(...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $MODEL.objects.raw(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $DATA
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $MODEL.objects.raw(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $MODEL.objects.raw(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % $DATA
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $MODEL.objects.raw(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $MODEL.objects.raw(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR + $DATA
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: $A = $MODEL.objects.raw(..., request.$W.get(...), ...)
    - pattern: return $MODEL.objects.raw(..., request.$W.get(...), ...)
    - pattern: $MODEL.objects.raw(..., $S.format(..., request.$W(...), ...), ...)
    - pattern: $MODEL.objects.raw(..., $S % request.$W(...), ...)
    - pattern: $MODEL.objects.raw(..., f"...{request.$W(...)}...", ...)
    - pattern: $MODEL.objects.raw(..., request.$W(...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $MODEL.objects.raw(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $DATA
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $MODEL.objects.raw(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $MODEL.objects.raw(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % $DATA
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $MODEL.objects.raw(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $MODEL.objects.raw(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR + $DATA
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: $A = $MODEL.objects.raw(..., request.$W(...), ...)
    - pattern: return $MODEL.objects.raw(..., request.$W(...), ...)
    - pattern: $MODEL.objects.raw(..., $S.format(..., request.$W[...], ...), ...)
    - pattern: $MODEL.objects.raw(..., $S % request.$W[...], ...)
    - pattern: $MODEL.objects.raw(..., f"...{request.$W[...]}...", ...)
    - pattern: $MODEL.objects.raw(..., request.$W[...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $MODEL.objects.raw(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $DATA
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $MODEL.objects.raw(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $MODEL.objects.raw(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % $DATA
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $MODEL.objects.raw(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = f"...{$DATA}..."
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $MODEL.objects.raw(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR + $DATA
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: $A = $MODEL.objects.raw(..., request.$W[...], ...)
    - pattern: return $MODEL.objects.raw(..., request.$W[...], ...)
    - pattern: $MODEL.objects.raw(..., $S.format(..., request.$W, ...), ...)
    - pattern: $MODEL.objects.raw(..., $S % request.$W, ...)
    - pattern: $MODEL.objects.raw(..., f"...{request.$W}...", ...)
    - pattern: $MODEL.objects.raw(..., request.$W, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $MODEL.objects.raw(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $DATA
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $MODEL.objects.raw(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $MODEL.objects.raw(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % $DATA
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $MODEL.objects.raw(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = f"...{$DATA}..."
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $MODEL.objects.raw(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR + $DATA
        ...
        $MODEL.objects.raw(..., $INTERM, ...)
    - pattern: $A = $MODEL.objects.raw(..., request.$W, ...)
    - pattern: return $MODEL.objects.raw(..., request.$W, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $MODEL.objects.raw($STR % (..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $MODEL.objects.raw($STR % (..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $MODEL.objects.raw($STR % (..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $MODEL.objects.raw($STR % (..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % (..., $DATA, ...)
        ...
        $MODEL.objects.raw($INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % (..., $DATA, ...)
        ...
        $MODEL.objects.raw($INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % (..., $DATA, ...)
        ...
        $MODEL.objects.raw($INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % (..., $DATA, ...)
        ...
        $MODEL.objects.raw($INTERM, ...)
  severity: WARNING
- id: python.flask.correctness.access-request-in-wrong-handler.avoid-accessing-request-in-wrong-handler
  languages:
  - python
  message: Accessing request object inside a route handle for HTTP GET command will
    throw due to missing request body.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/1ZYv
    source: https://semgrep.dev/r/python.flask.correctness.access-request-in-wrong-handler.avoid-accessing-request-in-wrong-handler
    technology:
    - flask
  patterns:
  - pattern-inside: |
      @app.route(..., method="GET")
      def $X(...):
        ...
  - pattern-either:
    - pattern: |
        $Y = flask.request.json
    - pattern: |
        $Y = flask.request.form
    - pattern: |
        $Y = flask.request.data
  severity: WARNING
- id: python.flask.correctness.same-handler-name.flask-duplicate-handler-name
  languages:
  - python
  message: Looks like `$R` is a flask function handler that registered to two different
    routes. This will cause a runtime error
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/9o18
    source: https://semgrep.dev/r/python.flask.correctness.same-handler-name.flask-duplicate-handler-name
    technology:
    - flask
  pattern: |
    @app.route("...", ...)
    def $R(...):
        ...
    ...
    @app.route("...", ...)
    def $R(...):
        ...
  severity: WARNING
- id: python.flask.maintainability.deprecated.deprecated-apis.flask-deprecated-apis
  languages:
  - python
  message: deprecated Flask API
  metadata:
    category: maintainability
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/rdLR
    source: https://semgrep.dev/r/python.flask.maintainability.deprecated.deprecated-apis.flask-deprecated-apis
    technology:
    - flask
  pattern-either:
  - pattern: |
      $F = Flask(...)
      ...
      $F.open_session(...)
  - pattern: |
      $F = Flask(...)
      ...
      $F.save_session(...)
  - pattern: |
      $F = Flask(...)
      ...
      $F.make_null_session(...)
  - pattern: |
      $F = Flask(...)
      ...
      $F.init_jinja_globals(...)
  - pattern: |
      $F = Flask(...)
      ...
      $F.request_globals_class(...)
  - pattern: |
      $F = Flask(...)
      ...
      $F.static_path(...)
  - pattern: app.open_session(...)
  - pattern: app.save_session(...)
  - pattern: app.make_null_session(...)
  - pattern: app.init_jinja_globals(...)
  - pattern: app.request_globals_class(...)
  - pattern: app.static_path(...)
  - pattern: app.config.from_json(...)
  - pattern: flask.json_available
  - pattern: flask.request.module
  - pattern: flask.testing.make_test_environ_builder(...)
  severity: WARNING
- id: python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host
  languages:
  - python
  message: Running flask app with host 0.0.0.0 could expose the server publicly.
  metadata:
    category: security
    cwe: 'CWE-668: Exposure of Resource to Wrong Sphere'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    shortlink: https://sg.run/eLby
    source: https://semgrep.dev/r/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host
    technology:
    - flask
  pattern-either:
  - pattern: app.run(..., host="0.0.0.0", ...)
  - pattern: app.run(..., "0.0.0.0", ...)
  severity: WARNING
- id: python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly
  languages:
  - python
  message: top-level app.run(...) is ignored by flask. Consider putting app.run(...)
    behind a guard, like inside a function
  metadata:
    category: security
    cwe: 'CWE-668: Exposure of Resource to Wrong Sphere'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    shortlink: https://sg.run/vz5b
    source: https://semgrep.dev/r/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly
    technology:
    - flask
  patterns:
  - pattern-not-inside: |
      if __name__ == '__main__':
        ...
  - pattern-not-inside: |
      def $X(...):
        ...
  - pattern: app.run(...)
  severity: WARNING
- id: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING
  languages:
  - python
  message: Hardcoded variable `TESTING` detected. Use environment variables or config
    files instead
  metadata:
    category: security
    cwe: 'CWE-489: Active Debug Code'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    references:
    - https://bento.dev/checks/flask/avoid-hardcoded-config/
    - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values
    - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features
    shortlink: https://sg.run/ndZ2
    source: https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING
    technology:
    - flask
  pattern-either:
  - pattern: $M.config['TESTING'] = True
  - pattern: $M.config['TESTING'] = False
  - pattern: $M.update(TESTING=True, ...)
  - pattern: $M.update(TESTING=False, ...)
  severity: WARNING
- id: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY
  languages:
  - python
  message: Hardcoded variable `SECRET_KEY` detected. Use environment variables or
    config files instead
  metadata:
    category: security
    cwe: 'CWE-798: Use of Hard-coded Credentials'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A2: Broken Authentication'
    references:
    - https://bento.dev/checks/flask/avoid-hardcoded-config/
    - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values
    - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features
    shortlink: https://sg.run/Ekde
    source: https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY
    technology:
    - flask
  pattern-either:
  - pattern: $M.update(SECRET_KEY="=~/.*/")
  - pattern: $M.config['SECRET_KEY'] = "=~/.*/"
  severity: ERROR
- id: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV
  languages:
  - python
  message: Hardcoded variable `ENV` detected. Set this by using FLASK_ENV environment
    variable
  metadata:
    category: security
    cwe: 'CWE-489: Active Debug Code'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    references:
    - https://bento.dev/checks/flask/avoid-hardcoded-config/
    - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values
    - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features
    shortlink: https://sg.run/7oXW
    source: https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV
    technology:
    - flask
  pattern-either:
  - pattern: $M.update(ENV="=~/^development|production$/")
  - pattern: $M.config['ENV'] = "=~/^development|production$/"
  severity: WARNING
- id: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG
  languages:
  - python
  message: Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment
    variable
  metadata:
    category: security
    cwe: 'CWE-489: Active Debug Code'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    references:
    - https://bento.dev/checks/flask/avoid-hardcoded-config/
    - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values
    - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features
    shortlink: https://sg.run/LwPo
    source: https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG
    technology:
    - flask
  pattern-either:
  - pattern: $M.update(DEBUG=True)
  - pattern: $M.update(DEBUG=False)
  - pattern: $M.config['DEBUG'] = True
  - pattern: $M.config['DEBUG'] = False
  severity: WARNING
- id: python.flask.security.injection.os-system-injection.os-system-injection
  languages:
  - python
  message: User data detected in os.system. This could be vulnerable to a command
    injection and should be avoided. If this must be done, use the 'subprocess' module
    instead and pass the arguments as a list.
  metadata:
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://owasp.org/www-community/attacks/Command_Injection
    shortlink: https://sg.run/4xzz
    source: https://semgrep.dev/r/python.flask.security.injection.os-system-injection.os-system-injection
    technology:
    - flask
  pattern-either:
  - patterns:
    - pattern: os.system(...)
    - pattern-either:
      - pattern-inside: |
          @$APP.route($ROUTE, ...)
          def $FUNC(..., $ROUTEVAR, ...):
            ...
            os.system(..., <... $ROUTEVAR ...>, ...)
      - pattern-inside: |
          @$APP.route($ROUTE, ...)
          def $FUNC(..., $ROUTEVAR, ...):
            ...
            $INTERM = <... $ROUTEVAR ...>
            ...
            os.system(..., <... $INTERM ...>, ...)
  - pattern: os.system(..., <... flask.request.$W.get(...) ...>, ...)
  - pattern: os.system(..., <... flask.request.$W[...] ...>, ...)
  - pattern: os.system(..., <... flask.request.$W(...) ...>, ...)
  - pattern: os.system(..., <... flask.request.$W ...>, ...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W.get(...) ...>
        ...
        os.system(<... $INTERM ...>)
    - pattern: os.system(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W[...] ...>
        ...
        os.system(<... $INTERM ...>)
    - pattern: os.system(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W(...) ...>
        ...
        os.system(<... $INTERM ...>)
    - pattern: os.system(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W ...>
        ...
        os.system(<... $INTERM ...>)
    - pattern: os.system(...)
  severity: ERROR
- id: python.jwt.security.jwt-none-alg.jwt-python-none-alg
  languages:
  - python
  message: Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm
    assumes the integrity of the token has already been verified. This would allow
    a malicious actor to forge a JWT token that will automatically be verified. Do
    not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.
  metadata:
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A2: Broken Authentication'
    shortlink: https://sg.run/Yvp4
    source: https://semgrep.dev/r/python.jwt.security.jwt-none-alg.jwt-python-none-alg
    source-rule-url: https://r2c.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
    technology:
    - jwt
  pattern-either:
  - pattern: |
      jwt.encode(...,algorithm="none",...)
  - pattern: jwt.decode(...,algorithms=[...,"none",...],...)
  severity: ERROR
- id: python.lang.best-practice.manual-collections-create.manual-defaultdict-set-create
  languages:
  - python
  message: manually creating a defaultdict - use collections.defaultdict(set)
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/2xXD
    source: https://semgrep.dev/r/python.lang.best-practice.manual-collections-create.manual-defaultdict-set-create
    technology:
    - python
  pattern-either:
  - pattern: |
      $DICT = {}
      ...
      for $KEY, $VALUE in $OTHERDICT.items():
          ...
          if $KEY not in $DICT:
              ...
              $DICT[$KEY] = set()
              ...
          $DICT[$KEY].add(...)
  - pattern: |
      $DICT = {}
      ...
      for $KEY, $VALUE in $OTHERDICT.items():
          ...
          $DICT.setdefault($KEY, set()).add(...)
  severity: WARNING
- id: python.lang.best-practice.manual-collections-create.manual-defaultdict-list-create
  languages:
  - python
  message: manually creating a defaultdict - use collections.defaultdict(list)
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/XBzb
    source: https://semgrep.dev/r/python.lang.best-practice.manual-collections-create.manual-defaultdict-list-create
    technology:
    - python
  pattern-either:
  - pattern: |
      $DICT = {}
      ...
      for $KEY, $VALUE in $OTHERDICT.items():
          ...
          if $KEY not in $DICT:
              ...
              $DICT[$KEY] = []
              ...
          $DICT[$KEY].append(...)
  - pattern: |
      $DICT = {}
      ...
      for $KEY, $VALUE in $OTHERDICT.items():
          ...
          $DICT.setdefault($KEY, []).append(...)
  severity: WARNING
- id: python.lang.best-practice.missing-hash-with-eq.missing-hash-with-eq
  languages:
  - python
  message: 'Class `$A` has defined `__eq__` which means it should also have defined
    `__hash__`; '
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/1Z2v
    source: https://semgrep.dev/r/python.lang.best-practice.missing-hash-with-eq.missing-hash-with-eq
    technology:
    - python
  patterns:
  - pattern-not-inside: |
      class A(...):
          ...
          def __hash__(self):
              ...
          ...
          def __eq__(self, $O):
              ...
  - pattern: |
      class A(...):
        ...
        def __eq__(self, $O): ...
        ...
  severity: WARNING
- id: python.lang.best-practice.open-never-closed.open-never-closed
  languages:
  - python
  message: file object opened without corresponding close
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/9oN8
    source: https://semgrep.dev/r/python.lang.best-practice.open-never-closed.open-never-closed
    technology:
    - python
  patterns:
  - pattern-not-inside: |
      $F = open(...)
      ...
      $F.close()
  - pattern-not-inside: |
      $F = io.open(...)
      ...
      $F.close()
  - pattern-not-inside: |
      $F = tarfile.open(...)
      ...
      $F.close()
  - pattern-not-inside: |
      $F = ZipFile.open(...)
      ...
      $F.close()
  - pattern-not-inside: |
      $F = tempfile.TemporaryFile(...)
      ...
      $F.close()
  - pattern-not-inside: |
      $F = tempfile.NamedTemporaryFile(...)
      ...
      $F.close()
  - pattern-not-inside: |
      $F = tempfile.SpooledTemporaryFile(...)
      ...
      $F.close()
  - pattern-not-inside: |
      $F = open(...)
      ...
      try:
          ...
      finally:
          $F.close()
  - pattern-not-inside: |
      $F = io.open(...)
      ...
      try:
          ...
      finally:
          $F.close()
  - pattern-not-inside: |
      $F = tarfile.open(...)
      ...
      try:
          ...
      finally:
          $F.close()
  - pattern-not-inside: |
      $F = ZipFile.open(...)
      ...
      try:
          ...
      finally:
          $F.close()
  - pattern-not-inside: |
      $F = tempfile.TemporaryFile(...)
      ...
      try:
          ...
      finally:
          $F.close()
  - pattern-not-inside: |
      $F = tempfile.NamedTemporaryFile(...)
      ...
      try:
          ...
      finally:
          $F.close()
  - pattern-not-inside: |
      $F = tempfile.SpooledTemporaryFile(...)
      ...
      try:
          ...
      finally:
          $F.close()
  - pattern-either:
    - pattern: $F = open(...)
    - pattern: $F = io.open(...)
    - pattern: $F = tarfile.open(...)
    - pattern: $F = ZipFile.open(...)
    - pattern: $F = tempfile.TemporaryFile(...)
    - pattern: $F = tempfile.NamedTemporaryFile(...)
    - pattern: $F = tempfile.SpooledTemporaryFile(...)
  severity: ERROR
- id: python.lang.best-practice.pass-body.pass-body-fn
  languages:
  - python
  message: '`pass` is the body of function $X. Consider removing this or raise NotImplementedError()
    if this is a TODO'
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/ydWR
    source: https://semgrep.dev/r/python.lang.best-practice.pass-body.pass-body-fn
    technology:
    - python
  patterns:
  - pattern-not-inside: |
      def __init__(self, ...):
          ...
  - pattern-not-inside: |
      class $A:
           ...
  - pattern: |
      def $X(...):
          pass
  severity: WARNING
- id: python.lang.best-practice.pass-body.pass-body-range
  languages:
  - python
  message: '`pass` is the body of for $X in $Y. Consider removing this or raise NotImplementedError()
    if this is a TODO'
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/rdJR
    source: https://semgrep.dev/r/python.lang.best-practice.pass-body.pass-body-range
    technology:
    - python
  pattern: |
    for $X in $Y:
        pass
  severity: WARNING
- id: python.lang.best-practice.sleep.arbitrary-sleep
  languages:
  - python
  message: time.sleep() call; did you mean to leave this in?
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/N4Bz
    source: https://semgrep.dev/r/python.lang.best-practice.sleep.arbitrary-sleep
    technology:
    - python
  patterns:
  - pattern-not: time.sleep($F(...))
  - pattern-either:
    - pattern: |
        time.sleep($X: int)
    - pattern: |
        time.sleep($X: float)
  severity: ERROR
- id: python.lang.compatibility.python36.python36-compatibility-ssl
  languages:
  - python
  message: this function is only available on Python 3.6+
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/kXn2
    source: https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-ssl
    technology:
    - python
  pattern: ssl.get_ciphers()
  severity: ERROR
- id: python.lang.compatibility.python36.python36-compatibility-Popen1
  languages:
  - python
  message: the `errors` argument to Popen is only available on Python 3.6+
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/weBP
    source: https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen1
    technology:
    - python
  pattern: subprocess.Popen(errors=$X, ...)
  severity: ERROR
- id: python.lang.compatibility.python36.python36-compatibility-Popen2
  languages:
  - python
  message: the `encoding` argument to Popen is only available on Python 3.6+
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/x1Dg
    source: https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2
    technology:
    - python
  pattern: subprocess.Popen(encoding=$X, ...)
  severity: ERROR
- id: python.lang.compatibility.python37.python37-compatibility-importlib
  languages:
  - python
  message: source_hash' is only available on Python 3.7+. This does not work in lower
    versions, and therefore is not backwards compatible. Instead, use another hash
    function.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/OPDn
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib
    technology:
    - python
  pattern: importlib.source_hash()
  severity: ERROR
- id: python.lang.compatibility.python37.python37-compatibility-importlib2
  languages:
  - python
  message: Found 'importlib.resources', which is a module only available on Python
    3.7+. This does not work in lower versions, and therefore is not backwards compatible.
    Use importlib_resources instead for older Python versions.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/eL3y
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2
    technology:
    - python
  pattern: import importlib.resources
  severity: ERROR
- id: python.lang.maintainability.return.code-after-unconditional-return
  languages:
  - python
  message: code after return statement will not be executed
  metadata:
    category: maintainability
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/6nOo
    source: https://semgrep.dev/r/python.lang.maintainability.return.code-after-unconditional-return
    technology:
    - python
  pattern: |
    return ...
    $S
  severity: WARNING
- id: python.lang.maintainability.return.return-not-in-function
  languages:
  - python
  message: '`return` only makes sense inside a function'
  metadata:
    category: maintainability
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/oxG9
    source: https://semgrep.dev/r/python.lang.maintainability.return.return-not-in-function
    technology:
    - python
  patterns:
  - pattern-not-inside: |
      def $F(...):
          ...
      # TODO: first pattern should just automatically include this one
  - pattern-not-inside: |
      def $F(...) ->  $Y:
          ...
  - pattern: return ...
  severity: WARNING
- id: python.lang.maintainability.useless-ifelse.useless-if-conditional
  languages:
  - python
  message: if block checks for the same condition on both branches (`$X`)
  metadata:
    category: maintainability
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/pxRg
    source: https://semgrep.dev/r/python.lang.maintainability.useless-ifelse.useless-if-conditional
    technology:
    - python
  pattern: |
    if $X:
        ...
    elif $X:
        ...
  severity: WARNING
- id: python.lang.maintainability.useless-ifelse.useless-if-body
  languages:
  - python
  message: useless if statment; both blocks have the same body
  metadata:
    category: maintainability
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/2xN0
    source: https://semgrep.dev/r/python.lang.maintainability.useless-ifelse.useless-if-body
    technology:
    - python
  pattern: |
    if $X:
        $S
    else:
        $S
  severity: WARNING
- id: python.lang.security.audit.dangerous-subprocess-use.dangerous-subprocess-use
  languages:
  - python
  message: Detected subprocess function '$FUNC' without a static string. If this data
    can be controlled by a malicious actor, it may be an instance of command injection.
    Audit the use of this call to ensure it is not controllable by an external resource.
    You may consider using 'shlex.escape()'.
  metadata:
    asvs:
      control_id: 5.3.8 OS Command Injection
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess
    - https://docs.python.org/3/library/subprocess.html
    - https://docs.python.org/3/library/shlex.html
    shortlink: https://sg.run/eLnb
    source: https://semgrep.dev/r/python.lang.security.audit.dangerous-subprocess-use.dangerous-subprocess-use
    technology:
    - python
  pattern-either:
  - patterns:
    - pattern-not: subprocess.$FUNC("...", ...)
    - pattern-not: subprocess.$FUNC(["...",...], ...)
    - pattern-not: subprocess.CalledProcessError(...)
    - pattern-not: subprocess.SubprocessError(...)
    - pattern: subprocess.$FUNC(...)
  - patterns:
    - pattern: subprocess.$FUNC("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",...)
    - pattern-not: subprocess.$FUNC("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c","...",...)
  - patterns:
    - pattern: subprocess.$FUNC(["=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",...],...)
    - pattern-not: subprocess.$FUNC(["=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c","...",...],...)
  - patterns:
    - pattern: subprocess.$FUNC("=~/(python)/",...)
    - pattern-not: subprocess.$FUNC("=~/(python)/","...",...)
  - patterns:
    - pattern: subprocess.$FUNC(["=~/(python)/",...],...)
    - pattern-not: subprocess.$FUNC(["=~/(python)/","...",...],...)
  severity: ERROR
- id: python.lang.security.audit.dangerous-system-call.dangerous-system-call
  languages:
  - python
  message: Found dynamic content used in a system call. This is dangerous if external
    data can reach this function call because it allows a malicious actor to execute
    commands. Use the 'subprocess' module instead, which is easier to use without
    accidentally exposing a command injection vulnerability.
  metadata:
    asvs:
      control_id: 5.2.4 Dyanmic Code Execution Features
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    shortlink: https://sg.run/vzKA
    source: https://semgrep.dev/r/python.lang.security.audit.dangerous-system-call.dangerous-system-call
    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
    technology:
    - python
  patterns:
  - pattern-not: os.$W("...", ...)
  - pattern-either:
    - pattern: os.system(...)
    - pattern: os.popen(...)
    - pattern: os.popen2(...)
    - pattern: os.popen3(...)
    - pattern: os.popen4(...)
  severity: ERROR
- id: python.lang.maintainability.useless-innerfunction.useless-inner-function
  languages:
  - python
  message: function `$FF` is defined inside a function but never used
  metadata:
    category: maintainability
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/XB9K
    source: https://semgrep.dev/r/python.lang.maintainability.useless-innerfunction.useless-inner-function
    technology:
    - python
  patterns:
  - pattern-not-inside: |
      def $F(...):
          ...
          def $FF(...):
             ...
          ...
          <... $FF ...>
  - pattern-not-inside: |
      def $F(...):
          ...
          class $CLAZZ(...):
            ...
  - pattern-inside: |
      def $F(...):
        ...
        def $FF(...):
           ...
        ...
  - pattern: |
      def $FF(...):
        ...
  - pattern-not: |
      @$DECORATOR
      def $FF(...):
        ...
  severity: ERROR
- id: python.lang.maintainability.useless-literal.useless-literal-dict
  languages:
  - python
  message: key `$X` is uselessly assigned twice
  metadata:
    category: maintainability
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/jRgY
    source: https://semgrep.dev/r/python.lang.maintainability.useless-literal.useless-literal-dict
    technology:
    - python
  pattern-either:
  - pattern: |
      {..., $X: $A, ..., $X: $B, ...}
  - pattern: |
      dict(..., ($X, $A), ..., ($X, $B), ...)
  severity: WARNING
- id: python.lang.maintainability.useless-literal.useless-literal-set
  languages:
  - python
  message: '`$X` is uselessly assigned twice inside the creation of the set'
  metadata:
    category: maintainability
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/1Zbw
    source: https://semgrep.dev/r/python.lang.maintainability.useless-literal.useless-literal-set
    technology:
    - python
  pattern: |
    set(..., ($X, $A), ..., ($X, $B), ...)
  severity: ERROR
- id: python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage
  languages:
  - python
  message: Annotations passed to `typing.get_type_hints` are evaluated in `globals`
    and `locals` namespaces. Make sure that no arbitrary value can be written as the
    annotation and passed to `typing.get_type_hints` function.
  metadata:
    category: security
    cwe: 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
      (''Eval Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.python.org/3/library/typing.html#typing.get_type_hints
    shortlink: https://sg.run/8R6J
    source: https://semgrep.dev/r/python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage
    technology:
    - python
  patterns:
  - pattern: |
      $C.__annotations__[$NAME] = $X
  - pattern-not: |
      $C.__annotations__[$NAME] = "..."
  - pattern-not: |
      $C.__annotations__[$NAME] = typing.$Y
  - metavariable-regex:
      metavariable: $X
      regex: (?!(int|float|complex|list|tuple|range|str|bytes|bytearray|memoryview|set|frozenset|dict))
  severity: INFO
- id: python.lang.security.audit.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string
  languages:
  - python
  message: Found dynamic content in `run_string`. This is dangerous if external data
    can reach this function call because it allows a malicious actor to run arbitrary
    Python code. Ensure no external data reaches here.
  metadata:
    category: security
    cwe: 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
      (''Eval Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://bugs.python.org/issue43472
    shortlink: https://sg.run/rky6
    source: https://semgrep.dev/r/python.lang.security.audit.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string
    technology:
    - python
  patterns:
  - pattern: |
      _xxsubinterpreters.run_string($ID, $PAYLOAD, ...)
  - pattern-not: |
      _xxsubinterpreters.run_string($ID, "...", ...)
  severity: WARNING
- id: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected
  languages:
  - python
  message: Detected a dynamic value being used with urllib. urllib supports 'file://'
    schemes, so a dynamic value controlled by a malicious actor may allow them to
    read arbitrary files. Audit uses of urllib calls to ensure user data cannot control
    the URLs, or consider using the 'requests' library instead.
  metadata:
    asvs:
      control_id: 5.2.4 Dyanmic Code Execution Features
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    bandit-code: B310
    category: security
    cwe: 'CWE-939: Improper Authorization in Handler for Custom URL Scheme'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    shortlink: https://sg.run/dKZZ
    source: https://semgrep.dev/r/python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected
    source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/blacklists/calls.py#L163
    technology:
    - python
  patterns:
  - pattern-not: urllib.$W("...")
  - pattern-not: urllib.request.$W("...")
  - pattern-not: $OPENER.$W("...")
  - pattern-either:
    - pattern: urllib.urlopen(...)
    - pattern: urllib.request.urlopen(...)
    - pattern: urllib.urlretrieve(...)
    - pattern: urllib.request.urlretrieve(...)
    - patterns:
      - pattern-either:
        - pattern-inside: |
            $OPENER = urllib.URLopener(...)
            ...
        - pattern-inside: |
            $OPENER = urllib.request.URLopener(...)
            ...
        - pattern-inside: |
            $OPENER = urllib.FancyURLopener(...)
            ...
        - pattern-inside: |
            $OPENER = urllib.request.FancyURLopener(...)
            ...
      - pattern-either:
        - pattern: $OPENER.open(...)
        - pattern: $OPENER.retrieve(...)
  severity: WARNING
- id: python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation
  languages:
  - python
  message: certificate verification explicitly disabled, insecure connections possible
  metadata:
    category: security
    cwe: 'CWE-295: Improper Certificate Validation'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    shortlink: https://sg.run/b7yp
    source: https://semgrep.dev/r/python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation
    technology:
    - python
  patterns:
  - pattern-either:
    - pattern: urllib3.PoolManager(..., cert_reqs=$REQS, ...)
    - pattern: urllib3.ProxyManager(..., cert_reqs=$REQS, ...)
    - pattern: urllib3.HTTPSConnectionPool(..., cert_reqs=$REQS, ...)
    - pattern: urllib3.connectionpool.HTTPSConnectionPool(..., cert_reqs=$REQS, ...)
    - pattern: urllib3.connection_from_url(..., cert_reqs=$REQS, ...)
    - pattern: urllib3.proxy_from_url(..., cert_reqs=$REQS, ...)
    - pattern: $CONTEXT.wrap_socket(..., cert_reqs=$REQS, ...)
    - pattern: ssl.wrap_socket(..., cert_reqs=$REQS, ...)
  - metavariable-regex:
      metavariable: $REQS
      regex: (NONE|CERT_NONE|CERT_OPTIONAL|ssl\.CERT_NONE|ssl\.CERT_OPTIONAL|\'NONE\'|\"NONE\"|\'OPTIONAL\'|\"OPTIONAL\")
  severity: ERROR
- id: python.sqlalchemy.correctness.delete-where.delete-where-no-execute
  languages:
  - python
  message: .delete().where(...) results in a no-op in SQLAlchemy unless the command
    is executed, use .filter(...).delete() instead.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/KWp7
    source: https://semgrep.dev/r/python.sqlalchemy.correctness.delete-where.delete-where-no-execute
    technology:
    - sqlalchemy
  patterns:
  - pattern: $X.delete().where(...)
  - pattern-not-inside: $X.delete().where(...).execute()
  - pattern-not-inside: $C.execute(...)
  severity: ERROR
- id: python.sqlalchemy.performance.performance-improvements.len-all-count
  languages:
  - python
  message: Using QUERY.count() instead of len(QUERY.all()) sends less data to the
    client since the SQLAlchemy method is performed server-side.
  metadata:
    category: performance
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/4y8g
    source: https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.len-all-count
    technology:
    - sqlalchemy
  pattern: len($X.all())
  severity: WARNING
- id: python.sqlalchemy.performance.performance-improvements.batch-import
  languages:
  - python
  message: Rather than adding one element at a time, consider batch loading to improve
    performance.
  metadata:
    category: performance
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/PprN
    source: https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.batch-import
    technology:
    - sqlalchemy
  pattern: |
    for $X in $Y:
      db.session.add($Z)
  severity: WARNING
- fix-regex:
    regex: (.*)\)
    replacement: \1, quoting=csv.QUOTE_ALL)
  id: python.lang.security.unquoted-csv-writer.unquoted-csv-writer
  languages:
  - python
  message: Found an unquoted CSV writer. This is susceptible to injection. Use 'quoting=csv.QUOTE_ALL'.
  metadata:
    category: security
    cwe: 'CWE-1236: Improper Neutralization of Formula Elements in a CSV File'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://affinity-it-security.com/how-to-prevent-csv-injection/
    shortlink: https://sg.run/b7vp
    source: https://semgrep.dev/r/python.lang.security.unquoted-csv-writer.unquoted-csv-writer
    technology:
    - python
  patterns:
  - pattern-not: csv.writer(..., quoting=csv.QUOTE_ALL, ...)
  - pattern-not: csv.writer(..., quoting=1, ...)
  - pattern-not: csv.writer(..., dialect='unix', ...)
  - pattern-not: csv.writer(..., dialect=csv.unix_dialect, ...)
  - pattern: csv.writer(...)
  severity: ERROR
- id: python.django.security.injection.raw-html-format.raw-html-format
  languages:
  - python
  message: Detected user input flowing into a manually constructed HTML string. You
    may be accidentally bypassing secure methods of rendering HTML by manually constructing
    HTML and this could create a cross-site scripting vulnerability, which could let
    attackers steal sensitive user data. To be sure this is safe, check that the HTML
    is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which
    will safely render HTML instead.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp:
    - A07:2017
    - A03:2021
    references:
    - https://docs.djangoproject.com/en/3.2/topics/http/shortcuts/#render
    - https://docs.djangoproject.com/en/3.2/topics/security/#cross-site-scripting-xss-protection
    shortlink: https://sg.run/oYj1
    source: https://semgrep.dev/r/python.django.security.injection.raw-html-format.raw-html-format
    technology:
    - django
  mode: taint
  pattern-sanitizers:
  - pattern: django.utils.html.escape(...)
  pattern-sinks:
  - patterns:
    - pattern-either:
      - patterns:
        - pattern-either:
          - pattern: '"$HTMLSTR" % ...'
          - pattern: '"$HTMLSTR".format(...)'
          - pattern: '"$HTMLSTR" + ...'
          - pattern: f"$HTMLSTR{...}..."
      - patterns:
        - pattern-inside: |
            $HTML = "$HTMLSTR"
            ...
        - pattern-either:
          - pattern: $HTML % ...
          - pattern: $HTML.format(...)
          - pattern: $HTML + ...
    - metavariable-pattern:
        language: generic
        metavariable: $HTMLSTR
        pattern: <$TAG ...
  pattern-sources:
  - patterns:
    - pattern: request.$ANYTHING
    - pattern-not: request.build_absolute_uri
  severity: WARNING
- id: python.flask.security.injection.raw-html-concat.raw-html-format
  languages:
  - python
  message: Detected user input flowing into a manually constructed HTML string. You
    may be accidentally bypassing secure methods of rendering HTML by manually constructing
    HTML and this could create a cross-site scripting vulnerability, which could let
    attackers steal sensitive user data. To be sure this is safe, check that the HTML
    is rendered safely. Otherwise, use templates (`flask.render_template`) which will
    safely render HTML instead.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp:
    - A07:2017
    - A03:2021
    references:
    - https://flask.palletsprojects.com/en/2.0.x/security/#cross-site-scripting-xss
    shortlink: https://sg.run/Pb7e
    source: https://semgrep.dev/r/python.flask.security.injection.raw-html-concat.raw-html-format
    technology:
    - flask
  mode: taint
  pattern-sanitizers:
  - pattern: jinja2.escape(...)
  - pattern: flask.escape(...)
  - pattern: flask.render_template("~=/.*\.html", ...)
  pattern-sinks:
  - patterns:
    - pattern-either:
      - patterns:
        - pattern-either:
          - pattern: '"$HTMLSTR" % ...'
          - pattern: '"$HTMLSTR".format(...)'
          - pattern: '"$HTMLSTR" + ...'
          - pattern: f"$HTMLSTR{...}..."
      - patterns:
        - pattern-inside: |
            $HTML = "$HTMLSTR"
            ...
        - pattern-either:
          - pattern: $HTML % ...
          - pattern: $HTML.format(...)
          - pattern: $HTML + ...
    - metavariable-pattern:
        language: generic
        metavariable: $HTMLSTR
        pattern: <$TAG ...
  pattern-sources:
  - patterns:
    - pattern-either:
      - pattern: flask.request.$ANYTHING
      - patterns:
        - pattern-inside: |
            @$APP.route(...)
            def $FUNC(..., $ROUTEVAR, ...):
              ...
        - pattern: $ROUTEVAR
  severity: WARNING
- id: python.lang.correctness.useless-eqeq.useless-eqeq
  languages:
  - python
  message: 'This expression is always True: `$X == $X` or `$X != $X`. If testing for
    floating point NaN, use `math.isnan($X)`, or `cmath.isnan($X)` if the number is
    complex.'
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/GeAp
    source: https://semgrep.dev/r/python.lang.correctness.useless-eqeq.useless-eqeq
    technology:
    - python
  patterns:
  - pattern-not-inside: |
      def __eq__(...):
          ...
  - pattern-not-inside: |
      def __cmp__(...):
          ...
  - pattern-not-inside: assert(...)
  - pattern-not-inside: assert ..., ...
  - pattern-not-inside: assertTrue(...)
  - pattern-not-inside: assertFalse(...)
  - pattern-either:
    - pattern: $X == $X
    - pattern: $X != $X
  - pattern-not: 1 == 1
  severity: ERROR
- id: python.django.security.audit.raw-query.avoid-raw-sql
  languages:
  - python
  message: 'Detected the use of ''RawSQL'' or ''raw'' indicating the execution of
    a non-parameterized SQL query. This could lead to a SQL injection and therefore
    protected information could be leaked. Instead, use Django ORM and parameterized
    queries before raw SQL. An example of using the Django ORM is: `People.objects.get(name=''Bob'')`'
  metadata:
    category: security
    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
      (''SQL Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#raw-sql-expressions
    - https://blog.r2c.dev/2020/preventing-sql-injection-a-django-authors-perspective/
    shortlink: https://sg.run/weDA
    source: https://semgrep.dev/r/python.django.security.audit.raw-query.avoid-raw-sql
    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b611_django_rawsql_used.html
    technology:
    - django
  patterns:
  - pattern-either:
    - pattern: $MODEL.objects.raw($QUERY, ...)
    - pattern: django.db.models.expressions.RawSQL(...)
  - pattern-not: $MODEL.objects.raw("...")
  - pattern-not: django.db.models.expressions.RawSQL("...")
  severity: ERROR
- id: python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter
  languages:
  - python
  message: Passing a formatted string as first parameter to `format_html` disables
    the proper encoding of variables. Any HTML in the first parameter is not encoded.
    Using a formatted string as first parameter obscures which parameters are encoded.
    Correct use of `format_html` is passing a static format string as first parameter,
    and the variables to substitute as subsequent parameters.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html
    shortlink: https://sg.run/lxQo
    source: https://semgrep.dev/r/python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter
    technology:
    - django
  pattern-either:
  - pattern: format_html(<... f"..." ...>, ...)
  - pattern: format_html("..." % ..., ...)
  - pattern: format_html("...".format(...), ...)
  severity: WARNING
- fix-regex:
    regex: MONGODB-CR
    replacement: SCRAM-SHA-256
  id: python.pymongo.security.mongodb.mongo-client-bad-auth
  languages:
  - python
  message: Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is
    no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html
    for details).
  metadata:
    category: security
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/YXRd
    source: https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth
    technology:
    - pymongo
  pattern: |
    pymongo.MongoClient(..., authMechanism='MONGODB-CR')
  severity: WARNING
- id: python.django.maintainability.duplicate-path-assignment.duplicate-path-assignment
  languages:
  - python
  message: path for `$URL` is uselessly assigned twice
  metadata:
    category: maintainability
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/65e1
    source: https://semgrep.dev/r/python.django.maintainability.duplicate-path-assignment.duplicate-path-assignment
    technology:
    - django
  patterns:
  - pattern: |
      [..., django.urls.path('$URL', $VIEW, ...), ..., django.urls.path('$URL', $VIEW, ...), ...]
  severity: WARNING
- id: python.django.maintainability.duplicate-path-assignment.conflicting-path-assignment
  languages:
  - python
  message: The path for `$URL` is assigned once to view `$VIEW` and once to `$DIFFERENT_VIEW`,
    which can lead to unexpected behavior. Verify what the intended target view is
    and delete the other route.
  metadata:
    category: maintainability
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/owp0
    source: https://semgrep.dev/r/python.django.maintainability.duplicate-path-assignment.conflicting-path-assignment
    technology:
    - django
  patterns:
  - pattern: |
      [..., django.urls.path('$URL', $VIEW, ...), ..., django.urls.path('$URL', $DIFFERENT_VIEW, ...), ...]
  - pattern-not: |
      [..., django.urls.path('$URL', $VIEW, ...), ..., django.urls.path('$URL', $VIEW, ...), ...]
  severity: ERROR
- id: python.django.maintainability.duplicate-path-assignment.duplicate-path-assignment-different-names
  languages:
  - python
  message: path for `$URL` is assigned twice with different names
  metadata:
    category: maintainability
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/z9Gd
    source: https://semgrep.dev/r/python.django.maintainability.duplicate-path-assignment.duplicate-path-assignment-different-names
    technology:
    - django
  patterns:
  - pattern: |
      [..., django.urls.path('$URL', $VIEW, name='$NAME', ...), ..., django.urls.path('$URL', $VIEW, name='$OTHER_NAME', ...), ...]
  - pattern-not: |
      [..., django.urls.path('$URL', $VIEW, name='$NAME', ...), ..., django.urls.path('$URL', $VIEW, name='$NAME', ...), ...]
  severity: WARNING
- id: python.django.maintainability.duplicate-path-assignment.duplicate-name-assignment
  languages:
  - python
  message: The name `$NAME` is used for both `$URL` and `$OTHER_URL`, which can lead
    to unexpected behavior when using URL reversing. Pick a unique name for each path.
  metadata:
    category: maintainability
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    references:
    - https://docs.djangoproject.com/en/3.2/topics/http/urls/#naming-url-patterns
    shortlink: https://sg.run/pk2Z
    source: https://semgrep.dev/r/python.django.maintainability.duplicate-path-assignment.duplicate-name-assignment
    technology:
    - django
  patterns:
  - pattern: |
      [..., django.urls.path('$URL', $VIEW, name='$NAME', ...), ..., django.urls.path('$OTHER_URL', $OTHER_VIEW, name='$NAME', ...), ...]
  - pattern-not: |
      [..., django.urls.path('$URL', $VIEW, name='$NAME', ...), ..., django.urls.path('$URL', $VIEW, name='$NAME', ...), ...]
  - pattern-not: |
      [..., django.urls.path('$URL', $VIEW, name='$NAME', ...), ..., django.urls.path('$URL', $OTHER_VIEW, name='$NAME', ...), ...]
  - pattern-not: |
      [..., django.urls.path('$URL', $VIEW, name='$NAME', ...), ..., django.urls.path('$OTHER_URL', $VIEW, name='$NAME', ...), ...]
  severity: ERROR
- id: python.django.security.audit.avoid-mark-safe.avoid-mark-safe
  languages:
  - python
  message: '''mark_safe()'' is used to mark a string as "safe" for HTML output. This
    disables escaping and could therefore subject the content to XSS attacks. Use
    ''django.utils.html.format_html()'' to build HTML for rendering instead.'
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.safestring.mark_safe
    - https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.html.format_html
    shortlink: https://sg.run/yd0P
    source: https://semgrep.dev/r/python.django.security.audit.avoid-mark-safe.avoid-mark-safe
    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b703_django_mark_safe.html
    technology:
    - django
  patterns:
  - pattern-not-inside: django.utils.html.format_html(...)
  - pattern-not: django.utils.safestring.mark_safe("...")
  - pattern: django.utils.safestring.mark_safe(...)
  severity: WARNING
- id: python.django.security.audit.extends-custom-expression.extends-custom-expression
  languages:
  - python
  message: 'Found extension of custom expression: $CLASS. Extending expressions in
    this way could inadvertently lead to a SQL injection vulnerability, which can
    result in attackers exfiltrating sensitive data. Instead, ensure no user input
    enters this function or that user input is properly sanitized.'
  metadata:
    category: security
    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
      (''SQL Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#avoiding-sql-injection
    - https://blog.r2c.dev/2020/preventing-sql-injection-a-django-authors-perspective/
    shortlink: https://sg.run/N4Ay
    source: https://semgrep.dev/r/python.django.security.audit.extends-custom-expression.extends-custom-expression
    technology:
    - django
  pattern-either:
  - pattern: |
      class $CLASS(..., django.db.models.Func, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.Func, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.Expression, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.Expression, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.Value, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.Value, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.DurationValue, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.DurationValue, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.RawSQL, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.RawSQL, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.Star, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.Star, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.Random, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.Random, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.Col, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.Col, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.Ref, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.Ref, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.ExpressionList, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.ExpressionList, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.ExpressionWrapper, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.ExpressionWrapper, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.When, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.When, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.Case, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.Case, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.Subquery, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.Subquery, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.Exists, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.Exists, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.Window, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.Window, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.WindowFrame, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.WindowFrame, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.RowRange, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.RowRange, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.ValueRange, ...):
          ...
  - pattern: |
      class $CLASS(..., django.db.models.expressions.ValueRange, ...):
          ...
  severity: WARNING
- id: python.django.security.injection.code.user-exec.user-exec
  languages:
  - python
  message: Found user data in a call to 'exec'. This is extremely dangerous because
    it can enable an attacker to execute arbitrary remote code on the system. Instead,
    refactor your code to not use 'eval' and instead use a safe library for the specific
    functionality you need.
  metadata:
    category: security
    cwe: 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
      (''Eval Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://owasp.org/www-community/attacks/Code_Injection
    shortlink: https://sg.run/5Q3X
    source: https://semgrep.dev/r/python.django.security.injection.code.user-exec.user-exec
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $F(...):
        ...
  - pattern-either:
    - pattern: exec(..., request.$W.get(...), ...)
    - pattern: |
        $V = request.$W.get(...)
        ...
        exec(..., $V, ...)
    - pattern: exec(..., request.$W(...), ...)
    - pattern: |
        $V = request.$W(...)
        ...
        exec(..., $V, ...)
    - pattern: exec(..., request.$W[...], ...)
    - pattern: |
        $V = request.$W[...]
        ...
        exec(..., $V, ...)
  severity: WARNING
- id: python.flask.security.audit.secure-set-cookie.secure-set-cookie
  languages:
  - python
  message: Found a Flask cookie without secure, httponly, or samesite correctly set.
    Flask cookies should be handled securely by setting secure=True, httponly=True,
    and samesite='Lax' in response.set_cookie(...). If these parameters are not properly
    set, your cookies are not properly protected and are at risk of being stolen by
    an attacker. Include the 'secure=True', 'httponly=True', samesite='Lax' arguments
    or set these to be true in the Flask configuration.
  metadata:
    category: security
    cwe: 'CWE-614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://blog.r2c.dev/2020/bento-check-keeping-cookies-safe-in-flask/
    - https://bento.dev/checks/flask/secure-set-cookie/
    - https://flask.palletsprojects.com/en/1.1.x/security/#set-cookie-options
    shortlink: https://sg.run/gLkZ
    source: https://semgrep.dev/r/python.flask.security.audit.secure-set-cookie.secure-set-cookie
    technology:
    - flask
  patterns:
  - pattern-either:
    - pattern-inside: |
        $RESP = flask.make_response(...)
        ...
    - pattern-inside: |
        $RESP = flask.Response(...)
        ...
  - pattern-not: $RESPONSE.set_cookie(..., secure=$A, httponly=$B, samesite=$C, ...)
  - pattern-not: $RESPONSE.set_cookie(..., **$A)
  - pattern: $RESPONSE.set_cookie(...)
  severity: WARNING
- id: python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization
  languages:
  - python
  message: Detected a user-controlled `filename` that could flow to `flask.send_file()`
    function. This could lead to an attacker reading arbitrary file from the system,
    leaking private information. Make sure to properly sanitize filename or use `flask.send_from_directory`
  metadata:
    category: security
    cwe: 'CWE-73: External Control of File Name or Path'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    shortlink: https://sg.run/weGP
    source: https://semgrep.dev/r/python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization
    technology:
    - flask
  patterns:
  - pattern-inside: |
      @app.route(...)
      def $X(filename):
        ...
  - pattern: flask.send_file(filename, ...)
  severity: WARNING
- fix-regex:
    regex: (.*)\)
    replacement: \1, autoescape=True)
  id: python.jinja2.security.audit.autoescape-disabled.autoescape-disabled
  languages:
  - python
  message: Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape
    by default. This is dangerous if you are rendering to a browser because this allows
    for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping
    by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()'
    to only enable automatic escaping for certain file extensions.
  metadata:
    category: security
    cwe: 'CWE-116: Improper Encoding or Escaping of Output'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    references:
    - https://jinja.palletsprojects.com/en/2.11.x/api/#basics
    shortlink: https://sg.run/KlGX
    source: https://semgrep.dev/r/python.jinja2.security.audit.autoescape-disabled.autoescape-disabled
    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b701_jinja2_autoescape_false.html
    technology:
    - jinja2
  patterns:
  - pattern-not: jinja2.Environment(..., autoescape=True, ...)
  - pattern-not: jinja2.Environment(..., autoescape=jinja2.select_autoescape(...),
      ...)
  - pattern: jinja2.Environment(...)
  severity: WARNING
- id: python.lang.best-practice.unspecified-open-encoding.unspecified-open-encoding
  languages:
  - python
  message: Missing 'encoding' parameter. 'open()' uses device locale encodings by
    default, corrupting files with special characters. Specify the encoding to ensure
    cross-platform support when opening files in text mode (e.g. encoding="utf-8").
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    references:
    - https://www.python.org/dev/peps/pep-0597/
    - https://docs.python.org/3/library/functions.html#open
    shortlink: https://sg.run/1z8x
    source: https://semgrep.dev/r/python.lang.best-practice.unspecified-open-encoding.unspecified-open-encoding
    technology:
    - python
  patterns:
  - pattern-inside: open(...)
  - pattern-not: open(..., encoding="...", ...)
  - pattern-not: open($F, "...", $B, "...", ...)
  - pattern-either:
    - pattern: open($FILE)
    - patterns:
      - pattern: open($FILE, ...)
      - pattern-not: open($FILE, $M, ...)
      - pattern-not-regex: open\(.*(?:encoding|mode)=.*\)
    - patterns:
      - pattern: open($FILE, $MODE, ...)
      - metavariable-regex:
          metavariable: $MODE
          regex: (?!.*b.*)
    - patterns:
      - pattern: open($FILE, ..., mode=$MODE, ...)
      - metavariable-regex:
          metavariable: $MODE
          regex: (?!.*b.*)
  severity: WARNING
- id: python.lang.correctness.sync-sleep-in-async-code.sync-sleep-in-async-code
  languages:
  - python
  message: Synchronous time.sleep in async code will block the event loop and not
    allow other tasks to execute. Use asyncio.sleep() instead.
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/9vrz
    source: https://semgrep.dev/r/python.lang.correctness.sync-sleep-in-async-code.sync-sleep-in-async-code
    technology:
    - python
  patterns:
  - pattern: time.sleep(...)
  - pattern-inside: |
      async def $F(...):
        ...
  - pattern-not-inside: |
      async def $F(...):
        def $INNER(...):
          ...
  severity: WARNING
- id: python.lang.security.audit.eval-detected.eval-detected
  languages:
  - python
  message: Detected the use of eval(). eval() can be dangerous if used to evaluate
    dynamic content. If this content can be input from outside the program, this may
    be a code injection vulnerability. Ensure evaluated content is not definable by
    external sources.
  metadata:
    asvs:
      control_id: 5.2.4 Dyanmic Code Execution Features
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
      (''Eval Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    shortlink: https://sg.run/ZvrD
    source: https://semgrep.dev/r/python.lang.security.audit.eval-detected.eval-detected
    source-rule-url: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b307-eval
    technology:
    - python
  patterns:
  - pattern-not: eval("...")
  - pattern: eval(...)
  severity: WARNING
- id: python.lang.security.audit.exec-detected.exec-detected
  languages:
  - python
  message: Detected the use of exec(). exec() can be dangerous if used to evaluate
    dynamic content. If this content can be input from outside the program, this may
    be a code injection vulnerability. Ensure evaluated content is not definable by
    external sources.
  metadata:
    asvs:
      control_id: 5.2.4 Dyanmic Code Execution Features
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
      (''Eval Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    shortlink: https://sg.run/ndRX
    source: https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected
    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b102_exec_used.html
    technology:
    - python
  patterns:
  - pattern-not: exec("...")
  - pattern: exec(...)
  severity: WARNING
- id: python.lang.security.audit.logging.listeneval.listen-eval
  languages:
  - python
  message: Because portions of the logging configuration are passed through eval(),
    use of this function may open its users to a security risk. While the function
    only binds to a socket on localhost, and so does not accept connections from remote
    machines, there are scenarios where untrusted code could be run under the account
    of the process which calls listen(). To avoid this happening, use the `verify()`
    argument to `listen()` to prevent unrecognized configurations.
  metadata:
    category: security
    cwe: 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
      (''Eval Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    references:
    - https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen
    shortlink: https://sg.run/9okY
    source: https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval
    technology:
    - python
  pattern: logging.config.listen(...)
  severity: WARNING
- id: python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text
  languages:
  - python
  message: sqlalchemy.text passes the constructed SQL statement to the database mostly
    unchanged. This means that the usual SQL injection protections are not applied
    and this function is vulnerable to SQL injection if user input can reach here.
    Use normal SQLAlchemy operators (such as or_, and_, etc.) to construct SQL.
  metadata:
    category: security
    confidence: MEDIUM
    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
      (''SQL Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp:
    - A03:2021 - Injection
    - A01:2017 - Injection
    references:
    - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql
    shortlink: https://sg.run/yP1O
    source: https://semgrep.dev/r/python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text
    technology:
    - sqlalchemy
  patterns:
  - pattern: sqlalchemy.text(...)
  - pattern-not-inside: sqlalchemy.text("...")
  severity: ERROR
- id: python.flask.security.injection.tainted-url-host.tainted-url-host
  languages:
  - python
  message: User data flows into the host portion of this manually-constructed URL.
    This could allow an attacker to send data to their own server, potentially exposing
    sensitive data such as cookies or authorization information sent with this request.
    They could also probe internal servers or other resources that the server runnig
    this code can access. (This is called server-side request forgery, or SSRF.) Do
    not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode
    the correct host.
  metadata:
    category: security
    cwe: 'CWE-918: Server-Side Request Forgery (SSRF)'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp:
    - A10:2021
    - A01:2017
    references:
    - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
    shortlink: https://sg.run/RXpK
    source: https://semgrep.dev/r/python.flask.security.injection.tainted-url-host.tainted-url-host
    technology:
    - flask
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern-either:
      - patterns:
        - pattern: '"$URLSTR" % ...'
        - metavariable-pattern:
            language: generic
            metavariable: $URLSTR
            patterns:
            - pattern-either:
              - pattern: $SCHEME://%s
              - pattern: $SCHEME://%r
      - patterns:
        - pattern: '"$URLSTR".format(...)'
        - metavariable-pattern:
            language: generic
            metavariable: $URLSTR
            pattern: $SCHEME:// { ... }
      - patterns:
        - pattern: '"$URLSTR" + ...'
        - metavariable-regex:
            metavariable: $URLSTR
            regex: .*://$
      - patterns:
        - pattern: f"$URLSTR{...}..."
        - metavariable-regex:
            metavariable: $URLSTR
            regex: .*://$
      - patterns:
        - pattern-inside: |
            $URL = "$URLSTR"
            ...
        - pattern: $URL += ...
        - metavariable-regex:
            metavariable: $URLSTR
            regex: .*://$
  pattern-sources:
  - patterns:
    - pattern-either:
      - pattern: flask.request.$ANYTHING
      - patterns:
        - pattern-inside: |
            @$APP.route(...)
            def $FUNC(..., $ROUTEVAR, ...):
              ...
        - pattern: $ROUTEVAR
  severity: WARNING
- id: python.django.security.injection.tainted-sql-string.tainted-sql-string
  languages:
  - python
  message: Detected user input used to manually construct a SQL string. This is usually
    bad practice because manual construction could accidentally result in a SQL injection.
    An attacker could use a SQL injection to steal or modify contents of the database.
    Instead, use a parameterized query which is available by default in most database
    engines. Alternatively, consider using the Django object-relational mappers (ORM)
    instead of raw SQL queries.
  metadata:
    category: security
    cwe: |
      CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp:
    - A01:2017 - Injection
    - A03:2021 - Injection
    references:
    - https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection
    shortlink: https://sg.run/PbZp
    source: https://semgrep.dev/r/python.django.security.injection.tainted-sql-string.tainted-sql-string
    technology:
    - django
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern-either:
      - pattern: |
          "$SQLSTR" + ...
      - pattern: |
          "$SQLSTR" % ...
      - pattern: |
          "$SQLSTR".format(...)
      - pattern: |
          f"$SQLSTR{...}..."
    - metavariable-regex:
        metavariable: $SQLSTR
        regex: \s*(?i)(select|delete|insert|create|update|alter|drop)\b.*
  pattern-sources:
  - patterns:
    - pattern: request.$ANYTHING
    - pattern-not: request.build_absolute_uri
  severity: ERROR
- id: python.flask.security.injection.tainted-sql-string.tainted-sql-string
  languages:
  - python
  message: Detected user input used to manually construct a SQL string. This is usually
    bad practice because manual construction could accidentally result in a SQL injection.
    An attacker could use a SQL injection to steal or modify contents of the database.
    Instead, use a parameterized query which is available by default in most database
    engines. Alternatively, consider using an object-relational mapper (ORM) such
    as SQLAlchemy which will protect your queries.
  metadata:
    category: security
    cwe: |
      CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp:
    - A01:2017 - Injection
    - A03:2021 - Injection
    references:
    - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql
    - https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm
    - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column
    shortlink: https://sg.run/JxZj
    source: https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string
    technology:
    - sqlalchemy
    - flask
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern-either:
      - pattern: |
          "$SQLSTR" + ...
      - pattern: |
          "$SQLSTR" % ...
      - pattern: |
          "$SQLSTR".format(...)
      - pattern: |
          f"$SQLSTR{...}..."
    - metavariable-regex:
        metavariable: $SQLSTR
        regex: \s*(?i)(select|delete|insert|create|update|alter|drop)\b.*
  pattern-sources:
  - patterns:
    - pattern-either:
      - pattern: flask.request.$ANYTHING
      - patterns:
        - pattern-inside: |
            @$APP.route(...)
            def $FUNC(..., $ROUTEVAR, ...):
              ...
        - pattern: $ROUTEVAR
  severity: ERROR
- id: python.lang.security.audit.md5-used-as-password.md5-used-as-password
  languages:
  - python
  message: It looks like MD5 is used as a password hash. MD5 is not considered a secure
    password hash because it can be cracked by an attacker in a short amount of time.
    Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`.
  metadata:
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp:
    - A02:2017 - Broken Authentication
    - A02:2021 - Cryptographic Failures
    references:
    - https://tools.ietf.org/html/rfc6151
    - https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision
    - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html
    - https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords
    - https://github.com/returntocorp/semgrep-rules/issues/1609
    - https://docs.python.org/3/library/hashlib.html#hashlib.scrypt
    shortlink: https://sg.run/5DwD
    source: https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password
    technology:
    - pycryptodome
    - hashlib
    - md5
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern: $FUNCTION(...)
    - metavariable-regex:
        metavariable: $FUNCTION
        regex: (?i)(.*password.*)
  pattern-sources:
  - patterns:
    - pattern-either:
      - pattern: hashlib.md5
      - pattern: hashlib.new(..., name="MD5", ...)
      - pattern: Cryptodome.Hash.MD5
      - pattern: Crypto.Hash.MD5
      - pattern: cryptography.hazmat.primitives.hashes.MD5
  severity: WARNING
- id: python.aws-lambda.security.mysql-sqli.mysql-sqli
  languages:
  - python
  message: 'Detected SQL statement that is tainted by `event` object. This could lead
    to SQL injection if the variable is user-controlled and not properly sanitized.
    In order to prevent SQL injection, used parameterized queries or prepared statements
    instead. You can use parameterized statements like so: `cursor.execute(''SELECT
    * FROM projects WHERE status = %s'', (''active''))`'
  metadata:
    category: security
    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
      (''SQL Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-execute.html
    - https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-executemany.html
    shortlink: https://sg.run/1RjG
    source: https://semgrep.dev/r/python.aws-lambda.security.mysql-sqli.mysql-sqli
    technology:
    - aws-lambda
    - mysql
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern: $QUERY
    - pattern-either:
      - pattern-inside: $CURSOR.execute($QUERY,...)
      - pattern-inside: $CURSOR.executemany($QUERY,...)
    - pattern-either:
      - pattern-inside: |
          import mysql
          ...
      - pattern-inside: |
          import mysql.cursors
          ...
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  severity: WARNING
- id: python.aws-lambda.security.psycopg-sqli.psycopg-sqli
  languages:
  - python
  message: 'Detected SQL statement that is tainted by `event` object. This could lead
    to SQL injection if the variable is user-controlled and not properly sanitized.
    In order to prevent SQL injection, used parameterized queries or prepared statements
    instead. You can use parameterized statements like so: `cursor.execute(''SELECT
    * FROM projects WHERE status = %s'', ''active'')`'
  metadata:
    category: security
    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
      (''SQL Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://www.psycopg.org/docs/cursor.html#cursor.execute
    - https://www.psycopg.org/docs/cursor.html#cursor.executemany
    - https://www.psycopg.org/docs/cursor.html#cursor.mogrify
    shortlink: https://sg.run/9L8r
    source: https://semgrep.dev/r/python.aws-lambda.security.psycopg-sqli.psycopg-sqli
    technology:
    - aws-lambda
    - psycopg
    - psycopg2
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern: $QUERY
    - pattern-either:
      - pattern-inside: $CURSOR.execute($QUERY,...)
      - pattern-inside: $CURSOR.executemany($QUERY,...)
      - pattern-inside: $CURSOR.mogrify($QUERY,...)
    - pattern-inside: |
        import psycopg2
        ...
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  severity: WARNING
- id: python.aws-lambda.security.pymssql-sqli.pymssql-sqli
  languages:
  - python
  message: 'Detected SQL statement that is tainted by `event` object. This could lead
    to SQL injection if the variable is user-controlled and not properly sanitized.
    In order to prevent SQL injection, used parameterized queries or prepared statements
    instead. You can use parameterized statements like so: `cursor.execute(''SELECT
    * FROM projects WHERE status = %s'', ''active'')`'
  metadata:
    category: security
    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
      (''SQL Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://pypi.org/project/pymssql/
    shortlink: https://sg.run/yXvP
    source: https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli
    technology:
    - aws-lambda
    - pymssql
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern: $QUERY
    - pattern-inside: $CURSOR.execute($QUERY,...)
    - pattern-inside: |
        import pymssql
        ...
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  severity: WARNING
- id: python.aws-lambda.security.pymysql-sqli.pymysql-sqli
  languages:
  - python
  message: 'Detected SQL statement that is tainted by `event` object. This could lead
    to SQL injection if the variable is user-controlled and not properly sanitized.
    In order to prevent SQL injection, used parameterized queries or prepared statements
    instead. You can use parameterized statements like so: `cursor.execute(''SELECT
    * FROM projects WHERE status = %s'', (''active''))`'
  metadata:
    category: security
    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
      (''SQL Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://pypi.org/project/PyMySQL/#id4
    shortlink: https://sg.run/reve
    source: https://semgrep.dev/r/python.aws-lambda.security.pymysql-sqli.pymysql-sqli
    technology:
    - aws-lambda
    - pymysql
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern: $QUERY
    - pattern-inside: $CURSOR.execute($QUERY,...)
    - pattern-either:
      - pattern-inside: |
          import pymysql
          ...
      - pattern-inside: |
          import pymysql.cursors
          ...
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  severity: WARNING
- id: python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli
  languages:
  - python
  message: 'Detected SQL statement that is tainted by `event` object. This could lead
    to SQL injection if the variable is user-controlled and not properly sanitized.
    In order to prevent SQL injection, used parameterized queries or prepared statements
    instead. You can use parameterized statements like so: `cursor.execute(''SELECT
    * FROM projects WHERE status = ?'', ''active'')`'
  metadata:
    category: security
    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
      (''SQL Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Connection.execute
    shortlink: https://sg.run/b48W
    source: https://semgrep.dev/r/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli
    technology:
    - aws-lambda
    - sqlalchemy
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern: $QUERY
    - pattern-inside: $CURSOR.execute($QUERY,...)
    - pattern-inside: |
        import sqlalchemy
        ...
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  severity: WARNING
- id: python.aws-lambda.security.tainted-code-exec.tainted-code-exec
  languages:
  - python
  message: Detected the use of `exec/eval`.This can be dangerous if used to evaluate
    dynamic content. If this content can be input from outside the program, this may
    be a code injection vulnerability. Ensure evaluated content is not definable by
    external sources.
  metadata:
    asvs:
      control_id: 5.2.4 Dyanmic Code Execution Features
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
      (''Eval Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    shortlink: https://sg.run/Ng7y
    source: https://semgrep.dev/r/python.aws-lambda.security.tainted-code-exec.tainted-code-exec
    technology:
    - python
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern-either:
      - pattern: eval($CODE, ...)
      - pattern: exec($CODE, ...)
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  severity: WARNING
- id: python.aws-lambda.security.tainted-html-response.tainted-html-response
  languages:
  - python
  message: Detected user input flowing into an HTML response. You may be accidentally
    bypassing secure methods of rendering HTML by manually constructing HTML and this
    could create a cross-site scripting vulnerability, which could let attackers steal
    sensitive user data.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp:
    - A07:2017
    - A03:2021
    shortlink: https://sg.run/k9vP
    source: https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response
    technology:
    - aws-lambda
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern: $BODY
    - pattern-inside: |
        {..., "headers": {..., "Content-Type": "text/html", ...}, "body": $BODY, ... }
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  severity: WARNING
- id: python.correctness.suppressed-exception-handling-finally-break.suppressed-exception-handling-finally-break
  languages:
  - python
  message: Having a `break`, `continue`, or `return` in a `finally` block will cause
    strange behaviors, like exceptions not being caught.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    references:
    - https://docs.python.org/3/reference/compound_stmts.html#the-try-statement
    - https://www.python.org/dev/peps/pep-0601/#rejection-note
    shortlink: https://sg.run/xXvL
    source: https://semgrep.dev/r/python.correctness.suppressed-exception-handling-finally-break.suppressed-exception-handling-finally-break
    technology:
    - python
  patterns:
  - pattern-either:
    - pattern: |
        try:
          ...
        except $EXCEPTION:
          ...
        finally:
          ...
          break
    - pattern: |
        try:
          ...
        except $EXCEPTION:
          ...
        finally:
          ...
          continue
    - pattern: |
        try:
          ...
        except $EXCEPTION:
          ...
        finally:
          ...
          return ...
    - pattern: |
        try:
          ...
          return ...
        finally:
          ...
          return ...
  severity: WARNING
- fix-regex:
    regex: (SECP192R1|SECT163K1|SECT163R2)
    replacement: SECP256R1
  id: python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size
  languages:
  - python
  message: Detected an insufficient curve size for EC. NIST recommends a key size
    of 224 or higher. For example, use 'ec.SECP256R1'.
  metadata:
    category: security
    cwe: 'CWE-326: Inadequate Encryption Strength'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
    - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#elliptic-curves
    shortlink: https://sg.run/GeQq
    source: https://semgrep.dev/r/python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size
    source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
    technology:
    - cryptography
  patterns:
  - pattern-inside: cryptography.hazmat.primitives.asymmetric.ec.generate_private_key(...)
  - pattern-either:
    - pattern: cryptography.hazmat.primitives.asymmetric.ec.SECP192R1
    - pattern: cryptography.hazmat.primitives.asymmetric.ec.SECT163K1
    - pattern: cryptography.hazmat.primitives.asymmetric.ec.SECT163R2
  severity: WARNING
- id: python.django.security.nan-injection.nan-injection
  languages:
  - python
  message: Found user input going directly into typecast for bool(), float(), or complex().
    This allows  an attacker to inject Python's not-a-number (NaN) into the typecast.
    This results in undefind behavior, particularly when doing comparisons. Either
    cast to a different type, or add a guard checking for all capitalizations of the
    string 'nan'.
  metadata:
    category: security
    cwe: 'CWE-704: Incorrect Type Conversion or Cast'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    references:
    - https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868
    - https://blog.bitdiscovery.com/2021/12/python-nan-injection/
    shortlink: https://sg.run/Og7L
    source: https://semgrep.dev/r/python.django.security.nan-injection.nan-injection
    technology:
    - django
  mode: taint
  pattern-sanitizers:
  - not_conflicting: true
    pattern: $ANYTHING(...)
  pattern-sinks:
  - patterns:
    - pattern-either:
      - pattern: float(...)
      - pattern: bool(...)
      - pattern: complex(...)
    - pattern-not-inside: |
        if $COND:
          ...
        ...
  pattern-sources:
  - patterns:
    - pattern-inside: |
        def $FUNC(request, ...):
          ...
    - pattern-either:
      - pattern: request.$PROPERTY.get(...)
      - pattern: request.$PROPERTY[...]
  severity: ERROR
- id: python.flask.security.injection.nan-injection.nan-injection
  languages:
  - python
  message: Found user input going directly into typecast for bool(), float(), or complex().
    This allows  an attacker to inject Python's not-a-number (NaN) into the typecast.
    This results in undefind behavior, particularly when doing comparisons. Either
    cast to a different type, or add a guard checking for all capitalizations of the
    string 'nan'.
  metadata:
    category: security
    cwe: 'CWE-704: Incorrect Type Conversion or Cast'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    references:
    - https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868
    - https://blog.bitdiscovery.com/2021/12/python-nan-injection/
    shortlink: https://sg.run/e598
    source: https://semgrep.dev/r/python.flask.security.injection.nan-injection.nan-injection
    technology:
    - flask
  mode: taint
  pattern-sanitizers:
  - not_conflicting: true
    pattern: $ANYTHING(...)
  pattern-sinks:
  - pattern-either:
    - pattern: float(...)
    - pattern: bool(...)
    - pattern: complex(...)
  pattern-sources:
  - pattern-either:
    - pattern: flask.request.$SOMETHING.get(...)
    - pattern: flask.request.$SOMETHING[...]
    - patterns:
      - pattern-inside: |
          @$APP.route(...)
          def $FUNC(..., $ROUTEVAR, ...):
            ...
      - pattern: $ROUTEVAR
  severity: ERROR
- id: python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec
  languages:
  - python
  message: Detected 'create_subprocess_exec' function with argument tainted by `event`
    object. If this data can be controlled by a malicious actor, it may be an instance
    of command injection. Audit the use of this call to ensure it is not controllable
    by an external resource. You may consider using 'shlex.escape()'.
  metadata:
    asvs:
      control_id: 5.3.8 OS Command Injection
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec
    - https://docs.python.org/3/library/shlex.html
    shortlink: https://sg.run/oyv0
    source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec
    technology:
    - python
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern: $CMD
    - pattern-either:
      - pattern-inside: asyncio.create_subprocess_exec($PROG, $CMD, ...)
      - pattern-inside: asyncio.create_subprocess_exec($PROG, [$CMD, ...], ...)
      - pattern-inside: asyncio.subprocess.create_subprocess_exec($PROG, $CMD, ...)
      - pattern-inside: asyncio.subprocess.create_subprocess_exec($PROG, [$CMD, ...],
          ...)
      - pattern-inside: asyncio.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/",
          "-c", $CMD, ...)
      - pattern-inside: asyncio.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/",
          "-c", $CMD, ...], ...)
      - pattern-inside: asyncio.subprocess.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/",
          "-c", $CMD, ...)
      - pattern-inside: asyncio.subprocess.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/",
          "-c", $CMD, ...], ...)
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  severity: ERROR
- id: python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec
  languages:
  - python
  message: Detected subprocess function '$LOOP.subprocess_exec' with argument tainted
    by `event` object. If this data can be controlled by a malicious actor, it may
    be an instance of command injection. Audit the use of this call to ensure it is
    not controllable by an external resource. You may consider using 'shlex.escape()'.
  metadata:
    asvs:
      control_id: 5.3.8 OS Command Injection
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec
    - https://docs.python.org/3/library/shlex.html
    shortlink: https://sg.run/z14d
    source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec
    technology:
    - python
    - aws-lambda
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern: $CMD
    - pattern-either:
      - pattern-inside: $LOOP.subprocess_exec($PROTOCOL, $CMD, ...)
      - pattern-inside: $LOOP.subprocess_exec($PROTOCOL, [$CMD, ...], ...)
      - pattern-inside: $LOOP.subprocess_exec($PROTOCOL, "=~/(sh|bash|ksh|csh|tcsh|zsh)/",
          "-c", $CMD, ...)
      - pattern-inside: $LOOP.subprocess_exec($PROTOCOL, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/",
          "-c", $CMD, ...], ...)
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  severity: ERROR
- id: python.django.security.injection.tainted-url-host.tainted-url-host
  languages:
  - python
  message: User data flows into the host portion of this manually-constructed URL.
    This could allow an attacker to send data to their own server, potentially exposing
    sensitive data such as cookies or authorization information sent with this request.
    They could also probe internal servers or other resources that the server runnig
    this code can access. (This is called server-side request forgery, or SSRF.) Do
    not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode
    the correct host.
  metadata:
    category: security
    cwe: 'CWE-918: Server-Side Request Forgery (SSRF)'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp:
    - A10:2021
    - A01:2017
    references:
    - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
    shortlink: https://sg.run/oYz6
    source: https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host
    technology:
    - flask
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern-either:
      - patterns:
        - pattern: '"$URLSTR" % ...'
        - metavariable-pattern:
            language: generic
            metavariable: $URLSTR
            patterns:
            - pattern-either:
              - pattern: $SCHEME://%s
              - pattern: $SCHEME://%r
      - patterns:
        - pattern: '"$URLSTR".format(...)'
        - metavariable-pattern:
            language: generic
            metavariable: $URLSTR
            pattern: $SCHEME:// { ... }
      - patterns:
        - pattern: '"$URLSTR" + ...'
        - metavariable-regex:
            metavariable: $URLSTR
            regex: .*://$
      - patterns:
        - pattern: f"$URLSTR{...}..."
        - metavariable-regex:
            metavariable: $URLSTR
            regex: .*://$
      - patterns:
        - pattern-inside: |
            $URL = "$URLSTR"
            ...
        - pattern: $URL += ...
        - metavariable-regex:
            metavariable: $URLSTR
            regex: .*://$
  pattern-sources:
  - patterns:
    - pattern: request.$ANYTHING
    - pattern-not: request.build_absolute_uri
  severity: WARNING
- id: python.aws-lambda.security.tainted-html-string.tainted-html-string
  languages:
  - python
  message: Detected user input flowing into a manually constructed HTML string. You
    may be accidentally bypassing secure methods of rendering HTML by manually constructing
    HTML and this could create a cross-site scripting vulnerability, which could let
    attackers steal sensitive user data. To be sure this is safe, check that the HTML
    is rendered safely. Otherwise, use templates which will safely render HTML instead.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp:
    - A07:2017
    - A03:2021
    shortlink: https://sg.run/8zNy
    source: https://semgrep.dev/r/python.aws-lambda.security.tainted-html-string.tainted-html-string
    technology:
    - aws-lambda
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern-either:
      - patterns:
        - pattern-either:
          - pattern: '"$HTMLSTR" % ...'
          - pattern: '"$HTMLSTR".format(...)'
          - pattern: '"$HTMLSTR" + ...'
          - pattern: f"$HTMLSTR{...}..."
      - patterns:
        - pattern-inside: |
            $HTML = "$HTMLSTR"
            ...
        - pattern-either:
          - pattern: $HTML % ...
          - pattern: $HTML.format(...)
          - pattern: $HTML + ...
    - metavariable-pattern:
        language: generic
        metavariable: $HTMLSTR
        pattern: <$TAG ...
    - pattern-not-inside: |
        print(...)
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  severity: WARNING
- id: python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-rc4
  languages:
  - python
  message: Detected RC4 cipher algorithm which is considered insecure. The algorithm
    has many known vulnerabilities. Use AES instead.
  metadata:
    bandit-code: B304
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://crypto.stackexchange.com/questions/853/google-is-using-rc4-but-isnt-rc4-considered-unsafe
    - https://sweet32.info/
    shortlink: https://sg.run/gL40
    source: https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-rc4
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L94
    technology:
    - cryptography
  pattern: cryptography.hazmat.primitives.ciphers.algorithms.ARC4(...)
  severity: WARNING
- id: python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size
  languages:
  - python
  message: Detected an insufficient key size for DSA. NIST recommends a key size of
    2048 or higher.
  metadata:
    category: security
    cwe: 'CWE-326: Inadequate Encryption Strength'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
    shortlink: https://sg.run/5Qb0
    source: https://semgrep.dev/r/python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size
    source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
    technology:
    - cryptography
  patterns:
  - pattern-either:
    - pattern: cryptography.hazmat.primitives.asymmetric.dsa.generate_private_key(...,
        key_size=$SIZE, ...)
    - pattern: cryptography.hazmat.primitives.asymmetric.dsa.generate_private_key($SIZE,
        ...)
  - metavariable-comparison:
      comparison: $SIZE < 2048
      metavariable: $SIZE
  severity: WARNING
- id: python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size
  languages:
  - python
  message: Detected an insufficient key size for RSA. NIST recommends a key size of
    2048 or higher.
  metadata:
    category: security
    cwe: 'CWE-326: Inadequate Encryption Strength'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
    shortlink: https://sg.run/RoQq
    source: https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size
    source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
    technology:
    - cryptography
  patterns:
  - pattern-either:
    - pattern: cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key(...,
        key_size=$SIZE, ...)
    - pattern: cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key($EXP,
        $SIZE, ...)
  - metavariable-comparison:
      comparison: $SIZE < 2048
      metavariable: $SIZE
  severity: WARNING
- fix: distributed.security.Security(..., require_encryption=True, ...)
  id: python.distributed.security.require-encryption
  languages:
  - python
  message: Initializing the a security context for Dask (`distributed`) without "require_encription"
    keyword argument may silently fail to provide security. See https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters
  metadata:
    category: security
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/AvQ2
    source: https://semgrep.dev/r/python.distributed.security.require-encryption
    technology:
    - distributed
  patterns:
  - pattern-not: |
      distributed.security.Security(..., require_encryption=True, ...)
  - pattern: |
      distributed.security.Security(...)
  severity: WARNING
- id: python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config
  languages:
  - python
  message: Django REST framework configuration is missing default rate- limiting options.
    This could inadvertently allow resource starvation or Denial of Service (DoS)
    attacks. Add 'DEFAULT_THROTTLE_CLASSES' and 'DEFAULT_THROTTLE_RATES' to add rate-limiting
    to your application.
  metadata:
    category: security
    cwe: 'CWE-400: Uncontrolled Resource Consumption'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    references:
    - https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy
    shortlink: https://sg.run/vzBY
    source: https://semgrep.dev/r/python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config
    technology:
    - django
  patterns:
  - pattern-not-inside: |
      REST_FRAMEWORK = {
        ...,
        "DEFAULT_THROTTLE_RATES": ...
      }
  - pattern: |
      REST_FRAMEWORK = ...
  severity: WARNING
- id: python.django.security.audit.secure-cookies.django-secure-set-cookie
  languages:
  - python
  message: Django cookies should be handled securely by setting secure=True, httponly=True,
    and samesite='Lax' in response.set_cookie(...). If your situation calls for different
    settings, explicitly disable the setting. If you want to send the cookie over
    http, set secure=False.  If you want to let client-side JavaScript read the cookie,
    set httponly=False. If you want to attach cookies to requests for external sites,
    set samesite=None.
  metadata:
    asvs:
      control_id: 3.4 Missing Cookie Attributes
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management
      section: 'V3: Session Management Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpResponse.set_cookie
    - https://blog.r2c.dev/2020/bento-check-keeping-cookies-safe-in-flask/
    - https://bento.dev/checks/flask/secure-set-cookie/
    shortlink: https://sg.run/x1WL
    source: https://semgrep.dev/r/python.django.security.audit.secure-cookies.django-secure-set-cookie
    technology:
    - django
  patterns:
  - pattern-either:
    - pattern-inside: |
        import django.http.HttpResponse
        ...
    - pattern-inside: |
        import django.shortcuts.render
        ...
  - pattern-not-inside: |
      LANGUAGE_QUERY_PARAMETER = 'language'
      ...
      def set_language(request):
          ...
      # Exclude vendored contrib/messages/storage/cookie.py
  - pattern-not-inside: |
      class CookieStorage(django.contrib.messages.storage.base.BaseStorage):
          ...
      # Exclude cookies handled by vendored middleware
  - pattern-not: response.set_cookie(django.conf.settings.SESSION_COOKIE_NAME, ...)
  - pattern-not: response.set_cookie(django.conf.settings.CSRF_COOKIE_NAME, ...)
  - pattern-not: response.set_cookie(django.conf.settings.LANGUAGE_COOKIE_NAME, ...)
  - pattern-not: response.set_cookie(rest_framework_jwt.settings.api_settings.JWT_AUTH_COOKIE,
      ...)
  - pattern-not: response.set_cookie(..., secure=$A, httponly=$B, samesite=$C, ...)
  - pattern-not: response.set_cookie(..., **$A)
  - pattern: response.set_cookie(...)
  severity: WARNING
- id: python.django.security.audit.templates.debug-template-tag.debug-template-tag
  languages:
  - generic
  message: Detected a debug template tag in a Django template. This dumps debugging
    information to the page when debug mode is enabled. Showing debug information
    to users is dangerous because it may reveal information about your environment
    that malicious actors can use to gain access to the system. Remove the debug tag.
  metadata:
    category: security
    cwe: 'CWE-489: Active Debug Code'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    references:
    - https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#debug
    - https://stackoverflow.com/questions/2213977/django-debug-display-all-variables-of-a-page
    shortlink: https://sg.run/dK3E
    source: https://semgrep.dev/r/python.django.security.audit.templates.debug-template-tag.debug-template-tag
    technology:
    - django
  pattern: '{% debug %}'
  severity: WARNING
- id: python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe
  languages:
  - python
  message: Detected Django filters flagged with 'is_safe'. 'is_safe' tells Django
    not to apply escaping on the value returned by this filter (although the input
    is escaped). Used improperly, 'is_safe' could expose your application to cross-site
    scripting (XSS) vulnerabilities. Ensure this filter does not 1) add HTML characters,
    2) remove characters, or 3) use external data in any way. Consider instead removing
    'is_safe' and explicitly marking safe content with 'mark_safe()'.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://docs.djangoproject.com/en/3.1/topics/security/#cross-site-scripting-xss-protection
    - https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping
    - https://stackoverflow.com/questions/7665512/why-use-is-safe
    shortlink: https://sg.run/7o12
    source: https://semgrep.dev/r/python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe
    technology:
    - django
  pattern: |-
    @register.filter(..., is_safe=True, ...)
    def $FILTER(...):
      ...
  severity: WARNING
- fix-regex:
    regex: (autoescape.*?)False
    replacement: \1True
  id: python.django.security.audit.xss.global-autoescape-off.global-autoescape-off
  languages:
  - python
  message: 'Autoescape is globally disbaled for this Django application. If you are
    rendering any web pages, this exposes your application to cross-site scripting
    (XSS) vulnerabilities. Remove ''autoescape: False'' or set it to ''True''.'
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://docs.djangoproject.com/en/3.1/ref/settings/#templates
    - https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates
    shortlink: https://sg.run/LwG6
    source: https://semgrep.dev/r/python.django.security.audit.xss.global-autoescape-off.global-autoescape-off
    technology:
    - django
  pattern: |
    {..., 'BACKEND': ..., 'OPTIONS': {..., 'autoescape': False, ...}, ...}
  severity: WARNING
- id: python.django.security.audit.xss.html-magic-method.html-magic-method
  languages:
  - python
  message: The `__html__` method indicates to the Django template engine that the
    value is 'safe' for rendering. This means that normal HTML escaping will not be
    applied to the return value. This exposes your application to cross-site scripting
    (XSS) vulnerabilities. If you need to render raw HTML, consider instead using
    `mark_safe()` which more clearly marks the intent to render raw HTML than a class
    with a magic method.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#conditional_escape
    - https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5
    shortlink: https://sg.run/8y9N
    source: https://semgrep.dev/r/python.django.security.audit.xss.html-magic-method.html-magic-method
    technology:
    - django
  patterns:
  - pattern-inside: |
      class $CLASS(...):
        ...
  - pattern: |
      def __html__(...):
        ...
  severity: WARNING
- id: python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape
  languages:
  - generic
  message: Translated strings will not be escaped when rendered in a template. This
    leads to a vulnerability where translators could include malicious script tags
    in their translations. Consider using `force_escape` to explicitly escape a translated
    text.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates
    - https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code
    shortlink: https://sg.run/3xpK
    source: https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape
    technology:
    - django
  patterns:
  - pattern-either:
    - pattern: |
        {% blocktranslate...%}
    - pattern: |
        {% blocktrans...%}
  - pattern-not-inside: |
      {%...filter...force_escape...%}
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      {%...endfilter...%}
  severity: INFO
- id: python.django.security.audit.xss.template-href-var.template-href-var
  languages:
  - regex
  message: Detected a template variable used in an anchor tag with the 'href' attribute.
    This allows a malicious actor to input the 'javascript:' URI and is subject to
    cross- site scripting (XSS) attacks. Use the 'url' template tag to safely generate
    a URL. You may also consider setting the Content Security Policy (CSP) header.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss
    - https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#url
    - https://content-security-policy.com/
    shortlink: https://sg.run/4x25
    source: https://semgrep.dev/r/python.django.security.audit.xss.template-href-var.template-href-var
    technology:
    - django
  paths:
    include:
    - '*.html'
  pattern-regex: .*href\s*=\s*[\"\']?{{\s*.*
  severity: WARNING
- id: python.django.security.injection.code.user-eval-format-string.user-eval-format-string
  languages:
  - python
  message: Found user data in a call to 'eval'. This is extremely dangerous because
    it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection
    for more information.
  metadata:
    category: security
    cwe: 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
      (''Eval Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
    shortlink: https://sg.run/4x2z
    source: https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $F(...):
        ...
  - pattern-either:
    - pattern: eval(..., $STR % request.$W.get(...), ...)
    - pattern: |
        $V = request.$W.get(...)
        ...
        eval(..., $STR % $V, ...)
    - pattern: |
        $V = request.$W.get(...)
        ...
        $S = $STR % $V
        ...
        eval(..., $S, ...)
    - pattern: eval(..., "..." % request.$W(...), ...)
    - pattern: |
        $V = request.$W(...)
        ...
        eval(..., $STR % $V, ...)
    - pattern: |
        $V = request.$W(...)
        ...
        $S = $STR % $V
        ...
        eval(..., $S, ...)
    - pattern: eval(..., $STR % request.$W[...], ...)
    - pattern: |
        $V = request.$W[...]
        ...
        eval(..., $STR % $V, ...)
    - pattern: |
        $V = request.$W[...]
        ...
        $S = $STR % $V
        ...
        eval(..., $S, ...)
    - pattern: eval(..., $STR.format(..., request.$W.get(...), ...), ...)
    - pattern: |
        $V = request.$W.get(...)
        ...
        eval(..., $STR.format(..., $V, ...), ...)
    - pattern: |
        $V = request.$W.get(...)
        ...
        $S = $STR.format(..., $V, ...)
        ...
        eval(..., $S, ...)
    - pattern: eval(..., $STR.format(..., request.$W(...), ...), ...)
    - pattern: |
        $V = request.$W(...)
        ...
        eval(..., $STR.format(..., $V, ...), ...)
    - pattern: |
        $V = request.$W(...)
        ...
        $S = $STR.format(..., $V, ...)
        ...
        eval(..., $S, ...)
    - pattern: eval(..., $STR.format(..., request.$W[...], ...), ...)
    - pattern: |
        $V = request.$W[...]
        ...
        eval(..., $STR.format(..., $V, ...), ...)
    - pattern: |
        $V = request.$W[...]
        ...
        $S = $STR.format(..., $V, ...)
        ...
        eval(..., $S, ...)
    - pattern: |
        $V = request.$W.get(...)
        ...
        eval(..., f"...{$V}...", ...)
    - pattern: |
        $V = request.$W.get(...)
        ...
        $S = f"...{$V}..."
        ...
        eval(..., $S, ...)
    - pattern: |
        $V = request.$W(...)
        ...
        eval(..., f"...{$V}...", ...)
    - pattern: |
        $V = request.$W(...)
        ...
        $S = f"...{$V}..."
        ...
        eval(..., $S, ...)
    - pattern: |
        $V = request.$W[...]
        ...
        eval(..., f"...{$V}...", ...)
    - pattern: |
        $V = request.$W[...]
        ...
        $S = f"...{$V}..."
        ...
        eval(..., $S, ...)
  severity: WARNING
- id: python.django.security.injection.email.xss-html-email-body.xss-html-email-body
  languages:
  - python
  message: Found request data in an EmailMessage that is set to use HTML. This is
    dangerous because HTML emails are susceptible to XSS. An attacker could inject
    data into this HTML email, causing XSS.
  metadata:
    category: security
    cwe: 'CWE-74: Improper Neutralization of Special Elements in Output Used by a
      Downstream Component (''Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://www.damonkohler.com/2008/12/email-injection.html
    shortlink: https://sg.run/RoBe
    source: https://semgrep.dev/r/python.django.security.injection.email.xss-html-email-body.xss-html-email-body
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $FUNC(...):
        ...
        $EMAIL.content_subtype = "html"
        ...
  - pattern-either:
    - pattern: django.core.mail.EmailMessage($SUBJ, request.$W.get(...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.core.mail.EmailMessage($SUBJ, $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $DATA
        ...
        django.core.mail.EmailMessage($SUBJ, $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.core.mail.EmailMessage($SUBJ, $B.$C(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $B.$C(..., $DATA, ...)
        ...
        django.core.mail.EmailMessage($SUBJ, $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.core.mail.EmailMessage($SUBJ, $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % $DATA
        ...
        django.core.mail.EmailMessage($SUBJ, $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.core.mail.EmailMessage($SUBJ, f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.core.mail.EmailMessage($SUBJ, $INTERM, ...)
    - pattern: $A = django.core.mail.EmailMessage($SUBJ, request.$W.get(...), ...)
    - pattern: return django.core.mail.EmailMessage($SUBJ, request.$W.get(...), ...)
    - pattern: django.core.mail.EmailMessage($SUBJ, request.$W(...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.core.mail.EmailMessage($SUBJ, $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $DATA
        ...
        django.core.mail.EmailMessage($SUBJ, $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.core.mail.EmailMessage($SUBJ, $B.$C(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $B.$C(..., $DATA, ...)
        ...
        django.core.mail.EmailMessage($SUBJ, $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.core.mail.EmailMessage($SUBJ, $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % $DATA
        ...
        django.core.mail.EmailMessage($SUBJ, $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.core.mail.EmailMessage($SUBJ, f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.core.mail.EmailMessage($SUBJ, $INTERM, ...)
    - pattern: $A = django.core.mail.EmailMessage($SUBJ, request.$W(...), ...)
    - pattern: return django.core.mail.EmailMessage($SUBJ, request.$W(...), ...)
    - pattern: django.core.mail.EmailMessage($SUBJ, request.$W[...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.core.mail.EmailMessage($SUBJ, $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $DATA
        ...
        django.core.mail.EmailMessage($SUBJ, $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.core.mail.EmailMessage($SUBJ, $B.$C(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $B.$C(..., $DATA, ...)
        ...
        django.core.mail.EmailMessage($SUBJ, $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.core.mail.EmailMessage($SUBJ, $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % $DATA
        ...
        django.core.mail.EmailMessage($SUBJ, $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.core.mail.EmailMessage($SUBJ, f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.core.mail.EmailMessage($SUBJ, $INTERM, ...)
    - pattern: $A = django.core.mail.EmailMessage($SUBJ, request.$W[...], ...)
    - pattern: return django.core.mail.EmailMessage($SUBJ, request.$W[...], ...)
    - pattern: django.core.mail.EmailMessage($SUBJ, request.$W, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.core.mail.EmailMessage($SUBJ, $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $DATA
        ...
        django.core.mail.EmailMessage($SUBJ, $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.core.mail.EmailMessage($SUBJ, $B.$C(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $B.$C(..., $DATA, ...)
        ...
        django.core.mail.EmailMessage($SUBJ, $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.core.mail.EmailMessage($SUBJ, $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % $DATA
        ...
        django.core.mail.EmailMessage($SUBJ, $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.core.mail.EmailMessage($SUBJ, f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.core.mail.EmailMessage($SUBJ, $INTERM, ...)
    - pattern: $A = django.core.mail.EmailMessage($SUBJ, request.$W, ...)
    - pattern: return django.core.mail.EmailMessage($SUBJ, request.$W, ...)
  severity: WARNING
- id: python.django.security.injection.mass-assignment.mass-assignment
  languages:
  - python
  message: Mass assignment detected. This can result in assignment to model fields
    that are unintended and can be exploited by an attacker. Instead of using '**request.$W',
    assign each field you want to edit individually to prevent mass assignment. You
    can read more about mass assignment at https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html.
  metadata:
    category: security
    cwe: 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object
      Attributes'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    owaspapi: 'API6: Mass Assignment'
    references:
    - https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html
    shortlink: https://sg.run/Ro0q
    source: https://semgrep.dev/r/python.django.security.injection.mass-assignment.mass-assignment
    technology:
    - django
  pattern-either:
  - pattern: $MODEL.objects.create(**request.$W)
  - pattern: |
      $OBJ.update(**request.$W)
      ...
      $OBJ.save()
  severity: WARNING
- id: python.django.security.injection.open-redirect.open-redirect
  languages:
  - python
  message: Data from request ($DATA) is passed to redirect(). This is an open redirect
    and could be exploited. Ensure you are redirecting to safe URLs by using django.utils.http.is_safe_url().
    See https://cwe.mitre.org/data/definitions/601.html for more information.
  metadata:
    category: security
    cwe: 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://www.djm.org.uk/posts/djangos-little-protections-word-redirect-dangers/
    - https://github.com/django/django/blob/d1b7bd030b1db111e1a3505b1fc029ab964382cc/django/utils/http.py#L231
    shortlink: https://sg.run/Ave2
    source: https://semgrep.dev/r/python.django.security.injection.open-redirect.open-redirect
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $FUNC(...):
        ...
  - pattern-not-inside: |
      def $FUNC(...):
        ...
        django.utils.http.is_safe_url(...)
        ...
  - pattern-not-inside: |
      def $FUNC(...):
        ...
        if <... django.utils.http.is_safe_url(...) ...>:
          ...
  - pattern-either:
    - pattern: django.shortcuts.redirect(..., request.$W.get(...), ...)
    - pattern: django.shortcuts.redirect(..., $S.format(..., request.$W.get(...),
        ...), ...)
    - pattern: django.shortcuts.redirect(..., $S % request.$W.get(...), ...)
    - pattern: django.shortcuts.redirect(..., f"...{request.$W.get(...)}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.shortcuts.redirect(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $DATA
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.shortcuts.redirect(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.shortcuts.redirect(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % $DATA
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.shortcuts.redirect(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.shortcuts.redirect(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR + $DATA
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: $A = django.shortcuts.redirect(..., request.$W.get(...), ...)
    - pattern: $A = django.shortcuts.redirect(..., $S.format(..., request.$W.get(...),
        ...), ...)
    - pattern: $A = django.shortcuts.redirect(..., $S % request.$W.get(...), ...)
    - pattern: $A = django.shortcuts.redirect(..., f"...{request.$W.get(...)}...",
        ...)
    - pattern: return django.shortcuts.redirect(..., request.$W.get(...), ...)
    - pattern: return django.shortcuts.redirect(..., $S.format(..., request.$W.get(...),
        ...), ...)
    - pattern: return django.shortcuts.redirect(..., $S % request.$W.get(...), ...)
    - pattern: return django.shortcuts.redirect(..., f"...{request.$W.get(...)}...",
        ...)
    - pattern: django.shortcuts.redirect(..., request.$W(...), ...)
    - pattern: django.shortcuts.redirect(..., $S.format(..., request.$W(...), ...),
        ...)
    - pattern: django.shortcuts.redirect(..., $S % request.$W(...), ...)
    - pattern: django.shortcuts.redirect(..., f"...{request.$W(...)}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.shortcuts.redirect(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $DATA
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.shortcuts.redirect(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.shortcuts.redirect(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % $DATA
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.shortcuts.redirect(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.shortcuts.redirect(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR + $DATA
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: $A = django.shortcuts.redirect(..., request.$W(...), ...)
    - pattern: $A = django.shortcuts.redirect(..., $S.format(..., request.$W(...),
        ...), ...)
    - pattern: $A = django.shortcuts.redirect(..., $S % request.$W(...), ...)
    - pattern: $A = django.shortcuts.redirect(..., f"...{request.$W(...)}...", ...)
    - pattern: return django.shortcuts.redirect(..., request.$W(...), ...)
    - pattern: return django.shortcuts.redirect(..., $S.format(..., request.$W(...),
        ...), ...)
    - pattern: return django.shortcuts.redirect(..., $S % request.$W(...), ...)
    - pattern: return django.shortcuts.redirect(..., f"...{request.$W(...)}...", ...)
    - pattern: django.shortcuts.redirect(..., request.$W[...], ...)
    - pattern: django.shortcuts.redirect(..., $S.format(..., request.$W[...], ...),
        ...)
    - pattern: django.shortcuts.redirect(..., $S % request.$W[...], ...)
    - pattern: django.shortcuts.redirect(..., f"...{request.$W[...]}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.shortcuts.redirect(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $DATA
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.shortcuts.redirect(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.shortcuts.redirect(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % $DATA
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.shortcuts.redirect(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.shortcuts.redirect(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR + $DATA
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: $A = django.shortcuts.redirect(..., request.$W[...], ...)
    - pattern: $A = django.shortcuts.redirect(..., $S.format(..., request.$W[...],
        ...), ...)
    - pattern: $A = django.shortcuts.redirect(..., $S % request.$W[...], ...)
    - pattern: $A = django.shortcuts.redirect(..., f"...{request.$W[...]}...", ...)
    - pattern: return django.shortcuts.redirect(..., request.$W[...], ...)
    - pattern: return django.shortcuts.redirect(..., $S.format(..., request.$W[...],
        ...), ...)
    - pattern: return django.shortcuts.redirect(..., $S % request.$W[...], ...)
    - pattern: return django.shortcuts.redirect(..., f"...{request.$W[...]}...", ...)
    - pattern: django.shortcuts.redirect(..., request.$W, ...)
    - pattern: django.shortcuts.redirect(..., $S.format(..., request.$W, ...), ...)
    - pattern: django.shortcuts.redirect(..., $S % request.$W, ...)
    - pattern: django.shortcuts.redirect(..., f"...{request.$W}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.shortcuts.redirect(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $DATA
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.shortcuts.redirect(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.shortcuts.redirect(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % $DATA
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.shortcuts.redirect(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.shortcuts.redirect(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR + $DATA
        ...
        django.shortcuts.redirect(..., $INTERM, ...)
    - pattern: $A = django.shortcuts.redirect(..., request.$W, ...)
    - pattern: $A = django.shortcuts.redirect(..., $S.format(..., request.$W, ...),
        ...)
    - pattern: $A = django.shortcuts.redirect(..., $S % request.$W, ...)
    - pattern: $A = django.shortcuts.redirect(..., f"...{request.$W}...", ...)
    - pattern: return django.shortcuts.redirect(..., request.$W, ...)
    - pattern: return django.shortcuts.redirect(..., $S.format(..., request.$W, ...),
        ...)
    - pattern: return django.shortcuts.redirect(..., $S % request.$W, ...)
    - pattern: return django.shortcuts.redirect(..., f"...{request.$W}...", ...)
    - pattern: django.http.HttpResponseRedirect(..., request.$W.get(...), ...)
    - pattern: django.http.HttpResponseRedirect(..., $S.format(..., request.$W.get(...),
        ...), ...)
    - pattern: django.http.HttpResponseRedirect(..., $S % request.$W.get(...), ...)
    - pattern: django.http.HttpResponseRedirect(..., f"...{request.$W.get(...)}...",
        ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.http.HttpResponseRedirect(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $DATA
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.http.HttpResponseRedirect(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.http.HttpResponseRedirect(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % $DATA
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.http.HttpResponseRedirect(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.http.HttpResponseRedirect(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR + $DATA
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: $A = django.http.HttpResponseRedirect(..., request.$W.get(...), ...)
    - pattern: $A = django.http.HttpResponseRedirect(..., $S.format(..., request.$W.get(...),
        ...), ...)
    - pattern: $A = django.http.HttpResponseRedirect(..., $S % request.$W.get(...),
        ...)
    - pattern: $A = django.http.HttpResponseRedirect(..., f"...{request.$W.get(...)}...",
        ...)
    - pattern: return django.http.HttpResponseRedirect(..., request.$W.get(...), ...)
    - pattern: return django.http.HttpResponseRedirect(..., $S.format(..., request.$W.get(...),
        ...), ...)
    - pattern: return django.http.HttpResponseRedirect(..., $S % request.$W.get(...),
        ...)
    - pattern: return django.http.HttpResponseRedirect(..., f"...{request.$W.get(...)}...",
        ...)
    - pattern: django.http.HttpResponseRedirect(..., request.$W(...), ...)
    - pattern: django.http.HttpResponseRedirect(..., $S.format(..., request.$W(...),
        ...), ...)
    - pattern: django.http.HttpResponseRedirect(..., $S % request.$W(...), ...)
    - pattern: django.http.HttpResponseRedirect(..., f"...{request.$W(...)}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.http.HttpResponseRedirect(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $DATA
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.http.HttpResponseRedirect(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.http.HttpResponseRedirect(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % $DATA
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.http.HttpResponseRedirect(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.http.HttpResponseRedirect(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR + $DATA
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: $A = django.http.HttpResponseRedirect(..., request.$W(...), ...)
    - pattern: $A = django.http.HttpResponseRedirect(..., $S.format(..., request.$W(...),
        ...), ...)
    - pattern: $A = django.http.HttpResponseRedirect(..., $S % request.$W(...), ...)
    - pattern: $A = django.http.HttpResponseRedirect(..., f"...{request.$W(...)}...",
        ...)
    - pattern: return django.http.HttpResponseRedirect(..., request.$W(...), ...)
    - pattern: return django.http.HttpResponseRedirect(..., $S.format(..., request.$W(...),
        ...), ...)
    - pattern: return django.http.HttpResponseRedirect(..., $S % request.$W(...),
        ...)
    - pattern: return django.http.HttpResponseRedirect(..., f"...{request.$W(...)}...",
        ...)
    - pattern: django.http.HttpResponseRedirect(..., request.$W[...], ...)
    - pattern: django.http.HttpResponseRedirect(..., $S.format(..., request.$W[...],
        ...), ...)
    - pattern: django.http.HttpResponseRedirect(..., $S % request.$W[...], ...)
    - pattern: django.http.HttpResponseRedirect(..., f"...{request.$W[...]}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.http.HttpResponseRedirect(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $DATA
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.http.HttpResponseRedirect(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.http.HttpResponseRedirect(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % $DATA
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.http.HttpResponseRedirect(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.http.HttpResponseRedirect(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR + $DATA
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: $A = django.http.HttpResponseRedirect(..., request.$W[...], ...)
    - pattern: $A = django.http.HttpResponseRedirect(..., $S.format(..., request.$W[...],
        ...), ...)
    - pattern: $A = django.http.HttpResponseRedirect(..., $S % request.$W[...], ...)
    - pattern: $A = django.http.HttpResponseRedirect(..., f"...{request.$W[...]}...",
        ...)
    - pattern: return django.http.HttpResponseRedirect(..., request.$W[...], ...)
    - pattern: return django.http.HttpResponseRedirect(..., $S.format(..., request.$W[...],
        ...), ...)
    - pattern: return django.http.HttpResponseRedirect(..., $S % request.$W[...],
        ...)
    - pattern: return django.http.HttpResponseRedirect(..., f"...{request.$W[...]}...",
        ...)
    - pattern: django.http.HttpResponseRedirect(..., request.$W, ...)
    - pattern: django.http.HttpResponseRedirect(..., $S.format(..., request.$W, ...),
        ...)
    - pattern: django.http.HttpResponseRedirect(..., $S % request.$W, ...)
    - pattern: django.http.HttpResponseRedirect(..., f"...{request.$W}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.http.HttpResponseRedirect(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $DATA
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.http.HttpResponseRedirect(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.http.HttpResponseRedirect(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % $DATA
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.http.HttpResponseRedirect(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.http.HttpResponseRedirect(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR + $DATA
        ...
        django.http.HttpResponseRedirect(..., $INTERM, ...)
    - pattern: $A = django.http.HttpResponseRedirect(..., request.$W, ...)
    - pattern: $A = django.http.HttpResponseRedirect(..., $S.format(..., request.$W,
        ...), ...)
    - pattern: $A = django.http.HttpResponseRedirect(..., $S % request.$W, ...)
    - pattern: $A = django.http.HttpResponseRedirect(..., f"...{request.$W}...", ...)
    - pattern: return django.http.HttpResponseRedirect(..., request.$W, ...)
    - pattern: return django.http.HttpResponseRedirect(..., $S.format(..., request.$W,
        ...), ...)
    - pattern: return django.http.HttpResponseRedirect(..., $S % request.$W, ...)
    - pattern: return django.http.HttpResponseRedirect(..., f"...{request.$W}...",
        ...)
  - metavariable-regex:
      metavariable: $W
      regex: (?!get_full_path)
  severity: WARNING
- fix-regex:
    regex: MD5
    replacement: SHA256
  id: python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-md5
  languages:
  - python
  message: Detected MD5 hash algorithm which is considered insecure. MD5 is not collision
    resistant and is therefore not suitable as a cryptographic signature. Use SHA256
    or SHA3 instead.
  metadata:
    bandit-code: B303
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://tools.ietf.org/html/rfc6151
    - https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision
    - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html
    shortlink: https://sg.run/PJQz
    source: https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-md5
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59
    technology:
    - cryptography
  pattern: cryptography.hazmat.primitives.hashes.MD5(...)
  severity: WARNING
- fix-regex:
    regex: SHA1
    replacement: SHA256
  id: python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1
  languages:
  - python
  message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
    collision resistant and is therefore not suitable as a cryptographic signature.
    Use SHA256 or SHA3 instead.
  metadata:
    bandit-code: B303
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
    - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability
    - http://2012.sharcs.org/slides/stevens.pdf
    - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html
    shortlink: https://sg.run/J9Qy
    source: https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59
    technology:
    - cryptography
  pattern: cryptography.hazmat.primitives.hashes.SHA1(...)
  severity: WARNING
- id: python.flask.security.injection.user-eval.eval-injection
  languages:
  - python
  message: Detected user data flowing into eval. This is code injection and should
    be avoided.
  metadata:
    category: security
    cwe: 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
      (''Eval Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
    shortlink: https://sg.run/5QpX
    source: https://semgrep.dev/r/python.flask.security.injection.user-eval.eval-injection
    technology:
    - flask
  pattern-either:
  - patterns:
    - pattern: eval(...)
    - pattern-either:
      - pattern-inside: |
          @$APP.route($ROUTE, ...)
          def $FUNC(..., $ROUTEVAR, ...):
            ...
            eval(..., <... $ROUTEVAR ...>, ...)
      - pattern-inside: |
          @$APP.route($ROUTE, ...)
          def $FUNC(..., $ROUTEVAR, ...):
            ...
            $INTERM = <... $ROUTEVAR ...>
            ...
            eval(..., <... $INTERM ...>, ...)
  - pattern: eval(..., <... flask.request.$W.get(...) ...>, ...)
  - pattern: eval(..., <... flask.request.$W[...] ...>, ...)
  - pattern: eval(..., <... flask.request.$W(...) ...>, ...)
  - pattern: eval(..., <... flask.request.$W ...>, ...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W.get(...) ...>
        ...
        eval(..., <... $INTERM ...>, ...)
    - pattern: eval(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W[...] ...>
        ...
        eval(..., <... $INTERM ...>, ...)
    - pattern: eval(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W(...) ...>
        ...
        eval(..., <... $INTERM ...>, ...)
    - pattern: eval(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W ...>
        ...
        eval(..., <... $INTERM ...>, ...)
    - pattern: eval(...)
  severity: ERROR
- id: python.flask.security.injection.user-exec.exec-injection
  languages:
  - python
  message: Detected user data flowing into exec. This is code injection and should
    be avoided.
  metadata:
    category: security
    cwe: 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
      (''Eval Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html
    shortlink: https://sg.run/Ge42
    source: https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection
    technology:
    - flask
  pattern-either:
  - patterns:
    - pattern: exec(...)
    - pattern-either:
      - pattern-inside: |
          @$APP.route($ROUTE, ...)
          def $FUNC(..., $ROUTEVAR, ...):
            ...
            exec(..., <... $ROUTEVAR ...>, ...)
      - pattern-inside: |
          @$APP.route($ROUTE, ...)
          def $FUNC(..., $ROUTEVAR, ...):
            ...
            $INTERM = <... $ROUTEVAR ...>
            ...
            exec(..., <... $INTERM ...>, ...)
  - pattern: exec(..., <... flask.request.$W.get(...) ...>, ...)
  - pattern: exec(..., <... flask.request.$W[...] ...>, ...)
  - pattern: exec(..., <... flask.request.$W(...) ...>, ...)
  - pattern: exec(..., <... flask.request.$W ...>, ...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W.get(...) ...>
        ...
        exec(..., <... $INTERM ...>, ...)
    - pattern: exec(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W[...] ...>
        ...
        exec(..., <... $INTERM ...>, ...)
    - pattern: exec(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W(...) ...>
        ...
        exec(..., <... $INTERM ...>, ...)
    - pattern: exec(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W ...>
        ...
        exec(..., <... $INTERM ...>, ...)
    - pattern: exec(...)
  severity: ERROR
- id: python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests
  languages:
  - python
  message: Data from request object is passed to a new server-side request. This could
    lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes
    and hosts are validated against an allowlist, do not forward the response to the
    user, and ensure proper authentication and transport-layer security in the proxied
    request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
    to learn more about SSRF vulnerabilities.
  metadata:
    category: security
    cwe: 'CWE-918: Server-Side Request Forgery (SSRF)'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
    shortlink: https://sg.run/YvY4
    source: https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $FUNC(...):
        ...
  - pattern-either:
    - pattern: requests.$METHOD(..., $S.format(..., request.$W.get(...), ...), ...)
    - pattern: requests.$METHOD(..., $S % request.$W.get(...), ...)
    - pattern: requests.$METHOD(..., f"...{request.$W.get(...)}...", ...)
    - pattern: requests.$METHOD(..., request.$W.get(...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        requests.$METHOD(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $DATA
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        requests.$METHOD(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        requests.$METHOD(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % $DATA
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        requests.$METHOD(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        requests.$METHOD(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR + $DATA
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: $A = requests.$METHOD(..., request.$W.get(...), ...)
    - pattern: return requests.$METHOD(..., request.$W.get(...), ...)
    - pattern: requests.$METHOD(..., $S.format(..., request.$W(...), ...), ...)
    - pattern: requests.$METHOD(..., $S % request.$W(...), ...)
    - pattern: requests.$METHOD(..., f"...{request.$W(...)}...", ...)
    - pattern: requests.$METHOD(..., request.$W(...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        requests.$METHOD(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $DATA
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        requests.$METHOD(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        requests.$METHOD(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % $DATA
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        requests.$METHOD(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        requests.$METHOD(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR + $DATA
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: $A = requests.$METHOD(..., request.$W(...), ...)
    - pattern: return requests.$METHOD(..., request.$W(...), ...)
    - pattern: requests.$METHOD(..., $S.format(..., request.$W[...], ...), ...)
    - pattern: requests.$METHOD(..., $S % request.$W[...], ...)
    - pattern: requests.$METHOD(..., f"...{request.$W[...]}...", ...)
    - pattern: requests.$METHOD(..., request.$W[...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        requests.$METHOD(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $DATA
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        requests.$METHOD(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        requests.$METHOD(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % $DATA
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        requests.$METHOD(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = f"...{$DATA}..."
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        requests.$METHOD(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR + $DATA
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: $A = requests.$METHOD(..., request.$W[...], ...)
    - pattern: return requests.$METHOD(..., request.$W[...], ...)
    - pattern: requests.$METHOD(..., $S.format(..., request.$W, ...), ...)
    - pattern: requests.$METHOD(..., $S % request.$W, ...)
    - pattern: requests.$METHOD(..., f"...{request.$W}...", ...)
    - pattern: requests.$METHOD(..., request.$W, ...)
    - pattern: |
        $DATA = request.$W
        ...
        requests.$METHOD(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $DATA
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        requests.$METHOD(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        requests.$METHOD(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % $DATA
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        requests.$METHOD(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = f"...{$DATA}..."
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        requests.$METHOD(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR + $DATA
        ...
        requests.$METHOD(..., $INTERM, ...)
    - pattern: $A = requests.$METHOD(..., request.$W, ...)
    - pattern: return requests.$METHOD(..., request.$W, ...)
  severity: ERROR
- id: python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator
  languages:
  - python
  message: 'Found a formatted string in BashOperator: $CMD. This could be vulnerable
    to injection. Be extra sure your variables are not controllable by external sources.'
  metadata:
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    shortlink: https://sg.run/ndBY
    source: https://semgrep.dev/r/python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator
    technology:
    - airflow
  pattern-either:
  - pattern: |
      airflow.operators.bash_operator.BashOperator(..., bash_command="..." + $CONCAT, ...)
  - pattern: |
      airflow.operators.bash_operator.BashOperator(..., bash_command="...".format(...), ...)
  - pattern: |
      airflow.operators.bash_operator.BashOperator(..., bash_command=f"...", ...)
  - pattern: |
      airflow.operators.bash_operator.BashOperator(..., bash_command="..." % $PARAMS, ...)
  - pattern: |
      $CMD = "..." % $PARAMS
      ...
      airflow.operators.bash_operator.BashOperator(..., bash_command=$CMD, ...)
  - pattern: |
      $CMD = $STR.format(...)
      ...
      airflow.operators.bash_operator.BashOperator(..., bash_command=$CMD, ...)
  - pattern: |
      $CMD = f"..."
      ...
      airflow.operators.bash_operator.BashOperator(..., bash_command=$CMD, ...)
  - pattern: |
      $CMD = "..." + $CONCAT
      ...
      airflow.operators.bash_operator.BashOperator(..., bash_command=$CMD, ...)
  - pattern: |
      $CMD = "..."
      ...
      $CMD += $CONCAT
      ...
      airflow.operators.bash_operator.BashOperator(..., bash_command=$CMD, ...)
  severity: ERROR
- id: python.flask.security.open-redirect.open-redirect
  languages:
  - python
  message: Data from request is passed to redirect(). This is an open redirect and
    could be exploited. Consider using 'url_for()' to generate links to known locations.
    If you must use a URL to unknown pages, consider using 'urlparse()' or similar
    and checking if the 'netloc' property is the same as your site's host name. See
    the references for more information.
  metadata:
    category: security
    cwe: 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://flask-login.readthedocs.io/en/latest/#login-example
    - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html#dangerous-url-redirect-example-1
    - https://docs.python.org/3/library/urllib.parse.html#url-parsing
    shortlink: https://sg.run/kXe2
    source: https://semgrep.dev/r/python.flask.security.open-redirect.open-redirect
    technology:
    - flask
  patterns:
  - pattern-inside: |
      @$APP.route(...)
      def $X(...):
        ...
  - pattern-not-inside: |
      @$APP.route(...)
      def $X(...):
        ...
        if <... werkzeug.urls.url_parse($V) ...>:
          ...
  - pattern-either:
    - pattern: flask.redirect(<... flask.request.$W.get(...) ...>, ...)
    - pattern: flask.redirect(<... flask.request.$W[...] ...>, ...)
    - pattern: flask.redirect(<... flask.request.$W(...) ...>, ...)
    - pattern: flask.redirect(<... flask.request.$W ...>, ...)
    - pattern: |
        $V = flask.request.$W.get(...)
        ...
        flask.redirect(<... $V ...>, ...)
    - pattern: |
        $V = flask.request.$W[...]
        ...
        flask.redirect(<... $V ...>, ...)
    - pattern: |
        $V = flask.request.$W(...)
        ...
        flask.redirect(<... $V ...>, ...)
    - pattern: |
        $V = flask.request.$W
        ...
        flask.redirect(<... $V ...>, ...)
  severity: ERROR
- id: python.flask.security.unescaped-template-extension.unescaped-template-extension
  languages:
  - python
  message: Flask does not automatically escape Jinja templates unless they have .html,
    .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm,
    .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup
    for more information.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup
    - https://blog.r2c.dev/2020/bento-check-unescaped-template-extensions-in-flask/
    - https://bento.dev/checks/flask/unescaped-file-extension/
    shortlink: https://sg.run/x1Rg
    source: https://semgrep.dev/r/python.flask.security.unescaped-template-extension.unescaped-template-extension
    source-rule-url: https://pypi.org/project/flake8-flask/
    technology:
    - flask
  patterns:
  - pattern-not: flask.render_template("=~/.+\.html$/", ...)
  - pattern-not: flask.render_template("=~/.+\.xml$/", ...)
  - pattern-not: flask.render_template("=~/.+\.htm$/", ...)
  - pattern-not: flask.render_template("=~/.+\.xhtml$/", ...)
  - pattern-not: flask.render_template($X + "=~/\.html$/", ...)
  - pattern-not: flask.render_template($X + "=~/\.xml$/", ...)
  - pattern-not: flask.render_template($X + "=~/\.htm$/", ...)
  - pattern-not: flask.render_template($X + "=~/\.xhtml$/", ...)
  - pattern-not: flask.render_template("=~/.+\.html$/" % $X, ...)
  - pattern-not: flask.render_template("=~/.+\.xml$/" % $X, ...)
  - pattern-not: flask.render_template("=~/.+\.htm$/" % $X, ...)
  - pattern-not: flask.render_template("=~/.+\.xhtml$/" % $X, ...)
  - pattern-not: flask.render_template("=~/.+\.html$/".format(...), ...)
  - pattern-not: flask.render_template("=~/.+\.xml$/".format(...), ...)
  - pattern-not: flask.render_template("=~/.+\.htm$/".format(...), ...)
  - pattern-not: flask.render_template("=~/.+\.xhtml$/".format(...), ...)
  - pattern-not: flask.render_template($TEMPLATE)
  - pattern-either:
    - pattern: flask.render_template("...", ...)
    - pattern: flask.render_template($X + "...", ...)
    - pattern: flask.render_template("..." % $Y, ...)
    - pattern: flask.render_template("...".format(...), ...)
  severity: WARNING
- id: python.flask.security.unsanitized-input.response-contains-unsanitized-input
  languages:
  - python
  message: Flask response reflects unsanitized user input. This could lead to a cross-site
    scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which
    an attacker causes arbitrary code to be executed in the user's browser. To prevent,
    please sanitize the user input, e.g. by rendering the response in a Jinja2 template
    (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/).
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://flask.palletsprojects.com/en/1.0.x/security/
    - https://owasp.org/www-community/attacks/xss/
    shortlink: https://sg.run/OPGn
    source: https://semgrep.dev/r/python.flask.security.unsanitized-input.response-contains-unsanitized-input
    technology:
    - flask
  pattern-either:
  - pattern: |
      $X = flask.request.args.get(...)
      ...
      flask.make_response("...".format($X))
  - pattern: |
      $X = flask.request.args.get(...)
      ...
      flask.make_response(f"...{$X}...")
  - pattern: |
      $X = flask.request.args.get(...)
      ...
      flask.make_response(f"...{$X}")
  - pattern: |
      $X = flask.request.args.get(...)
      ...
      flask.make_response(f"{$X}...")
  severity: WARNING
- id: python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2
  languages:
  - python
  message: Detected direct use of jinja2. If not done properly, this may bypass HTML
    escaping which opens up the application to cross-site scripting (XSS) vulnerabilities.
    Prefer using the Flask method 'render_template()' and templates with a '.html'
    extension in order to prevent XSS.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://jinja.palletsprojects.com/en/2.11.x/api/#basics
    shortlink: https://sg.run/RoKe
    source: https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2
    technology:
    - flask
  pattern-either:
  - pattern: jinja2.Environment(...)
  - pattern: jinja2.Template.render(...)
  - patterns:
    - pattern-inside: |
        $TEMPLATE = $ENV.get_template(...)
        ...
    - pattern: $TEMPLATE.render(...)
  - patterns:
    - pattern-inside: |
        $TEMPLATE = jinja2.Template(...)
        ...
    - pattern: $TEMPLATE.render(...)
  severity: WARNING
- id: python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off
  languages:
  - regex
  message: Detected a segment of a Flask template where autoescaping is explicitly
    disabled with '{% autoescape off %}'. This allows rendering of raw HTML in this
    segment. Ensure no user data is rendered here, otherwise this is a cross-site
    scripting (XSS) vulnerability, or turn autoescape on.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://flask.palletsprojects.com/en/1.1.x/templating/#controlling-autoescaping
    - https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup
    shortlink: https://sg.run/Bkn2
    source: https://semgrep.dev/r/python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off
    technology:
    - flask
  paths:
    include:
    - '*.html'
  pattern-regex: '{%\s*autoescape\s+false\s*%}'
  severity: WARNING
- id: python.flask.security.xss.audit.template-href-var.template-href-var
  languages:
  - generic
  message: Detected a template variable used in an anchor tag with the 'href' attribute.
    This allows a malicious actor to input the 'javascript:' URI and is subject to
    cross- site scripting (XSS) attacks. Use 'url_for()' to safely generate a URL.
    You may also consider setting the Content Security Policy (CSP) header.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss
    - https://content-security-policy.com/
    shortlink: https://sg.run/Do7o
    source: https://semgrep.dev/r/python.flask.security.xss.audit.template-href-var.template-href-var
    technology:
    - flask
  paths:
    include:
    - '*.html'
  patterns:
  - pattern-inside: <a ...>
  - pattern-either:
    - pattern: href = {{ ... }}
    - pattern: href = "{{ ... }}"
    - pattern: href = '{{ ... }}'
  - pattern-not-inside: href = {{ url_for(...) ... }}
  - pattern-not-inside: href = "{{ url_for(...) ... }}"
  - pattern-not-inside: href = '{{ url_for(...) ... }}'
  severity: WARNING
- id: python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe
  languages:
  - regex
  message: Detected a segment of a Flask template where autoescaping is explicitly
    disabled with '| safe' filter. This allows rendering of raw HTML in this segment.
    Ensure no user data is rendered here, otherwise this is a cross-site scripting
    (XSS) vulnerability.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss
    shortlink: https://sg.run/W8og
    source: https://semgrep.dev/r/python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe
    technology:
    - flask
  paths:
    include:
    - '*.html'
  pattern-regex: '{{.*?\|\s*safe(\s*}})?'
  severity: WARNING
- fix-regex:
    regex: '{{(.*?)}}'
    replacement: '"{{\1}}"'
  id: python.flask.security.xss.audit.template-unquoted-attribute-var.template-unquoted-attribute-var
  languages:
  - generic
  message: 'Detected a unquoted template variable as an attribute. If unquoted, a
    malicious actor could inject custom JavaScript handlers. To fix this, add quotes
    around the template expression, like this: "{{ expr }}".'
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss
    shortlink: https://sg.run/0Qp5
    source: https://semgrep.dev/r/python.flask.security.xss.audit.template-unquoted-attribute-var.template-unquoted-attribute-var
    technology:
    - flask
  paths:
    include:
    - '*.html'
  patterns:
  - pattern-inside: <$TAG ...>
  - pattern-not-inside: ="..."
  - pattern-not-inside: ='...'
  - pattern: '{{ ... }}'
  severity: WARNING
- fix: ''
  id: python.lang.correctness.concurrent.uncaught-executor-exceptions
  languages:
  - python
  message: 'Values returned by thread pool map must be read in order to raise exceptions.
    Consider using `for _ in $EXECUTOR.map(...): pass`.'
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/Av48
    source: https://semgrep.dev/r/python.lang.correctness.concurrent.uncaught-executor-exceptions
    technology:
    - python
  patterns:
  - pattern-inside: |
      with concurrent.futures.thread.ThreadPoolExecutor(...) as $EXECUTOR:
        ...
  - pattern-not-inside: |
      $VAR = $EXECUTOR.map(...)
      ...
      for ... in $VAR:
        ...
  - pattern-not-inside: |
      $VAR = $EXECUTOR.map(...)
      ...
      [... for ... in $VAR]
  - pattern-not-inside: |
      [... for ... in $EXECUTOR.map(...)]
  - pattern-not-inside: |
      for $IT in $EXECUTOR.map(...):
        ...
  - pattern: $EXECUTOR.map(...)
  severity: WARNING
- id: python.lang.correctness.dict-modify-iterating.dict-del-while-iterate
  languages:
  - python
  message: 'It appears that `$DICT[$KEY]` is a dict with items being deleted while
    in a for loop. This is usually a bad idea and will likely lead to a RuntimeError:
    dictionary changed size during iteration'
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    references:
    - https://docs.python.org/3/library/stdtypes.html#dictionary-view-objects
    shortlink: https://sg.run/BkP2
    source: https://semgrep.dev/r/python.lang.correctness.dict-modify-iterating.dict-del-while-iterate
    technology:
    - python
  pattern-either:
  - pattern: |
      for $KEY, $VALUE in $DICT.items():
          ...
          del $DICT[$KEY]
  - pattern: |
      for $KEY in $DICT.keys():
          ...
          del $DICT[$KEY]
  severity: WARNING
- id: python.lang.correctness.exceptions.exceptions.raise-not-base-exception
  languages:
  - python
  message: In Python3, a runtime `TypeError` will be thrown if you attempt to raise
    an object or class which does not inherit from `BaseException`
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/qxAz
    source: https://semgrep.dev/r/python.lang.correctness.exceptions.exceptions.raise-not-base-exception
    technology:
    - python
  pattern-either:
  - pattern: raise "..."
  - pattern: |
      $X: BaseException
      raise $X(...)
  - patterns:
    - pattern: raise $EXCEPTION
    - metavariable-regex:
        metavariable: $EXCEPTION
        regex: '[0-9]*\.?[0-9]+'
  severity: ERROR
- id: python.lang.correctness.file-object-redefined-before-close.file-object-redefined-before-close
  languages:
  - python
  message: Detected a file object that is redefined and never closed. This could leak
    file descriptors and unnecessarily consume system resources.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/W81g
    source: https://semgrep.dev/r/python.lang.correctness.file-object-redefined-before-close.file-object-redefined-before-close
    technology:
    - python
  patterns:
  - pattern: |
      $F = open($X, ...)
      ...
      $F = open($Y, ...)
  - pattern-not: |
      $F = open($X, ...)
      ...
      $F.close()
      ...
      $F = open($Y, ...)
  severity: WARNING
- id: python.lang.correctness.list-modify-iterating.list-modify-while-iterate
  languages:
  - python
  message: It appears that `$LIST` is a list that is being modified while in a for
    loop. This will likely cause a runtime error or an infinite loop.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/0Qr5
    source: https://semgrep.dev/r/python.lang.correctness.list-modify-iterating.list-modify-while-iterate
    technology:
    - python
  pattern-either:
  - pattern: |
      for $ELEMENT in $LIST:
        ...
        $LIST.pop(...)
  - pattern: |
      for $ELEMENT in $LIST:
        ...
        $LIST.push(...)
  - pattern: |
      for $ELEMENT in $LIST:
        ...
        $LIST.append(...)
  - pattern: |
      for $ELEMENT in $LIST:
        ...
        $LIST.extend(...)
  severity: ERROR
- id: python.lang.correctness.pdb.pdb-remove
  languages:
  - python
  message: pdb is an interactive debugging tool and you may have forgotten to remove
    it before committing your code
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/Kl0X
    source: https://semgrep.dev/r/python.lang.correctness.pdb.pdb-remove
    technology:
    - python
  pattern-either:
  - pattern: pdb.$X(...)
  - pattern: pdb.Pdb.$X(...)
  severity: WARNING
- id: python.lang.correctness.tempfile.flush.tempfile-without-flush
  languages:
  - python
  message: Using '$F.name' without '.flush()' or '.close()' may cause an error because
    the file may not exist when '$F.name' is used. Use '.flush()' or close the file
    before using '$F.name'.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/l23y
    source: https://semgrep.dev/r/python.lang.correctness.tempfile.flush.tempfile-without-flush
    technology:
    - python
  pattern-either:
  - patterns:
    - pattern-not-inside: |
        $F = tempfile.NamedTemporaryFile(...)
        ...
        $F.write(...)
        ...
        $F.flush()
        ...
        $F.name
    - pattern-not-inside: |
        $F = tempfile.NamedTemporaryFile(...)
        ...
        $F.write(...)
        ...
        $F.close()
        ...
        $F.name
    - pattern-not-inside: |
        $F = tempfile.NamedTemporaryFile(..., delete=False, ...)
        ...
        $F.close()
        ...
        $F.name
    - pattern-inside: |
        $F = tempfile.NamedTemporaryFile(...)
        ...
    - pattern: |
        $F.name
  - patterns:
    - pattern-not-inside: |
        with tempfile.NamedTemporaryFile(...) as $F:
            ...
            $F.write(...)
            ...
            $F.flush()
            ...
            $F.name
    - pattern-not-inside: |
        with tempfile.NamedTemporaryFile(...) as $F:
            ...
            $F.write(...)
            ...
            $F.close()
            ...
            $F.name
    - pattern-not-inside: |
        with tempfile.NamedTemporaryFile(...) as $F:
            ...
            $MODULE.dump(..., $F, ...)
            ...
            $F.flush()
            ...
            $F.name
    - pattern-not-inside: |
        with tempfile.NamedTemporaryFile(...) as $F:
            ...
            $MODULE.dump(..., $F, ...)
            ...
            $F.close()
            ...
            $F.name
    - pattern-inside: |
        with tempfile.NamedTemporaryFile(...) as $F:
            ...
    - pattern: |
        $F.name
  severity: ERROR
- id: python.lang.correctness.tempfile.mktemp.tempfile-insecure
  languages:
  - python
  message: 'Use tempfile.NamedTemporaryFile instead. From the official Python documentation:
    THIS FUNCTION IS UNSAFE AND SHOULD NOT BE USED. The file name may refer to a file
    that did not exist at some point, but by the time you get around to creating it,
    someone else may have beaten you to the punch.'
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/Yvye
    source: https://semgrep.dev/r/python.lang.correctness.tempfile.mktemp.tempfile-insecure
    technology:
    - python
  pattern: tempfile.mktemp(...)
  severity: ERROR
- fix: subprocess.check_call(...)
  id: python.lang.correctness.unchecked-returns.unchecked-subprocess-call
  languages:
  - python
  message: This is not checking the return value of this subprocess call; if it fails
    no exception will be raised. Consider subprocess.check_call() instead
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/J9Ww
    source: https://semgrep.dev/r/python.lang.correctness.unchecked-returns.unchecked-subprocess-call
    technology:
    - python
  patterns:
  - pattern: subprocess.call(...)
  - pattern-not-inside: $S = subprocess.call(...)
  - pattern-not-inside: subprocess.call(...) == $X
  - pattern-not-inside: return subprocess.call(...)
  severity: WARNING
- id: python.lang.correctness.useless-comparison.no-strings-as-booleans
  languages:
  - python
  message: Using strings as booleans in Python has unexpected results. `"one" and
    "two"` will return "two". `"one" or "two"` will return "one". In Python, strings
    are truthy, and strings with a non-zero length evaluate to True.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/5QxA
    source: https://semgrep.dev/r/python.lang.correctness.useless-comparison.no-strings-as-booleans
    technology:
    - python
  pattern-either:
  - pattern: |
      if <... "..." and ... ...>:
          ...
  - pattern: |
      if <... "..." or ... ...>:
          ...
  - patterns:
    - pattern-not: |
        if $X in "...":
          ...
    - pattern: |
        if "...":
            ...
  severity: ERROR
- id: python.lang.correctness.writing-to-file-in-read-mode.writing-to-file-in-read-mode
  languages:
  - python
  message: The file object '$FD' was opened in read mode, but is being written to.
    This will cause a runtime error.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/RozO
    source: https://semgrep.dev/r/python.lang.correctness.writing-to-file-in-read-mode.writing-to-file-in-read-mode
    technology:
    - python
  patterns:
  - pattern-either:
    - pattern-inside: |
        $FD = open($NAME, "r", ...)
        ...
    - pattern-inside: |
        $FD = open($NAME, "rb", ...)
        ...
    - pattern-inside: |
        with open($NAME, "r", ...) as $FD:
          ...
    - pattern-inside: |
        with open($NAME, "rb", ...) as $FD:
          ...
  - pattern: $FD.write(...)
  severity: ERROR
- id: python.lang.security.audit.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp
  languages:
  - python
  message: Found dynamic content in `run_in_subinterp`. This is dangerous if external
    data can reach this function call because it allows a malicious actor to run arbitrary
    Python code. Ensure no external data reaches here.
  metadata:
    category: security
    cwe: 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
      (''Eval Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    shortlink: https://sg.run/brXZ
    source: https://semgrep.dev/r/python.lang.security.audit.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp
    technology:
    - python
  patterns:
  - pattern-either:
    - pattern: |
        _testcapi.run_in_subinterp($PAYLOAD, ...)
    - pattern: |
        test.support.run_in_subinterp($PAYLOAD, ...)
  - pattern-not: |
      _testcapi.run_in_subinterp("...", ...)
  - pattern-not: |
      test.support.run_in_subinterp("...", ...)
  severity: WARNING
- id: python.lang.security.audit.formatted-sql-query.formatted-sql-query
  languages:
  - python
  message: Detected possible formatted SQL query. Use parameterized queries instead.
  metadata:
    category: security
    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
      (''SQL Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://stackoverflow.com/questions/775296/mysql-parameterized-queries
    shortlink: https://sg.run/EkWw
    source: https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query
    technology:
    - python
  pattern-either:
  - pattern: $DB.execute("..." % ...)
  - pattern: $DB.execute("...".format(...))
  - pattern: $DB.execute(f"...")
  - patterns:
    - pattern-either:
      - pattern-inside: |
          $SQL = "..." % ...
          ...
      - pattern-inside: |
          $SQL = "...".format(...)
          ...
      - pattern-inside: |
          $SQL = f"...{$X}..."
          ...
    - pattern: $DB.execute($SQL)
  severity: WARNING
- id: python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument
  languages:
  - python
  message: Hardcoded password is used as a default argument to '$FUNC'. This could
    be dangerous if a real password is not supplied.
  metadata:
    category: security
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/Lw9r
    source: https://semgrep.dev/r/python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument
    technology:
    - python
  pattern: |
    def $FUNC(..., password="...", ...):
      ...
  severity: WARNING
- id: python.lang.security.audit.httpsconnection-detected.httpsconnection-detected
  languages:
  - python
  message: The HTTPSConnection API has changed frequently with minor releases of Python.
    Ensure you are using the API for your version of Python securely. For example,
    Python 3 versions prior to 3.4.3 will not verify SSL certificates by default.
    See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection
    for more information.
  metadata:
    category: security
    cwe: 'CWE-295: Improper Certificate Validation'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    references:
    - https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection
    shortlink: https://sg.run/8yby
    source: https://semgrep.dev/r/python.lang.security.audit.httpsconnection-detected.httpsconnection-detected
    technology:
    - python
  pattern-either:
  - pattern: httplib.HTTPSConnection(...)
  - pattern: http.client.HTTPSConnection(...)
  - pattern: six.moves.http_client.HTTPSConnection(...)
  severity: WARNING
- id: python.lang.security.audit.mako-templates-detected.mako-templates-detected
  languages:
  - python
  message: Mako templates do not provide a global HTML escaping mechanism. This means
    you must escape all sensitive data in your templates using '| u' for URL escaping
    or '| h' for HTML escaping. If you are using Mako to serve web content, consider
    using a system such as Jinja2 which enables global escaping.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping
    - https://jinja.palletsprojects.com/en/2.11.x/intro/#
    shortlink: https://sg.run/Q5v4
    source: https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected
    source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/mako_templates.py
    technology:
    - mako
  pattern: mako.template.Template(...)
  severity: INFO
- id: python.lang.security.audit.marshal.marshal-usage
  languages:
  - python
  message: 'The marshal module is not intended to be secure against erroneous or maliciously
    constructed data. Never unmarshal data received from an untrusted or unauthenticated
    source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security'
  metadata:
    category: security
    cwe: 'CWE-502: Deserialization of Untrusted Data'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A8: Insecure Deserialization'
    references:
    - https://docs.python.org/3/library/marshal.html?highlight=security
    shortlink: https://sg.run/3xor
    source: https://semgrep.dev/r/python.lang.security.audit.marshal.marshal-usage
    technology:
    - python
  pattern-either:
  - pattern: marshal.dump(...)
  - pattern: marshal.dumps(...)
  - pattern: marshal.load(...)
  - pattern: marshal.loads(...)
  severity: WARNING
- id: python.lang.security.audit.network.http-not-https-connection.http-not-https-connection
  languages:
  - python
  message: Detected HTTPConnectionPool. This will transmit data in cleartext. It is
    recommended to use HTTPSConnectionPool instead for to encrypt communications.
  metadata:
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://urllib3.readthedocs.io/en/1.2.1/pools.html#urllib3.connectionpool.HTTPSConnectionPool
    shortlink: https://sg.run/N4Np
    source: https://semgrep.dev/r/python.lang.security.audit.network.http-not-https-connection.http-not-https-connection
    technology:
    - python
  pattern-either:
  - pattern: urllib3.HTTPConnectionPool(...)
  - pattern: urllib3.connectionpool.HTTPConnectionPool(...)
  severity: ERROR
- id: python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key
  languages:
  - python
  message: Detected a paramiko host key policy that implicitly trusts a server's host
    key. Host keys should be verified to ensure the connection is not to a malicious
    server. Use RejectPolicy or a custom subclass instead.
  metadata:
    category: security
    cwe: 'CWE-322: Key Exchange without Entity Authentication'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.AutoAddPolicy
    shortlink: https://sg.run/4xpl
    source: https://semgrep.dev/r/python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key
    source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/ssh_no_host_key_verification.py
    technology:
    - paramiko
  patterns:
  - pattern-inside: |
      $CLIENT = paramiko.client.SSHClient(...)
      ...
      $CLIENT.set_missing_host_key_policy(...)
  - pattern-either:
    - pattern: paramiko.client.AutoAddPolicy
    - pattern: paramiko.client.WarningPolicy
  severity: WARNING
- id: python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli
  languages:
  - python
  message: 'Detected string concatenation with a non-literal variable in a pg8000
    Python SQL statement. This could lead to SQL injection if the variable is user-controlled
    and not properly sanitized. In order to prevent SQL injection, used parameterized
    queries or prepared statements instead. You can create parameterized queries like
    so: ''conn.run("SELECT :value FROM table", value=myvalue)''. You can also create
    prepared statements with ''conn.prepare'': ''conn.prepare("SELECT (:v) FROM table")'''
  metadata:
    category: security
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    references:
    - https://github.com/tlocke/pg8000
    shortlink: https://sg.run/KWAL
    source: https://semgrep.dev/r/python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli
    technology:
    - pg8000
  patterns:
  - pattern-either:
    - patterns:
      - pattern: $CONN.$METHOD(...,$QUERY,...)
      - pattern-either:
        - pattern-inside: |
            $QUERY = $X + $Y
            ...
        - pattern-inside: |
            $QUERY += $X
            ...
        - pattern-inside: |
            $QUERY = '...'.format(...)
            ...
        - pattern-inside: |
            $QUERY = '...' % (...)
            ...
        - pattern-inside: |
            $QUERY = f'...{$USERINPUT}...'
            ...
      - pattern-not-inside: |
          $QUERY += "..."
          ...
      - pattern-not-inside: |
          $QUERY = "..." + "..."
          ...
      - pattern-not-inside: |
          $QUERY = '...'.format()
          ...
      - pattern-not-inside: |
          $QUERY = '...' % ()
          ...
    - pattern: $CONN.$METHOD(..., $X + $Y, ...)
    - pattern: $CONN.$METHOD(..., '...'.format(...), ...)
    - pattern: $CONN.$METHOD(..., '...' % (...), ...)
    - pattern: $CONN.$METHOD(..., f'...{$USERINPUT}...', ...)
  - pattern-either:
    - pattern-inside: |
        $CONN = pg8000.native.Connection(...)
        ...
    - pattern-inside: |
        $CONN = pg8000.dhapi.connect(...)
        ...
    - pattern-inside: |
        $CONN1 = pg8000.connect(...)
        ...
        $CONN = $CONN1.cursor(...)
        ...
    - pattern-inside: |
        $CONN = pg8000.connect(...)
        ...
  - pattern-not: $CONN.$METHOD(..., "..." + "...", ...)
  - pattern-not: $CONN.$METHOD(..., '...'.format(), ...)
  - pattern-not: $CONN.$METHOD(..., '...'%(), ...)
  - metavariable-regex:
      metavariable: $METHOD
      regex: ^(run|execute|executemany|prepare)$
  severity: WARNING
- id: python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli
  languages:
  - python
  message: 'Detected string concatenation with a non-literal variable in a psycopg2
    Python SQL statement. This could lead to SQL injection if the variable is user-controlled
    and not properly sanitized. In order to prevent SQL injection, used parameterized
    queries or prepared statements instead. You can use prepared statements by creating
    a ''sql.SQL'' string. You can also use the pyformat binding style to create parameterized
    queries. For example: ''cur.execute(SELECT * FROM table WHERE name=%s, user_input)'''
  metadata:
    category: security
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    references:
    - https://www.psycopg.org/docs/sql.html
    shortlink: https://sg.run/qrLe
    source: https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli
    technology:
    - psycopg
  patterns:
  - pattern-either:
    - patterns:
      - pattern: $CUR.$METHOD(...,$QUERY,...)
      - pattern-either:
        - pattern-inside: |
            $QUERY = $X + $Y
            ...
        - pattern-inside: |
            $QUERY += $X
            ...
        - pattern-inside: |
            $QUERY = '...'.format(...)
            ...
        - pattern-inside: |
            $QUERY = '...' % (...)
            ...
        - pattern-inside: |
            $QUERY = f'...{$USERINPUT}...'
            ...
      - pattern-not-inside: |
          $QUERY += "..."
          ...
      - pattern-not-inside: |
          $QUERY = "..." + "..."
          ...
      - pattern-not-inside: |
          $QUERY = '...'.format()
          ...
      - pattern-not-inside: |
          $QUERY = '...' % ()
          ...
    - pattern: $CUR.$METHOD(..., $X + $Y, ...)
    - pattern: $CUR.$METHOD(..., '...'.format(...), ...)
    - pattern: $CUR.$METHOD(..., '...' % (...), ...)
    - pattern: $CUR.$METHOD(..., f'...{$USERINPUT}...', ...)
  - pattern-either:
    - pattern-inside: |
        $CONN = psycopg2.connect(...)
        ...
        $CUR = $CONN.cursor(...)
        ...
    - pattern-inside: |
        $CONN = psycopg2.connect(...)
        ...
        with $CONN.cursor(...) as $CUR:
          ...
  - pattern-not: $CUR.$METHOD(..., "..." + "...", ...)
  - pattern-not: $CUR.$METHOD(..., '...'.format(), ...)
  - pattern-not: $CUR.$METHOD(..., '...'%(), ...)
  - metavariable-regex:
      metavariable: $METHOD
      regex: ^(execute|executemany|mogrify)$
  severity: WARNING
- fix: sys.exit($X)
  id: python.lang.correctness.exit.use-sys-exit
  languages:
  - python
  message: Use `sys.exit` over the python shell `exit` built-in. `exit` is a helper
    for the interactive shell and may not be available on all Python implementations.
    https://stackoverflow.com/questions/6501121/difference-between-exit-and-sys-exit-in-python
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/Do5o
    source: https://semgrep.dev/r/python.lang.correctness.exit.use-sys-exit
    technology:
    - python
  patterns:
  - pattern: exit($X)
  - pattern-not: sys.exit($X)
  severity: WARNING
- id: python.lang.correctness.return-in-init.return-in-init
  languages:
  - python
  message: '`return` should never appear inside a class __init__ function. This will
    cause a runtime error.'
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/4xwl
    source: https://semgrep.dev/r/python.lang.correctness.return-in-init.return-in-init
    technology:
    - python
  patterns:
  - pattern-inside: |
      class $A(...):
          ...
  - pattern-inside: |
      def __init__(...):
          ...
  - pattern-not-inside: |
      def __init__(...):
          ...
          def $F(...):
              ...
  - patterns:
    - pattern: return ...
    - pattern-not: return
    - pattern-not: return None
  severity: ERROR
- id: python.attr.correctness.mutable-initializer.attr-mutable-initializer
  languages:
  - python
  message: 'Unsafe usage of mutable initializer with attr.s decorator. Multiple instances
    of this class will re-use the same data structure, which is likely not the desired
    behavior. Consider instead: replace assignment to mutable initializer (ex. dict()
    or {}) with attr.ib(factory=type) where type is dict, set, or list'
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/EkQN
    source: https://semgrep.dev/r/python.attr.correctness.mutable-initializer.attr-mutable-initializer
    technology:
    - attr
  patterns:
  - pattern-not-inside: |
      def $Y(...):
        ...
  - pattern-not-inside: |
      def $Y(...) -> $TYPE:
        ...
  - pattern-either:
    - pattern-inside: |
        @attr.s(...,auto_attribs=True, ...)
        class $X(...):
          ...
    - pattern-inside: |
        @attrs.define
        class $X(...):
          ...
  - pattern-either:
    - pattern: |
        $M = {...}
    - pattern: $M = [...]
    - pattern: $M = list(...)
    - pattern: $M = set(...)
    - pattern: $M = dict(...)
  severity: WARNING
- id: python.django.best-practice.use-onetoonefield.use-onetoonefield
  languages:
  - python
  message: Use 'django.db.models.OneToOneField' instead of 'ForeignKey' with unique=True.
    'OneToOneField' is used to create one-to-one relationships.
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/W8Q2
    source: https://semgrep.dev/r/python.django.best-practice.use-onetoonefield.use-onetoonefield
    technology:
    - django
  patterns:
  - pattern-inside: |
      class $M(...):
        ...
  - pattern: $F = django.db.models.ForeignKey(..., unique=True, ...)
  severity: WARNING
- id: python.django.correctness.string-field-null-checks.no-null-string-field
  languages:
  - python
  message: 'Avoid using null on string-based fields such as CharField and TextField.
    If a string-based field has null=True, that means it has two possible values for
    "no data": NULL, and the empty string. In most cases, it''s redundant to have
    two possible values for "no data;" the Django convention is to use the empty string,
    not NULL.'
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/zvKd
    source: https://semgrep.dev/r/python.django.correctness.string-field-null-checks.no-null-string-field
    technology:
    - django
  patterns:
  - pattern-inside: |
      class $M(...):
        ...
  - pattern-not: $F = django.db.models.CharField(..., null=True, unique=True, blank=True,
      ...)
  - pattern-not: $F = django.db.models.TextField(..., null=True, unique=True, blank=True,
      ...)
  - pattern-either:
    - pattern: $F = django.db.models.CharField(..., null=True, ...)
    - pattern: $F = django.db.models.TextField(..., null=True, ...)
  severity: WARNING
- id: python.flask.best-practice.get-class-method-with-side-effects.flask-class-method-get-side-effects
  languages:
  - python
  message: Flask class method GET with side effects
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/2x6D
    source: https://semgrep.dev/r/python.flask.best-practice.get-class-method-with-side-effects.flask-class-method-get-side-effects
    technology:
    - flask
  patterns:
  - pattern-either:
    - pattern: |
        def get(self,...):
            ...
            $METHOD(...)
    - pattern: |
        def get(self,...):
            ...
            $VAR = $METHOD(...)
  - metavariable-regex:
      metavariable: $METHOD
      regex: (?i)(create|update|delete).*
  severity: WARNING
- id: python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup
  languages:
  - python
  message: Detected explicitly unescaped content using 'Markup()'. This permits the
    unescaped data to include unescaped HTML which could result in cross-site scripting.
    Ensure this data is not externally controlled, or consider rewriting to not use
    'Markup()'.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://tedboy.github.io/flask/generated/generated/flask.Markup.html
    shortlink: https://sg.run/AvZ8
    source: https://semgrep.dev/r/python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup
    technology:
    - flask
  pattern-either:
  - pattern: flask.Markup(...)
  - pattern: flask.Markup.unescape(...)
  - pattern: markupsafe.Markup(...)
  - pattern: $MARKUPOBJ.unescape()
  severity: WARNING
- id: python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials
  languages:
  - python
  message: Password is exposed through JWT token payload. This is not encrypted and
    the password could be compromised. Do not store passwords in JWT tokens.
  metadata:
    category: security
    cwe: 'CWE-522: Insufficiently Protected Credentials'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A2: Broken Authentication'
    references:
    - https://cwe.mitre.org/data/definitions/522.html
    shortlink: https://sg.run/qxPy
    source: https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials
    source-rule-url: https://r2c.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
    technology:
    - jwt
  pattern-either:
  - pattern: |
      jwt.encode({...,"password":$P,...},...)
  - pattern: |
      $PAYLOAD = {...,"password":$P,...}
      ...
      jwt.encode($PAYLOAD,...)
  severity: ERROR
- id: python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret
  languages:
  - python
  message: 'Hardcoded JWT secret or private key is used. This is a Insufficiently
    Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html
    Consider using an appropriate security mechanism to protect the credentials (e.g.
    keeping secrets in environment variables)'
  metadata:
    category: security
    cwe: 'CWE-522: Insufficiently Protected Credentials'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A2: Broken Authentication'
    shortlink: https://sg.run/l2E9
    source: https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret
    source-rule-url: https://r2c.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
    technology:
    - jwt
  pattern-either:
  - pattern: |
      jwt.encode($X, "...", ...)
  - pattern: |
      $SECRET = "..."
      ...
      jwt.encode($X, $SECRET, ...)
  severity: ERROR
- fix-regex:
    regex: (verify\s*=\s*)False
    replacement: \1True
  id: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode
  languages:
  - python
  message: Detected JWT token decoded with 'verify=False'. This bypasses any integrity
    checks for the token which means the token could be tampered with by malicious
    actors. Ensure that the JWT token is verified.
  metadata:
    category: security
    cwe: 'CWE-287: Improper Authentication'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A2: Broken Authentication'
    references:
    - https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96
    shortlink: https://sg.run/6nyB
    source: https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode
    technology:
    - jwt
  pattern: |
    jwt.decode(..., verify=False, ...)
  severity: ERROR
- fix-regex:
    regex: FTP(.*)\)
    replacement: FTP_TLS\1, context=ssl.create_default_context())
  id: python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls
  languages:
  - python
  message: The 'FTP' class sends information unencrypted. Consider using the 'FTP_TLS'
    class instead.
  metadata:
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/ftplib.html#ftplib.FTP_TLS
    shortlink: https://sg.run/AvPp
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls
    technology:
    - ftplib
  pattern: ftplib.FTP(...)
  severity: WARNING
- fix-regex:
    count: 1
    regex: '[Hh][Tt][Tt][Pp]://'
    replacement: https://
  id: python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context
  languages:
  - python
  message: Detected a request using 'http://'. This request will be unencrypted. Use
    'https://' instead.
  metadata:
    asvs:
      control_id: 9.2.1 Weak TLS
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements
      section: V9 Communications Verification Requirements
      version: '4'
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    shortlink: https://sg.run/Bk5W
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context
    technology:
    - requests
  patterns:
  - pattern-inside: |
      with requests.Session(...) as $SESSION:
        ...
  - pattern-either:
    - pattern: $SESSION.$W("=~/[Hh][Tt][Tt][Pp]://.*/", ...)
    - pattern: $SESSION.request($METHOD, "=~/[Hh][Tt][Tt][Pp]://.*/", ...)
    - patterns:
      - pattern-inside: |
          $URL =  "=~/[Hh][Tt][Tt][Pp]://.*/"
          ...
      - pattern-either:
        - pattern: $SESSION.$W($URL, ...)
        - pattern: $SESSION.request($METHOD, $URL, ...)
  severity: ERROR
- fix-regex:
    count: 1
    regex: '[Hh][Tt][Tt][Pp]://'
    replacement: https://
  id: python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http
  languages:
  - python
  message: Detected a request using 'http://'. This request will be unencrypted. Use
    'https://' instead.
  metadata:
    asvs:
      control_id: 9.2.1 Weak TLS
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements
      section: V9 Communications Verification Requirements
      version: '4'
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    shortlink: https://sg.run/DoBY
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http
    technology:
    - requests
  pattern-either:
  - pattern: |
      def $FUNC(..., $URL = "=~/[Hh][Tt][Tt][Pp]:\/\/.*/", ...):
        ...
        $SESSION = requests.Session(...)
        ...
        $SESSION.$W($URL, ...)
  - pattern: |
      def $FUNC(..., $URL = "=~/[Hh][Tt][Tt][Pp]:\/\/.*/", ...):
        ...
        $SESSION = requests.Session(...)
        ...
        $SESSION.request($METHOD, $URL, ...)
  - patterns:
    - pattern-inside: |
        $SESSION = requests.Session(...)
        ...
    - pattern-either:
      - pattern: $SESSION.$W("=~/[Hh][Tt][Tt][Pp]:\/\/.*/", ...)
      - pattern: |
          $URL = "=~/[Hh][Tt][Tt][Pp]:\/\/.*/"
          ...
          $SESSION.$W($URL, ...)
      - pattern: $SESSION.request($METHOD, "=~/[Hh][Tt][Tt][Pp]:\/\/.*/", ...)
      - pattern: |
          $URL = "=~/[Hh][Tt][Tt][Pp]:\/\/.*/"
          ...
          $SESSION.request($METHOD, $URL, ...)
  severity: ERROR
- id: python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers
  languages:
  - python
  message: The 'ssl' module disables insecure cipher suites by default. Therefore,
    use of 'set_ciphers()' should only be used when you have very specialized requirements.
    Otherwise, you risk lowering the security of the SSL channel.
  metadata:
    asvs:
      control_id: 9.1.3 Weak TLS
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements
      section: V9 Communications Verification Requirements
      version: '4'
    category: security
    cwe: 'CWE-326: Inadequate Encryption Strength'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/ssl.html#cipher-selection
    - https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers
    shortlink: https://sg.run/0Q0v
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers
    technology:
    - ssl
  pattern: $CONTEXT.set_ciphers(...)
  severity: WARNING
- id: python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp
  languages:
  - python
  message: Detected an unsecured transmission channel. 'OpenerDirector.open(...)'
    is being used with 'ftp://'. Information sent over this connection will be unencrypted.
    Consider using SFTP instead. urllib does not support SFTP, so consider a library
    which supports SFTP.
  metadata:
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open
    shortlink: https://sg.run/Klj7
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp
    technology:
    - urllib
  pattern-either:
  - pattern: urllib.request.OpenerDirector(...).open("=~/^[Ff][Tt][Pp]://.*/", ...)
  - patterns:
    - pattern-inside: |
        $OPENERDIRECTOR = urllib.request.OpenerDirector(...)
        ...
    - pattern: $OPENERDIRECTOR.open("=~/^[Ff][Tt][Pp]://.*/", ...)
  - patterns:
    - pattern-inside: |
        $OPENERDIRECTOR = urllib.request.OpenerDirector(...)
        ...
    - pattern: |
        $URL = "=~/^[Ff][Tt][Pp]://.*/"
        ...
        $OPENERDIRECTOR.open($URL, ...)
  - pattern: |
      $URL = "=~/^[Ff][Tt][Pp]://.*/"
      ...
      urllib.request.OpenerDirector(...).open($URL, ...)
  - patterns:
    - pattern-inside: |
        def $FUNC(..., $URL = "=~/^[Ff][Tt][Pp]://.*/", ...):
          ...
    - pattern-either:
      - pattern: urllib.request.OpenerDirector(...).open($URL, ...)
      - patterns:
        - pattern-inside: |
            $OPENERDIRECTOR = urllib.request.OpenerDirector(...)
            ...
        - pattern: $OPENERDIRECTOR.open($URL, ...)
  severity: WARNING
- id: python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp
  languages:
  - python
  message: Detected a 'urllib.request.Request()' object using an insecure transport
    protocol, 'ftp://'. This connection will not be encrypted. Consider using SFTP
    instead. urllib does not support SFTP natively, so consider using a library which
    supports SFTP.
  metadata:
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/urllib.request.html#urllib.request.Request
    shortlink: https://sg.run/l2Py
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp
    technology:
    - urllib
  pattern-either:
  - pattern: urllib.request.Request("=~/^[Ff][Tt][Pp]://.*/", ...)
  - pattern: |
      $URL = "=~/^[Ff][Tt][Pp]://.*/"
      ...
      urllib.request.Request($URL, ...)
  - pattern: |-
      def $FUNC(..., $URL = "=~/^[Ff][Tt][Pp]://.*/", ...):
        ...
        urllib.request.Request($URL, ...)
  severity: WARNING
- fix-regex:
    count: 1
    regex: '[Hh][Tt][Tt][Pp]://'
    replacement: https://
  id: python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object
  languages:
  - python
  message: Detected a 'urllib.request.Request()' object using an insecure transport
    protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead.
  metadata:
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/urllib.request.html#urllib.request.Request
    shortlink: https://sg.run/YvAe
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object
    technology:
    - urllib
  pattern-either:
  - pattern: urllib.request.Request("=~/[Hh][Tt][Tt][Pp]://.*/", ...)
  - pattern: |
      $URL = "=~/[Hh][Tt][Tt][Pp]://.*/"
      ...
      urllib.request.Request($URL, ...)
  - pattern: |
      def $FUNC(..., $URL = "=~/[Hh][Tt][Tt][Pp]://.*/", ...):
        ...
        urllib.request.Request($URL, ...)
  severity: WARNING
- fix-regex:
    regex: '[Hh][Tt][Tt][Pp]://'
    replacement: https://
  id: python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen
  languages:
  - python
  message: Detected 'urllib.urlopen()' using 'http://'. This request will not be encrypted.
    Use 'https://' instead.
  metadata:
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen
    shortlink: https://sg.run/oxB9
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen
    technology:
    - urllib
  pattern-either:
  - pattern: urllib.request.urlopen("=~/[Hh][Tt][Tt][Pp]://.*/", ...)
  - pattern: |
      $URL = "=~/[Hh][Tt][Tt][Pp]://.*/"
      ...
      urllib.request.urlopen($URL, ...)
  - pattern: |
      def $FUNC(..., $URL = "=~/[Hh][Tt][Tt][Pp]://.*/", ...):
        ...
        urllib.request.urlopen($URL, ...)
  severity: WARNING
- id: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp
  languages:
  - python
  message: Detected an insecure transmission channel. 'URLopener.open(...)' is being
    used with 'ftp://'. Use SFTP instead. urllib does not support SFTP, so consider
    using a library which supports SFTP.
  metadata:
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open
    shortlink: https://sg.run/zvwG
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp
    technology:
    - urllib
  pattern-either:
  - pattern: urllib.request.URLopener(...).open("=~/[Ff][Tt][Pp]://.*/", ...)
  - patterns:
    - pattern-inside: |
        $OPENERDIRECTOR = urllib.request.URLopener(...)
        ...
    - pattern: $OPENERDIRECTOR.open("=~/[Ff][Tt][Pp]://.*/", ...)
  - patterns:
    - pattern-inside: |
        $OPENERDIRECTOR = urllib.request.URLopener(...)
        ...
    - pattern: |
        $URL = "=~/[Ff][Tt][Pp]://.*/"
        ...
        $OPENERDIRECTOR.open($URL, ...)
  - pattern: |
      $URL = "=~/[Ff][Tt][Pp]://.*/"
      ...
      urllib.request.URLopener(...).open($URL, ...)
  - patterns:
    - pattern-inside: |
        def $FUNC(..., $URL = "=~/[Ff][Tt][Pp]://.*/", ...):
          ...
    - pattern-either:
      - pattern: urllib.request.URLopener(...).open($URL, ...)
      - patterns:
        - pattern-inside: |
            $OPENERDIRECTOR = urllib.request.URLopener(...)
            ...
        - pattern: $OPENERDIRECTOR.open($URL, ...)
  severity: WARNING
- fix-regex:
    count: 1
    regex: '[Hh][Tt][Tt][Pp]://'
    replacement: https://
  id: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open
  languages:
  - python
  message: Detected an unsecured transmission channel. 'URLopener.open(...)' is being
    used with 'http://'. Use 'https://' instead to secure the channel.
  metadata:
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open
    shortlink: https://sg.run/pxWg
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open
    technology:
    - urllib
  pattern-either:
  - pattern: urllib.request.URLopener(...).open("=~/[Hh][Tt][Tt][Pp]://.*/", ...)
  - patterns:
    - pattern-inside: |
        $OPENERDIRECTOR = urllib.request.URLopener(...)
        ...
    - pattern: $OPENERDIRECTOR.open("=~/[Hh][Tt][Tt][Pp]://.*/", ...)
  - patterns:
    - pattern-inside: |
        $OPENERDIRECTOR = urllib.request.URLopener(...)
        ...
    - pattern: |
        $URL = "=~/[Hh][Tt][Tt][Pp]://.*/"
        ...
        $OPENERDIRECTOR.open($URL, ...)
  - pattern: |
      $URL = "=~/[Hh][Tt][Tt][Pp]://.*/"
      ...
      urllib.request.URLopener(...).open($URL, ...)
  - patterns:
    - pattern-inside: |
        def $FUNC(..., $URL = "=~/[Hh][Tt][Tt][Pp]://.*/", ...):
          ...
    - pattern-either:
      - pattern: urllib.request.URLopener(...).open($URL, ...)
      - patterns:
        - pattern-inside: |
            $OPENERDIRECTOR = urllib.request.URLopener(...)
            ...
        - pattern: $OPENERDIRECTOR.open($URL, ...)
  severity: WARNING
- id: python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp
  languages:
  - python
  message: Detected 'urllib.urlretrieve()' using 'ftp://'. This request will not be
    encrypted. Use SFTP instead. urllib does not support SFTP, so consider switching
    to a library which supports SFTP.
  metadata:
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/urllib.request.html#urllib.request.urlretrieve
    shortlink: https://sg.run/jR8Y
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp
    technology:
    - urllib
  pattern-either:
  - pattern: urllib.request.urlretrieve("=~/^[Ff][Tt][Pp]://.*/", ...)
  - pattern: |
      $URL = "=~/^[Ff][Tt][Pp]://.*/"
      ...
      urllib.request.urlretrieve($URL, ...)
  - pattern: |-
      def $FUNC(..., $URL = "=~/^[Ff][Tt][Pp]://.*/", ...):
        ...
        urllib.request.urlretrieve($URL, ...)
  severity: WARNING
- id: python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command
  languages:
  - python
  message: Unverified SSL context detected. This will permit insecure connections
    without verifying SSL certificates. Use 'ssl.create_default_context()' instead.
  metadata:
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command
    - https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py
    shortlink: https://sg.run/kXQ7
    source: https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py
    technology:
    - paramiko
  patterns:
  - pattern-inside: |
      $CLIENT = paramiko.client.SSHClient(...)
      ...
  - pattern: $CLIENT.exec_command(...)
  - pattern-not: $CLIENT.exec_command("...", ...)
  severity: ERROR
- fix-regex:
    regex: md5
    replacement: sha256
  id: python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-md5
  languages:
  - python
  message: Detected MD5 hash algorithm which is considered insecure. MD5 is not collision
    resistant and is therefore not suitable as a cryptographic signature. Use SHA256
    or SHA3 instead.
  metadata:
    asvs:
      control_id: 6.2.2 Insecure Custom Algorithm
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
      section: V6 Stored Cryptography Verification Requirements
      version: '4'
    bandit-code: B303
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://tools.ietf.org/html/rfc6151
    - https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision
    - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html
    shortlink: https://sg.run/9odY
    source: https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-md5
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59
    technology:
    - python
  pattern: hashlib.md5(...)
  severity: WARNING
- id: python.lang.security.deserialization.pickle.avoid-shelve
  languages:
  - python
  message: Avoid using `shelve`, which uses `pickle`, which is known to lead to code
    execution vulnerabilities. When unpickling, the serialized data could be manipulated
    to run arbitrary code. Instead, consider serializing the relevant data as JSON
    or a similar text-based serialization format.
  metadata:
    category: security
    cwe: 'CWE-502: Deserialization of Untrusted Data'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A8: Insecure Deserialization'
    references:
    - https://docs.python.org/3/library/pickle.html
    shortlink: https://sg.run/dKkZ
    source: https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-shelve
    technology:
    - python
  pattern: shelve.$FUNC(...)
  severity: WARNING
- id: python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-rc2
  languages:
  - python
  message: Detected RC2 cipher algorithm which is considered insecure. The algorithm
    has known vulnerabilities and is difficult to use securely. Use AES instead.
  metadata:
    bandit-code: B304
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://security.stackexchange.com/questions/93924/is-rc2-cbc-at-all-secure
    - https://sweet32.info/
    shortlink: https://sg.run/ZvDD
    source: https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-rc2
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84
    technology:
    - pycryptodome
  pattern-either:
  - pattern: Cryptodome.Cipher.ARC2.new(...)
  - pattern: Crypto.Cipher.ARC2.new
  severity: WARNING
- id: python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-rc4
  languages:
  - python
  message: Detected RC4 cipher algorithm which is considered insecure. The algorithm
    has many known vulnerabilities. Use AES instead.
  metadata:
    bandit-code: B304
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://crypto.stackexchange.com/questions/853/google-is-using-rc4-but-isnt-rc4-considered-unsafe
    - https://sweet32.info/
    shortlink: https://sg.run/nqXX
    source: https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-rc4
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84
    technology:
    - pycryptodome
  pattern-either:
  - pattern: Cryptodome.Cipher.ARC4.new(...)
  - pattern: Crypto.Cipher.ARC4.new(...)
  severity: WARNING
- id: python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-blowfish
  languages:
  - python
  message: Detected Blowfish cipher algorithm which is considered insecure. The algorithm
    has many known vulnerabilities. Use AES instead.
  metadata:
    bandit-code: B304
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://sweet32.info/
    shortlink: https://sg.run/E5jw
    source: https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-blowfish
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84
    technology:
    - pycryptodome
  pattern-either:
  - pattern: Cryptodome.Cipher.Blowfish.new(...)
  - pattern: Crypto.Cipher.Blowfish.new(...)
  severity: WARNING
- id: python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-des
  languages:
  - python
  message: Detected DES cipher algorithm which is considered insecure. The algorithm
    is considered weak and has been deprecated. Use AES instead.
  metadata:
    bandit-code: B304
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://tools.ietf.org/html/rfc5469
    shortlink: https://sg.run/705Z
    source: https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-des
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84
    technology:
    - pycryptodome
  pattern-either:
  - pattern: Cryptodome.Cipher.DES.new(...)
  - pattern: Crypto.Cipher.DES.new(...)
  severity: WARNING
- id: python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-md2
  languages:
  - python
  message: Detected MD2 hash algorithm which is considered insecure. This algorithm
    has many known vulnerabilities and has been deprecated. Use SHA256 or SHA3 instead.
  metadata:
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://tools.ietf.org/html/rfc6149
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
    - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html
    shortlink: https://sg.run/8nqy
    source: https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-md2
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59
    technology:
    - pycryptodome
  pattern-either:
  - pattern: Crypto.Hash.MD2.new(...)
  - pattern: Cryptodome.Hash.MD2.new (...)
  severity: WARNING
- id: python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-md4
  languages:
  - python
  message: Detected MD4 hash algorithm which is considered insecure. This algorithm
    has many known vulnerabilities and has been deprecated. Use SHA256 or SHA3 instead.
  metadata:
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://tools.ietf.org/html/rfc6150
    - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html
    shortlink: https://sg.run/gJlJ
    source: https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-md4
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59
    technology:
    - pycryptodome
  pattern-either:
  - pattern: Crypto.Hash.MD4.new(...)
  - pattern: Cryptodome.Hash.MD4.new (...)
  severity: WARNING
- id: python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-md5
  languages:
  - python
  message: Detected MD5 hash algorithm which is considered insecure. MD5 is not collision
    resistant and is therefore not suitable as a cryptographic signature. Use SHA256
    or SHA3 instead.
  metadata:
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://tools.ietf.org/html/rfc6151
    - https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision
    - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html
    shortlink: https://sg.run/Q8g4
    source: https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-md5
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59
    technology:
    - pycryptodome
  pattern-either:
  - pattern: Crypto.Hash.MD5.new(...)
  - pattern: Cryptodome.Hash.MD5.new (...)
  severity: WARNING
- id: python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1
  languages:
  - python
  message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
    collision resistant and is therefore not suitable as a cryptographic signature.
    Use SHA256 or SHA3 instead.
  metadata:
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
    - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability
    - http://2012.sharcs.org/slides/stevens.pdf
    - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html
    shortlink: https://sg.run/3ALr
    source: https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59
    technology:
    - pycryptodome
  pattern-either:
  - pattern: Crypto.Hash.SHA.new(...)
  - pattern: Cryptodome.Hash.SHA.new (...)
  severity: WARNING
- fix-regex:
    regex: sha1
    replacement: sha256
  id: python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1
  languages:
  - python
  message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
    collision resistant and is therefore not suitable as a cryptographic signature.
    Use SHA256 or SHA3 instead.
  metadata:
    asvs:
      control_id: 6.2.2 Insecure Custom Algorithm
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
      section: V6 Stored Cryptography Verification Requirements
      version: '4'
    bandit-code: B303
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
    - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability
    - http://2012.sharcs.org/slides/stevens.pdf
    - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html
    shortlink: https://sg.run/ydYx
    source: https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59
    technology:
    - python
  pattern: hashlib.sha1(...)
  severity: WARNING
- fix-regex:
    regex: verify(\s)*=(\s)*False
    replacement: verify=True
  id: python.requests.security.disabled-cert-validation.disabled-cert-validation
  languages:
  - python
  message: Certificate verification has been explicitly disabled. This permits insecure
    connections to insecure servers. Re-enable certification validation.
  metadata:
    category: security
    cwe: 'CWE-295: Improper Certificate Validation'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib
    shortlink: https://sg.run/AlYp
    source: https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation
    technology:
    - requests
  pattern-either:
  - pattern: requests.put(..., verify=False, ...)
  - pattern: requests.patch(..., verify=False, ...)
  - pattern: requests.delete(..., verify=False, ...)
  - pattern: requests.head(..., verify=False, ...)
  - pattern: requests.options(..., verify=False, ...)
  - pattern: requests.request(..., verify=False, ...)
  - pattern: requests.get(..., verify=False, ...)
  - pattern: requests.post(..., verify=False, ...)
  severity: ERROR
- id: python.requests.best-practice.use-request-json-shortcut.python.requests.best-practice.use-request-json-shortcut
  languages:
  - python
  message: The requests library has a convenient shortcut for sending JSON requests,
    which lets you stop worrying about serializing the body yourself. To use it, replace
    `body=json.dumps(...)` with `json=...`.
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    references:
    - https://requests.readthedocs.io/en/stable/user/quickstart/#more-complicated-post-requests
    shortlink: https://sg.run/58YA
    source: https://semgrep.dev/r/python.requests.best-practice.use-request-json-shortcut.python.requests.best-practice.use-request-json-shortcut
    technology:
    - requests
  patterns:
  - pattern-inside: import json; ...
  - pattern-inside: import requests; ...
  - pattern: requests.$METHOD(..., body=json.dumps($BODY), ...)
  severity: WARNING
- fix: $RESP.json()
  id: python.requests.best-practice.use-response-json-shortcut.python.requests.best-practice.use-response-json-shortcut
  languages:
  - python
  message: The requests library has a convenient shortcut for reading JSON responses,
    which lets you stop worrying about deserializing the response yourself.
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    references:
    - https://requests.readthedocs.io/en/stable/user/quickstart/#json-response-content
    shortlink: https://sg.run/GW2p
    source: https://semgrep.dev/r/python.requests.best-practice.use-response-json-shortcut.python.requests.best-practice.use-response-json-shortcut
    technology:
    - requests
  patterns:
  - pattern-inside: import json; ...
  - pattern-inside: import requests; ...
  - pattern-inside: $RESP = requests.$METHOD(...); ...
  - pattern: json.loads($RESP.text)
  severity: WARNING
- fix-regex:
    regex: (.*)\)
    replacement: \1, timeout=30)
  id: python.requests.best-practice.use-timeout.use-timeout
  languages:
  - python
  message: Detected a 'requests' call without a timeout set. By default, 'requests'
    calls wait until the connection is closed. This means a 'requests' call without
    a timeout will hang the program if a response is never received. Consider setting
    a timeout for all 'requests'.
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/R8kO
    source: https://semgrep.dev/r/python.requests.best-practice.use-timeout.use-timeout
    technology:
    - requests
  patterns:
  - pattern-not: requests.$W(..., timeout=$N, ...)
  - pattern-not: requests.$W(..., **$KWARGS)
  - pattern-not: |
      $SESSION = requests.Session(...)
      ...
      $SESSION.$W(..., timeout=$N, ...)
  - pattern-not: |
      $SESSION = requests.Session(...)
      ...
      $SESSION.$W(..., **$KWARGS)
  - pattern-either:
    - pattern: requests.request(...)
    - pattern: requests.get(...)
    - pattern: requests.post(...)
    - pattern: requests.put(...)
    - pattern: requests.delete(...)
    - pattern: requests.head(...)
    - pattern: requests.patch(...)
    - pattern: |
        $SESSION = requests.Session(...)
        ...
        $SESSION.get(...)
    - pattern: |
        $SESSION = requests.Session(...)
        ...
        $SESSION.post(...)
    - pattern: |
        $SESSION = requests.Session(...)
        ...
        $SESSION.put(...)
    - pattern: |
        $SESSION = requests.Session(...)
        ...
        $SESSION.delete(...)
    - pattern: |
        $SESSION = requests.Session(...)
        ...
        $SESSION.head(...)
    - pattern: |
        $SESSION = requests.Session(...)
        ...
        $SESSION.patch(...)
  severity: WARNING
- id: python.sh.security.string-concat.string-concat
  languages:
  - python
  message: Detected string concatenation or formatting in a call to a command via
    'sh'. This could be a command injection vulnerability if the data is user-controlled.
    Instead, use a list and append the argument.
  metadata:
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    shortlink: https://sg.run/Wg34
    source: https://semgrep.dev/r/python.sh.security.string-concat.string-concat
    technology:
    - sh
  pattern-either:
  - pattern: sh.$BIN($X + $Y)
  - pattern: sh.$BIN($X.format(...))
  - pattern: sh.$BIN(f"...{...}...")
  severity: ERROR
- id: python.sqlalchemy.correctness.bad-operator-in-filter.bad-operator-in-filter
  languages:
  - python
  message: Only comparison operators should be used inside SQLAlchemy filter expressions.
    Use `==` instead of `is`, `!=` instead of `is not`, `sqlalchemy.and_` instead
    of `and`, `sqlalchemy.or_` instead of `or`, `sqlalchemy.not_` instead of `not`,
    and `sqlalchemy.in_` instead of `in_`.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    references:
    - https://docs.sqlalchemy.org/en/13/orm/tutorial.html#common-filter-operators
    shortlink: https://sg.run/0nLv
    source: https://semgrep.dev/r/python.sqlalchemy.correctness.bad-operator-in-filter.bad-operator-in-filter
    technology:
    - sqlalchemy
  patterns:
  - pattern-inside: |
      def $ANY(...):
          ...
          $MODEL.query
  - pattern-inside: |
      $TARGET.filter(...)
  - pattern-either:
    - pattern: not $A
    - pattern: $A is $B
    - pattern: $A is not $B
    - pattern: $A and $B
    - pattern: $A or $B
    - pattern: $A in $B
    - pattern: $A not in $B
  severity: WARNING
- fix-regex:
    regex: format
    replacement: bindparams
  id: python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection
  languages:
  - python
  message: Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause
    sql injections if the developer inputs raw SQL into the before-mentioned clauses.
    This pattern captures relevant cases in which the developer inputs raw SQL into
    the distinct, having, group_by, order_by or filter clauses and injects user-input
    into the raw SQL with any function besides "bindparams". Use bindParams to securely
    bind user-input to SQL statements.
  metadata:
    category: security
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/J3Xo
    source: https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection
    technology:
    - sqlalchemy
  patterns:
  - pattern-either:
    - pattern: |
        def $FUNC(...,$VAR,...):
          ...
          $SESSION.query(...).$SQLFUNC("...".$FORMATFUNC(...,$VAR,...))
    - pattern: |
        def $FUNC(...,$VAR,...):
          ...
          $SESSION.query.join(...).$SQLFUNC("...".$FORMATFUNC(...,$VAR,...))
    - pattern: |
        def $FUNC(...,$VAR,...):
          ...
          $SESSION.query.$SQLFUNC("...".$FORMATFUNC(...,$VAR,...))
    - pattern: |
        def $FUNC(...,$VAR,...):
          ...
          query.$SQLFUNC("...".$FORMATFUNC(...,$VAR,...))
  - metavariable-regex:
      metavariable: $SQLFUNC
      regex: (group_by|order_by|distinct|having|filter)
  - metavariable-regex:
      metavariable: $FORMATFUNC
      regex: (?!bindparams)
  severity: WARNING
- id: python.django.security.audit.xss.class-extends-safestring.class-extends-safestring
  languages:
  - python
  message: Found a class extending 'SafeString', 'SafeText' or 'SafeData'. These classes
    are for bypassing the escaping engine built in to Django and should not be used
    directly. Improper use of this class exposes your application to cross-site scripting
    (XSS) vulnerabilities. If you need this functionality, use 'mark_safe' instead
    and ensure no user data can reach it.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping
    - https://github.com/django/django/blob/f138e75910b1e541686c4dce3d8f467f6fc234cb/django/utils/safestring.py#L11
    shortlink: https://sg.run/Zvpw
    source: https://semgrep.dev/r/python.django.security.audit.xss.class-extends-safestring.class-extends-safestring
    technology:
    - django
  pattern-either:
  - pattern: |
      class $CLASS(django.utils.safestring.SafeString):
        ...
  - pattern: |
      class $CLASS(django.utils.safestring.SafeText):
        ...
  - pattern: |-
      class $CLASS(django.utils.safestring.SafeData):
        ...
  severity: WARNING
- id: python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run
  languages:
  - python
  message: If unverified user data can reach the `run` or `create` method it can result
    in running arbitrary container.
  metadata:
    category: security
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/pxEL
    source: https://semgrep.dev/r/python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run
    technology:
    - docker
  patterns:
  - pattern-either:
    - pattern-inside: |
        $CLIENT = docker.from_env()
        ...
    - pattern-inside: |
        $CLIENT = docker.DockerClient(...)
        ...
  - pattern-either:
    - pattern: |
        $CLIENT.containers.run(...)
    - pattern: |
        $CLIENT.containers.create(...)
  - pattern-not: |
      $CLIENT.containers.run("...",...)
  - pattern-not: |
      $CLIENT.containers.create("...",...)
  severity: WARNING
- id: python.flask.security.insecure-deserialization.insecure-deserialization
  languages:
  - python
  message: Detected the use of an insecure deserialization library in a Flask route.
    These libraries are prone to code execution vulnerabilities. Ensure user data
    does not enter this function. To fix this, try to avoid serializing whole objects.
    Consider instead using a serializer such as JSON.
  metadata:
    category: security
    cwe: 'CWE-502: Deserialization of Untrusted Data'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A8: Insecure Deserialization'
    references:
    - https://docs.python.org/3/library/pickle.html
    shortlink: https://sg.run/N45z
    source: https://semgrep.dev/r/python.flask.security.insecure-deserialization.insecure-deserialization
    technology:
    - flask
  patterns:
  - pattern-inside: |
      @app.route(...)
      def $X(...):
        ...
  - pattern-not: $MODULE.$FUNC("...")
  - pattern-not: $MODULE.$FUNC(open("...", ...))
  - pattern-either:
    - pattern: pickle.$FUNC(...)
    - pattern: _pickle.$FUNC(...)
    - pattern: cPickle.$FUNC(...)
    - pattern: dill.$FUNC(...)
    - pattern: shelve.$FUNC(...)
    - pattern: yaml.load(...)
  severity: ERROR
- fix-regex:
    count: 1
    regex: http:\/\/
    replacement: https://
  id: python.requests.security.no-auth-over-http.no-auth-over-http
  languages:
  - python
  message: Authentication detected over HTTP. HTTP does not provide any encryption
    or protection for these authentication credentials. This may expose these credentials
    to unauthorized parties. Use 'https://' instead.
  metadata:
    category: security
    cwe: 'CWE-523: Unprotected Transport of Credentials'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A2: Broken Authentication'
    references:
    - https://blog.r2c.dev/2020/bento-check-no-auth-over-http/
    - https://bento.dev/checks/requests/no-auth-over-http/
    shortlink: https://sg.run/B4NW
    source: https://semgrep.dev/r/python.requests.security.no-auth-over-http.no-auth-over-http
    source-rule-url: https://pypi.org/project/flake8-flask/
    technology:
    - requests
  pattern-either:
  - pattern: requests.$W("=~/http:\/\/.*/", ..., auth=$X, ...)
  - pattern: |
      $URL = "=~/http:\/\/.../"
      ...
      requests.$W($URL, ..., auth=$X, ...)
  severity: ERROR
- id: python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query
  languages:
  - python
  message: 'Avoiding SQL string concatenation: untrusted input concatenated with raw
    SQL query can result in SQL Injection. In order to execute raw query safely, prepared
    statement should be used. SQLAlchemy provides TextualSQL to easily used prepared
    statement with named parameters. For complex SQL composition, use SQL Expression
    Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be
    a better option.'
  metadata:
    category: security
    cwe: |
      CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql
    - https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm
    - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column
    shortlink: https://sg.run/2b1L
    source: https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query
    technology:
    - sqlalchemy
  pattern-either:
  - pattern: |
      $CONNECTION.execute( $SQL + ..., ... )
  - pattern: |
      $CONNECTION.execute( $SQL % (...), ...)
  - pattern: |
      $CONNECTION.execute( $SQL.format(...), ... )
  - pattern: |
      $CONNECTION.execute(f"...{...}...", ...)
  - pattern: |
      $QUERY = $SQL + ...
      ...
      $CONNECTION.execute($QUERY, ...)
  - pattern: |
      $QUERY = $SQL % (...)
      ...
      $CONNECTION.execute($QUERY, ...)
  - pattern: |
      $QUERY = $SQL.format(...)
      ...
      $CONNECTION.execute($QUERY, ...)
  - pattern: |
      $QUERY = f"...{...}..."
      ...
      $CONNECTION.execute($QUERY, ...)
  severity: ERROR
- id: python.lang.security.audit.insecure-file-permissions.insecure-file-permissions
  languages:
  - python
  message: These permissions `$BITS` are widely permissive and grant access to more
    people than may be necessary. A good default is `0o644` which gives read and write
    access to yourself and read access to everyone else.
  metadata:
    category: security
    cwe: 'CWE-276: Incorrect Default Permissions'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp:
    - A06:2017 - Security Misconfiguration
    - A05:2021 - Security Misconfiguration
    shortlink: https://sg.run/AXY4
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions
    technology:
    - python
  patterns:
  - pattern-inside: os.$METHOD(...)
  - metavariable-pattern:
      metavariable: $METHOD
      patterns:
      - pattern-either:
        - pattern: chmod
        - pattern: lchmod
        - pattern: fchmod
  - pattern-either:
    - patterns:
      - pattern: os.$METHOD($FILE, $BITS, ...)
      - metavariable-comparison:
          comparison: $BITS >= 0o650 and $BITS < 0o100000
          metavariable: $BITS
    - patterns:
      - pattern: os.$METHOD($FILE, $BITS)
      - metavariable-comparison:
          comparison: $BITS >= 0o100650
          metavariable: $BITS
    - patterns:
      - pattern: os.$METHOD($FILE, $BITS, ...)
      - metavariable-pattern:
          metavariable: $BITS
          patterns:
          - pattern-either:
            - pattern: <... stat.S_IWGRP ...>
            - pattern: <... stat.S_IXGRP ...>
            - pattern: <... stat.S_IWOTH ...>
            - pattern: <... stat.S_IXOTH ...>
            - pattern: <... stat.S_IRWXO ...>
            - pattern: <... stat.S_IRWXG ...>
    - patterns:
      - pattern: os.$METHOD($FILE, $EXPR | $MOD, ...)
      - metavariable-comparison:
          comparison: $MOD == 0o111
          metavariable: $MOD
  severity: WARNING
- id: python.lang.compatibility.python37.python37-compatibility-httpconn
  languages:
  - python
  message: Found usage of the 'blocksize' argument in a HTTPConnection call. This
    is only available on Python 3.7+ and is therefore not backwards compatible. Remove
    this in order for this code to work in Python 3.6 and below.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/vzAb
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpconn
    technology:
    - python
  pattern: http.client.HTTPConnection(blocksize=$X,...)
  severity: ERROR
- id: python.lang.compatibility.python37.python37-compatibility-httpsconn
  languages:
  - python
  message: Found usage of the 'blocksize' argument in a HTTPSConnection call. This
    is only available on Python 3.7+ and is therefore not backwards compatible. Remove
    this in order for this code to work in Python 3.6 and below.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/dKwd
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpsconn
    technology:
    - python
  pattern: http.client.HTTPSConnection(blocksize=$X,...)
  severity: ERROR
- id: python.lang.compatibility.python37.python37-compatibility-importlib3
  languages:
  - python
  message: Found usage of 'importlib.abc.ResourceReader'. This module is only available
    on Python 3.7+ and is therefore not backwards compatible. Instead, use another
    loader.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/Zv2o
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib3
    technology:
    - python
  pattern: import importlib.abc.ResourceReader
  severity: ERROR
- id: python.lang.compatibility.python37.python37-compatability-os-module
  languages:
  - python
  message: this function is only available on Python 3.7+
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/J95W
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatability-os-module
    technology:
    - python
  patterns:
  - pattern-not-inside: |
      if hasattr(os, 'pwrite'):
          ...
  - pattern: os.pwrite(...)
  severity: ERROR
- id: python.lang.compatibility.python37.python37-compatibility-textiowrapper
  languages:
  - python
  message: Found usage of 'importlib.abc.ResourceReader'. This module is only available
    on Python 3.7+ and is therefore not backwards compatible. Instead, use another
    loader.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/ndL2
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper
    technology:
    - python
  pattern: TextIOWrapper.reconfigure(...)
  severity: ERROR
- id: python.lang.compatibility.python37.python37-compatibility-ipv6network1
  languages:
  - python
  message: IPv6Network.subnet_of is only available on Python 3.7+ and is therefore
    not backwards compatible. Instead, check if the subnet is in 'subnets'.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/EkLe
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv6network1
    technology:
    - python
  pattern: ipaddress.IPv6Network.subnet_of($X)
  severity: ERROR
- id: python.lang.compatibility.python37.python37-compatibility-ipv6network2
  languages:
  - python
  message: IPv6Network.supernet_of is only available on Python 3.7+ and is therefore
    not backwards compatible. Instead, check if the supernet is in 'supernet'.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/7orW
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv6network2
    technology:
    - python
  pattern: ipaddress.IPv6Network.supernet_of($X)
  severity: ERROR
- id: python.lang.compatibility.python37.python37-compatibility-ipv4network1
  languages:
  - python
  message: IPv4Network.subnet_of is only available on Python 3.7+ and is therefore
    not backwards compatible. Instead, check if the subnet is in 'subnets'.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/LwRo
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv4network1
    technology:
    - python
  pattern: ipaddress.IPv4Network.subnet_of($X)
  severity: ERROR
- id: python.lang.compatibility.python37.python37-compatibility-ipv4network2
  languages:
  - python
  message: IPv4Network.supernet_of is only available on Python 3.7+ and is therefore
    not backwards compatible. Instead, check if the supernet is in 'supernet'.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/8y3E
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv4network2
    technology:
    - python
  pattern: ipaddress.IPv4Network.supernet_of($X)
  severity: ERROR
- id: python.lang.compatibility.python37.python37-compatibility-locale1
  languages:
  - python
  message: Found usage of the 'monetary' argument in a function call of 'locale.format_string'.
    This is only available on Python 3.7+ and is therefore not backwards compatible.
    Instead, remove the 'monetary' argument.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/gLeZ
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-locale1
    technology:
    - python
  pattern: locale.format_string(monetary=$X, ...)
  severity: ERROR
- id: python.lang.compatibility.python37.python37-compatibility-math1
  languages:
  - python
  message: math.remainder is only available on Python 3.7+ and is therefore not backwards
    compatible. Instead, use math.fmod() or calculate $X - n* $Y.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/Q50Q
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-math1
    technology:
    - python
  pattern: math.remainder($X, $Y)
  severity: ERROR
- id: python.lang.compatibility.python37.python37-compatibility-multiprocess1
  languages:
  - python
  message: multiprocessing.Process.close() is only available on Python 3.7+ and is
    therefore not backwards compatible. Instead, use join().
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/3xjp
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess1
    technology:
    - python
  pattern: multiprocessing.Process.close()
  severity: ERROR
- id: python.lang.compatibility.python37.python37-compatibility-multiprocess2
  languages:
  - python
  message: multiprocessing.Process.kill() is only available on Python 3.7+ and is
    therefore not backwards compatible. Instead, use terminate().
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/4x1z
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2
    technology:
    - python
  pattern: multiprocessing.Process.kill()
  severity: ERROR
- id: python.lang.compatibility.python37.python37-compatibility-os1
  languages:
  - python
  message: os.preadv() is only available on Python 3.7+ and is therefore not backwards
    compatible. Instead, use a combination of os.readv() and os.pread().
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/PJWW
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1
    technology:
    - python
  pattern: os.preadv(...)
  severity: ERROR
- id: python.lang.compatibility.python37.python37-compatibility-pdb
  languages:
  - python
  message: pdb.set_trace() with the header argument is only available on Python 3.7+
    and is therefore not backwards compatible. Instead, use set_trace() without the
    header argument.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/GeA2
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-pdb
    technology:
    - python
  pattern: pdb.set_trace(header=$X, ...)
  severity: ERROR
- id: python.lang.correctness.baseclass-attribute-override.baseclass-attribute-override
  languages:
  - python
  message: Class $C inherits from both `$A` and `$B` which both have a method named
    `$F`; one of these methods will be overwritten.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/Roze
    source: https://semgrep.dev/r/python.lang.correctness.baseclass-attribute-override.baseclass-attribute-override
    technology:
    - python
  pattern: |
    class $A(...):
      def $F(...):
       ...
    ...
    class $B(...):
      def $F(...):
       ...
    ...
    class $C(..., $A, $B, ...):
       ...
  severity: WARNING
- id: python.lang.correctness.common-mistakes.default-mutable-list.default-mutable-list
  languages:
  - python
  message: 'Function $F mutates default list $D. Python only instantiates default
    function arguments once and shares the instance across the function calls. If
    the default function argument is mutated, that will modify the instance used by
    all future function calls. This can cause unexpected results, or lead to security
    vulnerabilities whereby one function consumer can view or modify the data of another
    function consumer. Instead, use a default argument (like None) to indicate that
    no argument was provided and instantiate a new list at that time. For example:
    `if $D is None: $D = []`.'
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/BkPW
    source: https://semgrep.dev/r/python.lang.correctness.common-mistakes.default-mutable-list.default-mutable-list
    technology:
    - python
  pattern-either:
  - patterns:
    - pattern: |
        def $F(..., $D=[], ...):
          ...
          $D.append(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = []
          ...
          $D.append(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = [...]
          ...
          $D.append(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = list(...)
          ...
          $D.append(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = copy.deepcopy($D)
          ...
          $D.append(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = copy.copy($D)
          ...
          $D.append(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = list.copy($D)
          ...
          $D.append(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = $D[:]
          ...
          $D.append(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = [... for ... in ...]
          ...
          $D.append(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = $D or []
          ...
          $D.append(...)
    - pattern-not-inside: |
        def $A(...):
          ...
          def $F(..., $D=[], ...):
            ...
            $D.append(...)
  - patterns:
    - pattern: |
        def $F(..., $D=[], ...):
          ...
          $D.extend(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = []
          ...
          $D.extend(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = [...]
          ...
          $D.extend(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = list(...)
          ...
          $D.extend(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = copy.deepcopy($D)
          ...
          $D.extend(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = copy.copy($D)
          ...
          $D.extend(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = list.copy($D)
          ...
          $D.extend(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = $D[:]
          ...
          $D.extend(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = [... for ... in ...]
          ...
          $D.extend(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = $D or []
          ...
          $D.extend(...)
    - pattern-not-inside: |
        def $A(...):
          ...
          def $F(..., $D=[], ...):
            ...
            $D.extend(...)
  - patterns:
    - pattern: |
        def $F(..., $D=[], ...):
          ...
          $D.insert(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = []
          ...
          $D.insert(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = [...]
          ...
          $D.insert(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = list(...)
          ...
          $D.insert(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = copy.deepcopy($D)
          ...
          $D.insert(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = copy.copy($D)
          ...
          $D.insert(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = list.copy($D)
          ...
          $D.insert(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = $D[:]
          ...
          $D.insert(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = [... for ... in ...]
          ...
          $D.insert(...)
    - pattern-not: |
        def $F(..., $D=[], ...):
          ...
          $D = $D or []
          ...
          $D.insert(...)
    - pattern-not-inside: |
        def $A(...):
          ...
          def $F(..., $D=[], ...):
            ...
            $D.insert(...)
  severity: ERROR
- id: python.lang.correctness.common-mistakes.is-comparison-string.identical-is-comparison
  languages:
  - python
  message: Found identical comparison using is. Ensure this is what you intended.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/Do5Y
    source: https://semgrep.dev/r/python.lang.correctness.common-mistakes.is-comparison-string.identical-is-comparison
    technology:
    - python
  pattern: $S is $S
  severity: ERROR
- id: python.lang.correctness.common-mistakes.is-comparison-string.string-is-comparison
  languages:
  - python
  message: Found string comparison using 'is' operator. The 'is' operator is for reference
    equality, not value equality, and therefore should not be used to compare strings.
    For more information, see https://github.com/satwikkansal/wtfpython#-how-not-to-use-is-operator"
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/W814
    source: https://semgrep.dev/r/python.lang.correctness.common-mistakes.is-comparison-string.string-is-comparison
    technology:
    - python
  patterns:
  - pattern-not: $S is None
  - pattern-not: type($X) is $T
  - pattern-not: $S is True
  - pattern-not: $S is False
  - pattern-not: $S is ""
  - pattern-either:
    - pattern: $S is "..."
    - pattern: '"..." is $S'
  severity: ERROR
- id: python.lang.correctness.common-mistakes.is-not-is-not.is-not-is-not
  languages:
  - python
  message: In Python 'X is not ...' is different from 'X is (not ...)'. In the latter
    the 'not' converts the '...' directly to boolean.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/0Qrv
    source: https://semgrep.dev/r/python.lang.correctness.common-mistakes.is-not-is-not.is-not-is-not
    technology:
    - python
  pattern: $S is (not ...)
  severity: ERROR
- fix-regex:
    regex: xml
    replacement: defusedxml
  id: python.lang.security.use-defused-xml.use-defused-xml
  languages:
  - python
  message: The Python documentation recommends using `defusedxml` instead of `xml`
    because the native Python `xml` library is vulnerable to XML External Entity (XXE)
    attacks. These attacks can leak confidential data and "XML bombs" can cause denial
    of service.
  metadata:
    category: security
    cwe: 'CWE-611: Improper Restriction of XML External Entity Reference'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A4: XML External Entities (XXE)'
    references:
    - https://docs.python.org/3/library/xml.html
    - https://github.com/tiran/defusedxml
    - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
    shortlink: https://sg.run/kX47
    source: https://semgrep.dev/r/python.lang.security.use-defused-xml.use-defused-xml
    technology:
    - python
  pattern: import xml
  severity: ERROR
- id: python.lang.security.audit.weak-ssl-version.weak-ssl-version
  languages:
  - python
  message: An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL
    versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2'
    or higher.
  metadata:
    asvs:
      control_id: 9.1.3 Weak TLS
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements
      section: V9 Communications Verification Requirements
      version: '4'
    category: security
    cwe: 'CWE-326: Inadequate Encryption Strength'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://tools.ietf.org/html/rfc7568
    - https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html
    - https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLSv1_2
    shortlink: https://sg.run/RoZO
    source: https://semgrep.dev/r/python.lang.security.audit.weak-ssl-version.weak-ssl-version
    source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/insecure_ssl_tls.py#L30
    technology:
    - python
  pattern-either:
  - pattern: ssl.PROTOCOL_SSLv2
  - pattern: ssl.PROTOCOL_SSLv3
  - pattern: ssl.PROTOCOL_TLSv1
  - pattern: ssl.PROTOCOL_TLSv1_1
  - pattern: pyOpenSSL.SSL.SSLv2_METHOD
  - pattern: pyOpenSSL.SSL.SSLv23_METHOD
  - pattern: pyOpenSSL.SSL.SSLv3_METHOD
  - pattern: pyOpenSSL.SSL.TLSv1_METHOD
  - pattern: pyOpenSSL.SSL.TLSv1_1_METHOD
  severity: WARNING
- fix-regex:
    count: 1
    regex: load
    replacement: safe_load
  id: python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load
  languages:
  - python
  message: Avoid using `load()`. `PyYAML.load` can create arbitrary Python objects.
    A malicious actor could exploit this to run arbitrary code. Use `safe_load()`
    instead.
  metadata:
    category: security
    cwe: 'CWE-502: Deserialization of Untrusted Data'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A8: Insecure Deserialization'
    references:
    - https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
    - https://nvd.nist.gov/vuln/detail/CVE-2017-18342
    shortlink: https://sg.run/we9Y
    source: https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load
    technology:
    - pyyaml
  patterns:
  - pattern-inside: |
      import yaml
      ...
  - pattern-not-inside: |
      $YAML = ruamel.yaml.YAML(...)
      ...
  - pattern-not: yaml.load(..., Loader=yaml.CSafeLoader, ...)
  - pattern-not: yaml.load(..., Loader=yaml.SafeLoader, ...)
  - pattern-not: yaml.load_all(..., Loader=yaml.CSafeLoader, ...)
  - pattern-not: yaml.load_all(..., Loader=yaml.SafeLoader, ...)
  - pattern-either:
    - pattern: yaml.load(...)
    - pattern: yaml.load_all(...)
  severity: ERROR
- id: python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel
  languages:
  - python
  message: Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create
    arbitrary Python objects. A malicious actor could exploit this to run arbitrary
    code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead.
  metadata:
    category: security
    cwe: 'CWE-502: Deserialization of Untrusted Data'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A8: Insecure Deserialization'
    references:
    - https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ
    shortlink: https://sg.run/x1rz
    source: https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel
    technology:
    - ruamel.yaml
  pattern-either:
  - pattern: ruamel.yaml.YAML(..., typ='unsafe', ...)
  - pattern: ruamel.yaml.YAML(..., typ='base', ...)
  severity: ERROR
- id: python.lang.security.deserialization.pickle.avoid-dill
  languages:
  - python
  message: Avoid using `dill`, which uses `pickle`, which is known to lead to code
    execution vulnerabilities. When unpickling, the serialized data could be manipulated
    to run arbitrary code. Instead, consider serializing the relevant data as JSON
    or a similar text-based serialization format.
  metadata:
    category: security
    cwe: 'CWE-502: Deserialization of Untrusted Data'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A8: Insecure Deserialization'
    references:
    - https://docs.python.org/3/library/pickle.html
    shortlink: https://sg.run/vzjA
    source: https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-dill
    technology:
    - python
  pattern: dill.$FUNC(...)
  severity: WARNING
- id: python.lang.security.insecure-hash-function.insecure-hash-function
  languages:
  - python
  message: Detected use of an insecure MD4 or MD5 hash function. These functions have
    known vulnerabilities and are considered deprecated. Consider using 'SHA256' or
    a similar function instead.
  metadata:
    asvs:
      control_id: 6.2.2 Insecure Custom Algorithm
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
      section: V6 Stored Cryptography Verification Requirements
      version: '4'
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://tools.ietf.org/html/rfc6151
    - https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision
    - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html
    shortlink: https://sg.run/rdBn
    source: https://semgrep.dev/r/python.lang.security.insecure-hash-function.insecure-hash-function
    source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/hashlib_new_insecure_functions.py
    technology:
    - python
  pattern-either:
  - pattern: hashlib.new("=~/[M|m][D|d][4|5]/", ...)
  - pattern: hashlib.new(..., name="=~/[M|m][D|d][4|5]/", ...)
  severity: WARNING
- id: python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc
  languages:
  - python
  message: Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities.
    Use defusedxml.xmlrpc instead.
  metadata:
    category: security
    cwe: 'CWE-776: Improper Restriction of Recursive Entity References in DTDs (''XML
      Entity Expansion'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A4: XML External Entities (XXE)'
    references:
    - https://pypi.org/project/defusedxml/
    - https://docs.python.org/3/library/xml.html#xml-vulnerabilities
    shortlink: https://sg.run/weqY
    source: https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc
    source-rule-url: https://github.com/PyCQA/bandit/blob/07f84cb5f5e7c1055e6feaa0fe93afa471de0ac3/bandit/blacklists/imports.py#L160
    technology:
    - python
  pattern-either:
  - pattern: import xmlrpclib
  - pattern: import SimpleXMLRPCServer
  - pattern: import xmlrpc
  severity: ERROR
- id: python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name
  languages:
  - python
  message: Data from request is passed to a file name `$FILE`.  This is a path traversal
    vulnerability, which can lead to sensitive data being leaked.  To mitigate, consider
    using os.path.abspath or os.path.realpath or the pathlib library.
  metadata:
    category: security
    cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path
      Traversal'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://owasp.org/www-community/attacks/Path_Traversal
    shortlink: https://sg.run/BkO2
    source: https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $F(...):
        ...
  - pattern-not-inside: |
      def $F(...):
        ...
        os.path.realpath(...)
        ...
  - pattern-not-inside: |
      def $F(...):
        ...
        os.path.abspath(...)
        ...
  - pattern-either:
    - pattern: |
        $V = request.$W.get($X)
        ...
        $FILE % ($V)
    - pattern: |
        $V = request.$W[$X]
        ...
        $FILE % ($V)
    - pattern: |
        $V = request.$W($X)
        ...
        $FILE % ($V)
    - pattern: |
        $V = request.$W
        ...
        $FILE % ($V)
        # match format use cases
    - pattern: |
        $V = request.$W.get($X)
        ...
        $FILE.format(..., $V, ...)
    - pattern: |
        $V = request.$W[$X]
        ...
        $FILE.format(..., $V, ...)
    - pattern: |
        $V = request.$W($X)
        ...
        $FILE.format(..., $V, ...)
    - pattern: |
        $V = request.$W
        ...
        $FILE.format(..., $V, ...)
  - metavariable-regex:
      metavariable: $FILE
      regex: .*\.(log|zip|txt|csv|xml|html).*
  severity: WARNING
- id: python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join
  languages:
  - python
  message: Data from request is passed to os.path.join() and to open().  This is a
    path traversal vulnerability, which can lead to sensitive data being leaked.  To
    mitigate, consider using os.path.abspath or os.path.realpath or Path library.
  metadata:
    category: security
    cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path
      Traversal'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://owasp.org/www-community/attacks/Path_Traversal
    shortlink: https://sg.run/Dovo
    source: https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $F(...):
        ...
  - pattern-not-inside: |
      def $F(...):
        ...
        os.path.abspath(...)
        ...
  - pattern-not-inside: |
      def $F(...):
        ...
        os.path.realpath(...)
        ...
  - pattern-either:
    - pattern: open(os.path.join(..., request.$W.get(...), ...), ...)
    - pattern: open(os.path.join(..., request.$W(...), ...), ...)
    - pattern: open(os.path.join(..., request.$W, ...), ...)
    - pattern: open(os.path.join(..., request.$W[...], ...), ...)
    - pattern: |
        $P = os.path.join(..., request.$W.get(...), ...)
        ...
        open($P, ...)
    - pattern: |
        $P = os.path.join(..., request.$W(...), ...)
        ...
        open($P, ...)
    - pattern: |
        $P = os.path.join(..., request.$W, ...)
        ...
        open($P, ...)
    - pattern: |
        $P = os.path.join(..., request.$W[...], ...)
        ...
        open($P, ...)
    - pattern: |
        $V = request.$W.get($X)
        ...
        $P = os.path.join(..., $V, ...)
        ...
        open($P, ...)
    - pattern: |
        $V = request.$W($X)
        ...
        $P = os.path.join(..., $V, ...)
        ...
        open($P, ...)
    - pattern: |
        $V = request.$W[$X]
        ...
        $P = os.path.join(..., $V, ...)
        ...
        open($P, ...)
    - pattern: |
        $V = request.$W
        ...
        $P = os.path.join(..., $V, ...)
        ...
        open($P, ...)
    - pattern: |
        $P = request.$W.get(...)
        ...
        open(os.path.join(..., $P, ...), ...)
    - pattern: |
        $P = request.$W(...)
        ...
        open(os.path.join(..., $P, ...), ...)
    - pattern: |
        $P = request.$W
        ...
        open(os.path.join(..., $P, ...), ...)
    - pattern: |
        $P = request.$W[...]
        ...
        open(os.path.join(..., $P, ...), ...)
  severity: WARNING
- id: python.lang.security.audit.python-reverse-shell.python-reverse-shell
  languages:
  - python
  message: Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT
  metadata:
    category: security
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/gYZJ
    source: https://semgrep.dev/r/python.lang.security.audit.python-reverse-shell.python-reverse-shell
    technology:
    - python
  patterns:
  - pattern-either:
    - pattern: pty.spawn("$BINPATH",...)
    - pattern: subprocess.call(["$BINPATH",...],...)
  - metavariable-regex:
      metavariable: $BINPATH
      regex: /bin/.*?sh\b
  - pattern-inside: |
      import socket
      ...
      $S = socket.socket(...)
      ...
      $S.connect(($IP,$PORT),...)
      ...
  severity: WARNING
- id: python.aws-lambda.security.tainted-sql-string.tainted-sql-string
  languages:
  - python
  message: Detected user input used to manually construct a SQL string. This is usually
    bad practice because manual construction could accidentally result in a SQL injection.
    An attacker could use a SQL injection to steal or modify contents of the database.
    Instead, use a parameterized query which is available by default in most database
    engines. Alternatively, consider using an object-relational mapper (ORM) such
    as Sequelize which will protect your queries.
  metadata:
    category: security
    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
      (''SQL Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://owasp.org/www-community/attacks/SQL_Injection
    shortlink: https://sg.run/wXvA
    source: https://semgrep.dev/r/python.aws-lambda.security.tainted-sql-string.tainted-sql-string
    technology:
    - aws-lambda
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern-either:
      - pattern: |
          "$SQLSTR" + ...
      - pattern: |
          "$SQLSTR" % ...
      - pattern: |
          "$SQLSTR".format(...)
      - pattern: |
          f"$SQLSTR{...}..."
    - metavariable-regex:
        metavariable: $SQLSTR
        regex: \s*(?i)(select|delete|insert|create|update|alter|drop)\b.*=
    - pattern-not-inside: |
        print(...)
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  severity: ERROR
- id: python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell
  languages:
  - python
  message: Detected asyncio subprocess function with argument tainted by `event` object.
    If this data can be controlled by a malicious actor, it may be an instance of
    command injection. Audit the use of this call to ensure it is not controllable
    by an external resource. You may consider using 'shlex.escape()'.
  metadata:
    asvs:
      control_id: 5.3.8 OS Command Injection
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.python.org/3/library/asyncio-subprocess.html
    - https://docs.python.org/3/library/shlex.html
    shortlink: https://sg.run/p9vZ
    source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell
    technology:
    - python
    - aws-lambda
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern: $CMD
    - pattern-either:
      - pattern-inside: $LOOP.subprocess_shell($PROTOCOL, $CMD)
      - pattern-inside: asyncio.subprocess.create_subprocess_shell($CMD, ...)
      - pattern-inside: asyncio.create_subprocess_shell($CMD, ...)
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  severity: ERROR
- id: python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process
  languages:
  - python
  message: Detected `os` function with argument tainted by `event` object. This is
    dangerous if external data can reach this function call because it allows a malicious
    actor to execute commands. Ensure no external data reaches here.
  metadata:
    asvs:
      control_id: 5.3.8 OS Command Injection
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    shortlink: https://sg.run/2AjL
    source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process
    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
    technology:
    - python
    - aws-lambda
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern: $CMD
    - pattern-either:
      - patterns:
        - pattern-inside: os.$METHOD($MODE, $CMD, ...)
        - metavariable-regex:
            metavariable: $METHOD
            regex: (spawnl|spawnle|spawnlp|spawnlpe|spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp|startfile)
      - patterns:
        - pattern-inside: os.$METHOD($MODE, $BASH, ["-c", $CMD,...],...)
        - metavariable-regex:
            metavariable: $METHOD
            regex: (spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp)
        - metavariable-regex:
            metavariable: $BASH
            regex: (.*)(sh|bash|ksh|csh|tcsh|zsh)
      - patterns:
        - pattern-inside: os.$METHOD($MODE, $BASH, "-c", $CMD,...)
        - metavariable-regex:
            metavariable: $METHOD
            regex: (spawnl|spawnle|spawnlp|spawnlpe)
        - metavariable-regex:
            metavariable: $BASH
            regex: (.*)(sh|bash|ksh|csh|tcsh|zsh)
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  severity: ERROR
- id: python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use
  languages:
  - python
  message: Detected subprocess function with argument tainted by `event` object. If
    this data can be controlled by a malicious actor, it may be an instance of command
    injection. Audit the use of this call to ensure it is not controllable by an external
    resource. You may consider using 'shlex.escape()'.
  metadata:
    asvs:
      control_id: 5.3.8 OS Command Injection
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.python.org/3/library/subprocess.html
    - https://docs.python.org/3/library/shlex.html
    shortlink: https://sg.run/XZ7B
    source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use
    technology:
    - python
    - aws-lambda
  mode: taint
  pattern-sanitizers:
  - pattern: shlex.escape(...)
  pattern-sinks:
  - patterns:
    - pattern: $CMD
    - pattern-either:
      - pattern-inside: subprocess.$FUNC($CMD, ...)
      - pattern-inside: subprocess.$FUNC([$CMD,...], ...)
      - pattern-inside: subprocess.$FUNC("=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $CMD,
          ...)
      - pattern-inside: subprocess.$FUNC(["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c",
          $CMD, ...], ...)
      - pattern-inside: subprocess.$FUNC("=~/(python)/", $CMD, ...)
      - pattern-inside: subprocess.$FUNC(["=~/(python)/",$CMD,...],...)
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  severity: ERROR
- id: python.aws-lambda.security.dangerous-system-call.dangerous-system-call
  languages:
  - python
  message: Detected `os` function with argument tainted by `event` object. This is
    dangerous if external data can reach this function call because it allows a malicious
    actor to execute commands. Use the 'subprocess' module instead, which is easier
    to use without accidentally exposing a command injection vulnerability.
  metadata:
    asvs:
      control_id: 5.2.4 Dyanmic Code Execution Features
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    shortlink: https://sg.run/jDvN
    source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-system-call.dangerous-system-call
    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
    technology:
    - python
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern: $CMD
    - pattern-either:
      - pattern: os.system($CMD,...)
      - pattern: os.popen($CMD,...)
      - pattern: os.popen2($CMD,...)
      - pattern: os.popen3($CMD,...)
      - pattern: os.popen4($CMD,...)
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  severity: ERROR
- id: python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq
  languages:
  - regex
  message: Detected a template variable where autoescaping is explicitly disabled
    with '| safeseq' filter. This allows rendering of raw HTML in this segment. Ensure
    no user data is rendered here, otherwise this is a cross-site scripting (XSS)
    vulnerability. If you must do this, use `mark_safe` in your Python code.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://docs.djangoproject.com/en/3.0/ref/templates/builtins/#safeseq
    shortlink: https://sg.run/5Q30
    source: https://semgrep.dev/r/python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq
    technology:
    - django
  paths:
    include:
    - '*.html'
  pattern-regex: '{{.*?\|\s+safeseq(\s+}})?'
  severity: WARNING
- id: python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated
  languages:
  - python
  message: '''ssl.wrap_socket()'' is deprecated. This function creates an insecure
    socket without server name indication or hostname matching. Instead, create an
    SSL context using ''ssl.SSLContext()'' and use that to wrap a socket.'
  metadata:
    category: security
    cwe: 'CWE-326: Inadequate Encryption Strength'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/ssl.html#ssl.wrap_socket
    - https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket
    shortlink: https://sg.run/PJOY
    source: https://semgrep.dev/r/python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated
    technology:
    - python
  pattern: ssl.wrap_socket(...)
  severity: WARNING
- fix-regex:
    regex: (shell\s*=\s*)True
    replacement: \1False
  id: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true
  languages:
  - python
  message: Found 'subprocess' function '$FUNC' with 'shell=True'. This is dangerous
    because this call will spawn the command using a shell process. Doing so propagates
    current shell settings and variables, which makes it much easier for a malicious
    actor to execute commands. Use 'shell=False' instead.
  metadata:
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess
    - https://docs.python.org/3/library/subprocess.html
    shortlink: https://sg.run/J92w
    source: https://semgrep.dev/r/python.lang.security.audit.subprocess-shell-true.subprocess-shell-true
    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
    technology:
    - python
  patterns:
  - pattern: subprocess.$FUNC(..., shell=True, ...)
  - pattern-not: subprocess.$FUNC("...", shell=True, ...)
  severity: ERROR
- id: python.lang.security.audit.system-wildcard-detected.system-wildcard-detected
  languages:
  - python
  message: Detected use of the wildcard character in a system call that spawns a shell.
    This subjects the wildcard to normal shell expansion, which can have unintended
    consequences if there exist any non-standard file names. Consider a file named
    '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
    for more information.
  metadata:
    category: security
    cwe: 'CWE-155: Improper Neutralization of Wildcards or Matching Symbols'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
    shortlink: https://sg.run/5QXA
    source: https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected
    source-url-open: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/injection_wildcard.py
    technology:
    - python
  patterns:
  - pattern-either:
    - pattern-inside: os.system("...")
    - pattern-inside: os.popen("...")
    - pattern-inside: os.popen2("...")
    - pattern-inside: os.popen3("...")
    - pattern-inside: os.popen4("...")
    - pattern-inside: subprocess.$W(..., shell=True, ...)
  - pattern-regex: (tar|chmod|chown|rsync)(.*?)\*
  severity: WARNING
- id: python.django.security.passwords.password-empty-string.password-empty-string
  languages:
  - python
  message: '''$VAR'' is the empty string and is being used to set the password on
    ''$MODEL''. If you meant to set an unusable password, set the password to None
    or call ''set_unusable_password()''.'
  metadata:
    category: security
    cwe: 'CWE-521: Weak Password Requirements'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A2: Broken Authentication'
    references:
    - https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password
    shortlink: https://sg.run/oxnR
    source: https://semgrep.dev/r/python.django.security.passwords.password-empty-string.password-empty-string
    technology:
    - django
  patterns:
  - pattern-either:
    - pattern: |
        $MODEL.set_password($EMPTY)
        ...
        $MODEL.save()
    - pattern: |
        $VAR = $EMPTY
        ...
        $MODEL.set_password($VAR)
        ...
        $MODEL.save()
  - metavariable-regex:
      metavariable: $EMPTY
      regex: (\'\'|\"\")
  severity: ERROR
- fix-regex:
    regex: (def.*|request.*)(""|'')
    replacement: \1None
  id: python.django.security.passwords.use-none-for-password-default.use-none-for-password-default
  languages:
  - python
  message: '''$VAR'' is using the empty string as its default and is being used to
    set the password on ''$MODEL''. If you meant to set an unusable password, set
    the default value to ''None'' or call ''set_unusable_password()''.'
  metadata:
    category: security
    cwe: 'CWE-521: Weak Password Requirements'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A2: Broken Authentication'
    references:
    - https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password
    shortlink: https://sg.run/zvBW
    source: https://semgrep.dev/r/python.django.security.passwords.use-none-for-password-default.use-none-for-password-default
    technology:
    - django
  pattern-either:
  - pattern: |
      $VAR = request.$W.get($X, "")
      ...
      $MODEL.set_password($VAR)
      ...
      $MODEL.save(...)
  - pattern: |
      def $F(..., $VAR="", ...):
        ...
        $MODEL.set_password($VAR)
  severity: ERROR
- id: python.flask.security.audit.render-template-string.render-template-string
  languages:
  - python
  message: Found a template created with string formatting. This is susceptible to
    server-side template injection and cross-site scripting attacks.
  metadata:
    category: security
    cwe: 'CWE-96: Improper Neutralization of Directives in Statically Saved Code (''Static
      Code Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html
    shortlink: https://sg.run/8yjE
    source: https://semgrep.dev/r/python.flask.security.audit.render-template-string.render-template-string
    technology:
    - flask
  pattern: flask.render_template_string(...)
  severity: WARNING
- id: python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled
  languages:
  - python
  message: Setting 'WTF_CSRF_ENABLED' to 'False' explicitly disables CSRF protection.
  metadata:
    category: security
    cwe: 'CWE-352: Cross-Site Request Forgery (CSRF)'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    references:
    - https://flask-wtf.readthedocs.io/en/stable/csrf.html
    shortlink: https://sg.run/Q5AQ
    source: https://semgrep.dev/r/python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled
    technology:
    - flask
  pattern: $APP.config['WTF_CSRF_ENABLED'] = False
  severity: WARNING
- id: python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content
  languages:
  - python
  message: Be careful with `flask.make_response()`. If this response is rendered onto
    a webpage, this could create a cross-site scripting (XSS) vulnerability. `flask.make_response()`
    will not autoescape HTML. If you are rendering HTML, write your HTML in a template
    file and use `flask.render_template()` which will take care of escaping. If you
    are returning data from an API, consider using `flask.jsonify()`.
  metadata:
    category: security
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    references:
    - https://github.com/python-security/pyt//blob/093a077bcf12d1f58ddeb2d73ddc096623985fb0/examples/vulnerable_code/XSS_assign_to_other_var.py#L11
    - https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.make_response
    - https://flask.palletsprojects.com/en/1.1.x/api/#response-objects
    shortlink: https://sg.run/3x3p
    source: https://semgrep.dev/r/python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content
    technology:
    - flask
  patterns:
  - pattern: flask.make_response(...)
  - pattern-not-inside: flask.make_response()
  - pattern-not-inside: flask.make_response("...", ...)
  - pattern-not-inside: 'flask.make_response({"...": "..."}, ...)'
  - pattern-not-inside: flask.make_response(flask.redirect(...), ...)
  - pattern-not-inside: flask.make_response(flask.render_template(...), ...)
  - pattern-not-inside: flask.make_response(flask.jsonify(...), ...)
  - pattern-not-inside: flask.make_response(json.dumps(...), ...)
  - pattern-not-inside: |
      $X = flask.render_template(...)
      ...
      flask.make_response($X, ...)
  - pattern-not-inside: |
      $X = flask.jsonify(...)
      ...
      flask.make_response($X, ...)
  - pattern-not-inside: |
      $X = json.dumps(...)
      ...
      flask.make_response($X, ...)
  severity: WARNING
- id: python.flask.security.injection.path-traversal-open.path-traversal-open
  languages:
  - python
  message: Found request data in a call to 'open'. Ensure the request data is validated
    or sanitized, otherwise it could result in path traversal attacks.
  metadata:
    category: security
    cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path
      Traversal'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://owasp.org/www-community/attacks/Path_Traversal
    shortlink: https://sg.run/PJRW
    source: https://semgrep.dev/r/python.flask.security.injection.path-traversal-open.path-traversal-open
    technology:
    - flask
  pattern-either:
  - patterns:
    - pattern: open(...)
    - pattern-either:
      - pattern-inside: |
          @$APP.route($ROUTE, ...)
          def $FUNC(..., $ROUTEVAR, ...):
            ...
            open(..., <... $ROUTEVAR ...>, ...)
      - pattern-inside: |
          @$APP.route($ROUTE, ...)
          def $FUNC(..., $ROUTEVAR, ...):
            ...
            with open(..., <... $ROUTEVAR ...>, ...) as $FD:
              ...
      - pattern-inside: |
          @$APP.route($ROUTE, ...)
          def $FUNC(..., $ROUTEVAR, ...):
            ...
            $INTERM = <... $ROUTEVAR ...>
            ...
            open(..., <... $INTERM ...>, ...)
  - pattern: open(..., <... flask.request.$W.get(...) ...>, ...)
  - pattern: open(..., <... flask.request.$W[...] ...>, ...)
  - pattern: open(..., <... flask.request.$W(...) ...>, ...)
  - pattern: open(..., <... flask.request.$W ...>, ...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W.get(...) ...>
        ...
        open(<... $INTERM ...>, ...)
    - pattern: open(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W[...] ...>
        ...
        open(<... $INTERM ...>, ...)
    - pattern: open(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W(...) ...>
        ...
        open(<... $INTERM ...>, ...)
    - pattern: open(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W ...>
        ...
        open(<... $INTERM ...>, ...)
    - pattern: open(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W.get(...) ...>
        ...
        with open(<... $INTERM ...>, ...) as $F:
          ...
    - pattern: open(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W[...] ...>
        ...
        with open(<... $INTERM ...>, ...) as $F:
          ...
    - pattern: open(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W(...) ...>
        ...
        with open(<... $INTERM ...>, ...) as $F:
          ...
    - pattern: open(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W ...>
        ...
        with open(<... $INTERM ...>, ...) as $F:
          ...
    - pattern: open(...)
  severity: ERROR
- id: python.flask.security.injection.ssrf-requests.ssrf-requests
  languages:
  - python
  message: Data from request object is passed to a new server-side request. This could
    lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes
    and hosts are validated against an allowlist, do not forward the response to the
    user, and ensure proper authentication and transport-layer security in the proxied
    request.
  metadata:
    category: security
    cwe: 'CWE-918: Server-Side Request Forgery (SSRF)'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
    shortlink: https://sg.run/J9LW
    source: https://semgrep.dev/r/python.flask.security.injection.ssrf-requests.ssrf-requests
    technology:
    - flask
  pattern-either:
  - patterns:
    - pattern: requests.$FUNC(...)
    - pattern-either:
      - pattern-inside: |
          @$APP.route($ROUTE, ...)
          def $ROUTE_FUNC(..., $ROUTEVAR, ...):
            ...
            requests.$FUNC(..., <... $ROUTEVAR ...>, ...)
      - pattern-inside: |
          @$APP.route($ROUTE, ...)
          def $ROUTE_FUNC(..., $ROUTEVAR, ...):
            ...
            $INTERM = <... $ROUTEVAR ...>
            ...
            requests.$FUNC(..., <... $INTERM ...>, ...)
  - pattern: requests.$FUNC(..., <... flask.request.$W.get(...) ...>, ...)
  - pattern: requests.$FUNC(..., <... flask.request.$W[...] ...>, ...)
  - pattern: requests.$FUNC(..., <... flask.request.$W(...) ...>, ...)
  - pattern: requests.$FUNC(..., <... flask.request.$W ...>, ...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W.get(...) ...>
        ...
        requests.$FUNC(<... $INTERM ...>, ...)
    - pattern: requests.$FUNC(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W[...] ...>
        ...
        requests.$FUNC(<... $INTERM ...>, ...)
    - pattern: requests.$FUNC(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W(...) ...>
        ...
        requests.$FUNC(<... $INTERM ...>, ...)
    - pattern: requests.$FUNC(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W ...>
        ...
        requests.$FUNC(<... $INTERM ...>, ...)
    - pattern: requests.$FUNC(...)
  severity: ERROR
- fix-regex:
    count: 1
    regex: '[Hh][Tt][Tt][Pp]://'
    replacement: https://
  id: python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open
  languages:
  - python
  message: Detected an unsecured transmission channel. 'OpenerDirector.open(...)'
    is being used with 'http://'. Use 'https://' instead to secure the channel.
  metadata:
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open
    shortlink: https://sg.run/qxKz
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open
    technology:
    - urllib
  pattern-either:
  - pattern: urllib.request.OpenerDirector(...).open("=~/[Hh][Tt][Tt][Pp]://.*/",
      ...)
  - patterns:
    - pattern-inside: |
        $OPENERDIRECTOR = urllib.request.OpenerDirector(...)
        ...
    - pattern: $OPENERDIRECTOR.open("=~/[Hh][Tt][Tt][Pp]://.*/", ...)
  - patterns:
    - pattern-inside: |
        $OPENERDIRECTOR = urllib.request.OpenerDirector(...)
        ...
    - pattern: |
        $URL = "=~/[Hh][Tt][Tt][Pp]://.*/"
        ...
        $OPENERDIRECTOR.open($URL, ...)
  - pattern: |
      $URL = "=~/[Hh][Tt][Tt][Pp]://.*/"
      ...
      urllib.request.OpenerDirector(...).open($URL, ...)
  - patterns:
    - pattern-inside: |
        def $FUNC(..., $URL = "=~/[Hh][Tt][Tt][Pp]://.*/", ...):
          ...
    - pattern-either:
      - pattern: urllib.request.OpenerDirector(...).open($URL, ...)
      - patterns:
        - pattern-inside: |
            $OPENERDIRECTOR = urllib.request.OpenerDirector(...)
            ...
        - pattern: $OPENERDIRECTOR.open($URL, ...)
  severity: WARNING
- fix-regex:
    regex: '[Hh][Tt][Tt][Pp]://'
    replacement: https://
  id: python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve
  languages:
  - python
  message: Detected 'urllib.urlretrieve()' using 'http://'. This request will not
    be encrypted. Use 'https://' instead.
  metadata:
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/urllib.request.html#urllib.request.urlretrieve
    shortlink: https://sg.run/1Zqw
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve
    technology:
    - urllib
  pattern-either:
  - pattern: urllib.request.urlretrieve("=~/[Hh][Tt][Tt][Pp]://.*/", ...)
  - pattern: |
      $URL = "=~/[Hh][Tt][Tt][Pp]://.*/"
      ...
      urllib.request.urlretrieve($URL, ...)
  - pattern: |
      def $FUNC(..., $URL = "=~/[Hh][Tt][Tt][Pp]://.*/", ...):
        ...
        urllib.request.urlretrieve($URL, ...)
  severity: WARNING
- fix: |
    if django.contrib.auth.password_validation.validate_password($X, user=$MODEL):
        $MODEL.set_password($X)
  id: python.django.security.audit.unvalidated-password.unvalidated-password
  languages:
  - python
  message: The password on '$MODEL' is being set without validating the password.
    Call django.contrib.auth.password_validation.validate_password() with validation
    functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/
    for more information.
  metadata:
    category: security
    cwe: 'CWE-521: Weak Password Requirements'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A2: Broken Authentication'
    references:
    - https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation
    shortlink: https://sg.run/OPBL
    source: https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password
    technology:
    - django
  patterns:
  - pattern-not-inside: |
      if <... django.contrib.auth.password_validation.validate_password(...) ...>:
          ...
  - pattern-not-inside: |
      django.contrib.auth.password_validation.validate_password(...)
      ...
  - pattern-not-inside: |
      try:
        ...
        django.contrib.auth.password_validation.validate_password(...)
        ...
      except $EX:
        ...
      ...
  - pattern-not-inside: |
      try:
        ...
        django.contrib.auth.password_validation.validate_password(...)
        ...
      except $EX as $E:
        ...
      ...
  - pattern-not: UserModel().set_password($X)
  - pattern: $MODEL.set_password($X)
  severity: WARNING
- id: python.lang.maintainability.improper-list-concat.improper-list-concat
  languages:
  - python
  message: 'This expression will evaluate to be ONLY value the of the `else` clause
    if the condition `$EXPRESSION` is false. If you meant to do list concatenation,
    put parentheses around the entire concatenation expression, like this: `[''a'',
    ''b'', ''c''] + ([''d''] if x else [''e''])`. If this is the intended behavior,
    the expression may be confusing to others, and you may wish to add parentheses
    for readability.'
  metadata:
    category: maintainability
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/668w
    source: https://semgrep.dev/r/python.lang.maintainability.improper-list-concat.improper-list-concat
    technology:
    - python
  pattern: '[...] + [...] if $EXPRESSION else [...]'
  severity: INFO
- fix: |
    True
  id: python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled
  languages:
  - python
  message: Detected a Jinja2 environment with autoescaping disabled. This is dangerous
    if you are rendering to a browser because this allows for cross-site scripting
    (XSS) attacks. If you are in a web context, enable autoescaping by setting 'autoescape=True.'
    You may also consider using 'jinja2.select_autoescape()' to only enable automatic
    escaping for certain file extensions.
  metadata:
    category: security
    cwe: 'CWE-116: Improper Encoding or Escaping of Output'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    references:
    - https://jinja.palletsprojects.com/en/2.11.x/api/#basics
    shortlink: https://sg.run/L2L7
    source: https://semgrep.dev/r/python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled
    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b701_jinja2_autoescape_false.html
    technology:
    - jinja2
  patterns:
  - pattern: jinja2.Environment(... , autoescape=$VAL, ...)
  - pattern-not: jinja2.Environment(... , autoescape=True, ...)
  - pattern-not: jinja2.Environment(... , autoescape=jinja2.select_autoescape(...),
      ...)
  - focus-metavariable: $VAL
  severity: WARNING
- fix-regex:
    regex: (.*)\)
    replacement: \1, autoescape=True)
  id: python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled
  languages:
  - python
  message: Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape
    by default. This is dangerous if you are rendering to a browser because this allows
    for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping
    by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()'
    to only enable automatic escaping for certain file extensions.
  metadata:
    category: security
    cwe: 'CWE-116: Improper Encoding or Escaping of Output'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    references:
    - https://jinja.palletsprojects.com/en/2.11.x/api/#basics
    shortlink: https://sg.run/8kY4
    source: https://semgrep.dev/r/python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled
    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b701_jinja2_autoescape_false.html
    technology:
    - jinja2
  patterns:
  - pattern-not: jinja2.Environment(..., autoescape=$VAL, ...)
  - pattern: jinja2.Environment(...)
  severity: WARNING
- id: python.lang.correctness.cannot-cache-generators.cannot-cache-generators
  languages:
  - python
  message: Generators can only be consumed once, so in most cases, caching them will
    cause an error when the already-consumed generator is retrieved from cache.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/gG8y
    source: https://semgrep.dev/r/python.lang.correctness.cannot-cache-generators.cannot-cache-generators
    technology:
    - python
  patterns:
  - pattern-inside: |
      @functools.lru_cache(...)
      def $FUNC(...):
          ...
          yield ...
  - pattern: functools.lru_cache(...)
  severity: WARNING
- id: python.correctness.socket-shutdown-close.socket-shutdown-close
  languages:
  - python
  message: Socket is not closed if shutdown fails. When socket.shutdown fails on an
    OSError, socket.close is not called and the code fails to clean up the socket
    and allow garbage collection to release the memory used for it. The OSError on
    shutdown can occur when the remote side of the connection closes the connection
    first.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    references:
    - https://www.paulsprogrammingnotes.com/2021/12/python-memory-leaks.html
    shortlink: https://sg.run/Bel5
    source: https://semgrep.dev/r/python.correctness.socket-shutdown-close.socket-shutdown-close
    technology:
    - python
  patterns:
  - pattern: |
      $SOCK.shutdown(socket.$A)
      $SOCK.close()
  - pattern-not-inside: |
      try:
          ...
      except ...:
          ...
          $SOCK.close()
  - pattern-not-inside: |
      try:
          ...
      finally:
          ...
          $SOCK.close()
  severity: WARNING
- id: python.lang.maintainability.useless-assign-keyed.useless-assignment-keyed
  languages:
  - python
  message: key `$Y` in `$X` is assigned twice; the first assignment is useless
  metadata:
    category: maintainability
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/zv6G
    source: https://semgrep.dev/r/python.lang.maintainability.useless-assign-keyed.useless-assignment-keyed
    technology:
    - python
  pattern-either:
  - pattern: |
      $X[$Y] = ...
      $X[$Y] = ...
  - pattern: |
      $X[$Y][$Z] = ...
      $X[$Y][$Z] = ...
  severity: WARNING
- id: python.lang.security.audit.dangerous-asyncio-shell.dangerous-asyncio-shell
  languages:
  - python
  message: Detected asyncio subprocess function without a static string. If this data
    can be controlled by a malicious actor, it may be an instance of command injection.
    Audit the use of this call to ensure it is not controllable by an external resource.
    You may consider using 'shlex.escape()'.
  metadata:
    asvs:
      control_id: 5.3.8 OS Command Injection
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.python.org/3/library/asyncio-subprocess.html
    - https://docs.python.org/3/library/shlex.html
    shortlink: https://sg.run/GwWp
    source: https://semgrep.dev/r/python.lang.security.audit.dangerous-asyncio-shell.dangerous-asyncio-shell
    technology:
    - python
  patterns:
  - pattern-either:
    - pattern: $LOOP.subprocess_shell($PROTOCOL, $CMD)
    - pattern: asyncio.subprocess.create_subprocess_shell($CMD, ...)
    - pattern: asyncio.create_subprocess_shell($CMD, ...)
  - pattern-not-inside: |
      $CMD = "..."
      ...
  - pattern-not: $LOOP.subprocess_shell($PROTOCOL, "...")
  - pattern-not: asyncio.subprocess.create_subprocess_shell("...", ...)
  - pattern-not: asyncio.create_subprocess_shell("...", ...)
  severity: ERROR
- id: python.lang.security.audit.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec
  languages:
  - python
  message: Detected 'create_subprocess_exec' function without a static string. If
    this data can be controlled by a malicious actor, it may be an instance of command
    injection. Audit the use of this call to ensure it is not controllable by an external
    resource. You may consider using 'shlex.escape()'.
  metadata:
    asvs:
      control_id: 5.3.8 OS Command Injection
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec
    - https://docs.python.org/3/library/shlex.html
    shortlink: https://sg.run/qqrz
    source: https://semgrep.dev/r/python.lang.security.audit.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec
    technology:
    - python
  pattern-either:
  - patterns:
    - pattern-not: asyncio.create_subprocess_exec($PROG, "...", ...)
    - pattern-not: asyncio.create_subprocess_exec($PROG, ["...",...], ...)
    - pattern: asyncio.create_subprocess_exec(...)
  - patterns:
    - pattern-not: asyncio.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/",
        "-c", "...", ...)
    - pattern: asyncio.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/",
        "-c",...)
  - patterns:
    - pattern-not: asyncio.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/",
        "-c", "...", ...], ...)
    - pattern: asyncio.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/",
        "-c", ...], ...)
  - patterns:
    - pattern-not: asyncio.subprocess.create_subprocess_exec($PROG, "...", ...)
    - pattern-not: asyncio.subprocess.create_subprocess_exec($PROG, ["...",...], ...)
    - pattern: asyncio.subprocess.create_subprocess_exec(...)
  - patterns:
    - pattern-not: asyncio.subprocess.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/",
        "-c", "...", ...)
    - pattern: asyncio.subprocess.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/",
        "-c",...)
  - patterns:
    - pattern-not: asyncio.subprocess.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/",
        "-c", "...", ...], ...)
    - pattern: asyncio.subprocess.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/",
        "-c", ...], ...)
  severity: ERROR
- id: python.lang.security.audit.dangerous-asyncio-exec.dangerous-asyncio-exec
  languages:
  - python
  message: Detected subprocess function '$LOOP.subprocess_exec' without a static string.
    If this data can be controlled by a malicious actor, it may be an instance of
    command injection. Audit the use of this call to ensure it is not controllable
    by an external resource. You may consider using 'shlex.escape()'.
  metadata:
    asvs:
      control_id: 5.3.8 OS Command Injection
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      version: '4'
    category: security
    cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command
      (''OS Command Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec
    - https://docs.python.org/3/library/shlex.html
    shortlink: https://sg.run/lxjy
    source: https://semgrep.dev/r/python.lang.security.audit.dangerous-asyncio-exec.dangerous-asyncio-exec
    technology:
    - python
  pattern-either:
  - patterns:
    - pattern-not: $LOOP.subprocess_exec($PROTOCOL, "...", ...)
    - pattern-not: $LOOP.subprocess_exec($PROTOCOL, ["...",...], ...)
    - pattern: $LOOP.subprocess_exec(...)
  - patterns:
    - pattern-not: $LOOP.subprocess_exec($PROTOCOL, "=~/(sh|bash|ksh|csh|tcsh|zsh)/",
        "-c", "...", ...)
    - pattern: $LOOP.subprocess_exec($PROTOCOL, "=~/(sh|bash|ksh|csh|tcsh|zsh)/",
        "-c",...)
  - patterns:
    - pattern-not: $LOOP.subprocess_exec($PROTOCOL, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/",
        "-c", "...", ...], ...)
    - pattern: $LOOP.subprocess_exec($PROTOCOL, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/",
        "-c", ...], ...)
  severity: ERROR
- id: python.boto3.security.hardcoded-token.hardcoded-token
  languages:
  - python
  message: Hardcoded AWS access token detected. Attackers can possibly freely read
    this value and gain access to the AWS environment. Instead, use environment variables
    to access tokens (e.g., os.environ.get(...)) or use non version-controlled configuration
    files.
  metadata:
    category: security
    cwe: 'CWE-798: Use of Hard-coded Credentials'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A2: Broken Authentication'
    references:
    - https://bento.dev/checks/boto3/hardcoded-access-token/
    - https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/
    shortlink: https://sg.run/LwQ6
    source: https://semgrep.dev/r/python.boto3.security.hardcoded-token.hardcoded-token
    source-rule-url: https://pypi.org/project/flake8-boto3/
    technology:
    - boto3
  pattern-either:
  - patterns:
    - pattern: |
        $W(..., aws_secret_access_key="$ACCESSKEY", ...)
    - metavariable-regex:
        metavariable: $ACCESSKEY
        regex: ^[A-Za-z0-9/+=]+$
    - metavariable-analysis:
        analyzer: entropy
        metavariable: $ACCESSKEY
  - patterns:
    - pattern: |
        $W(..., aws_access_key_id="$KEYID", ...)
    - metavariable-regex:
        metavariable: $KEYID
        regex: ^AKI
    - metavariable-analysis:
        analyzer: entropy
        metavariable: $KEYID
  - patterns:
    - pattern: |
        $W(..., aws_session_token="$TOKEN", ...)
    - metavariable-analysis:
        analyzer: entropy
        metavariable: $TOKEN
  severity: WARNING
- id: python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-blowfish
  languages:
  - python
  message: Detected Blowfish cipher algorithm which is considered insecure. The algorithm
    has many known vulnerabilities. Use AES instead.
  metadata:
    bandit-code: B304
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://sweet32.info/
    shortlink: https://sg.run/Q5QZ
    source: https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-blowfish
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L96
    technology:
    - cryptography
  pattern: cryptography.hazmat.primitives.ciphers.algorithms.Blowfish(...)
  severity: WARNING
- id: python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea
  languages:
  - python
  message: Detected IDEA cipher algorithm which is considered insecure. The algorithm
    is considered weak and has been deprecated. Use AES instead.
  metadata:
    bandit-code: B304
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://tools.ietf.org/html/rfc5469
    shortlink: https://sg.run/3xyK
    source: https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98
    technology:
    - cryptography
  pattern: cryptography.hazmat.primitives.ciphers.algorithms.IDEA(...)
  severity: WARNING
- id: python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb
  languages:
  - python
  message: Detected ECB cipher mode which is considered insecure. The algorithm can
    potentially leak information about the plaintext. Use CBC mode instead.
  metadata:
    bandit-code: B305
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption
    shortlink: https://sg.run/4xr5
    source: https://semgrep.dev/r/python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L101
    technology:
    - cryptography
  pattern: cryptography.hazmat.primitives.ciphers.modes.ECB(...)
  severity: WARNING
- id: python.django.best-practice.json_response.use-json-response
  languages:
  - python
  message: Use JsonResponse instead
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/BkQA
    source: https://semgrep.dev/r/python.django.best-practice.json_response.use-json-response
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $X(...):
        ...
  - pattern: |
      $Y = json.dumps(...)
      ...
      django.http.HttpResponse($Y, ...)
  severity: ERROR
- id: python.django.compatibility.django-2_0-compat.django-compat-2_0-check-aggregate-support
  languages:
  - python
  message: django.db.backends.base.BaseDatabaseOperations.check_aggregate_support()
    is removed in Django 2.0.
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/KlQ5
    source: https://semgrep.dev/r/python.django.compatibility.django-2_0-compat.django-compat-2_0-check-aggregate-support
    technology:
    - django
  pattern: django.db.backends.base.BaseDatabaseOperations.check_aggregate_support(...)
  severity: WARNING
- id: python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true
  languages:
  - python
  message: null=True should be set if blank=True is set on non-text fields.
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/ox40
    source: https://semgrep.dev/r/python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true
    technology:
    - django
  patterns:
  - pattern-inside: |
      class $M(...):
        ...
  - pattern-not: $F = django.db.models.CharField(...)
  - pattern-not: $F = django.db.models.TextField(...)
  - pattern-not: $F = django.db.models.SlugField(...)
  - pattern-not: $F = django.db.models.EmailField(...)
  - pattern-not: $F = django.db.models.FileField(...)
  - pattern-not: $F = django.db.models.ImageField(...)
  - pattern-not: $F = django.db.models.URLField(...)
  - pattern-not: $F = django.db.models.UUIDField(...)
  - pattern-not: $F = django.db.models.ManyToManyField(...)
  - pattern-not: $F = django.db.models.NullBooleanField(...)
  - pattern-not: $F = phonenumber_field.modelfields.PhoneNumberField(...)
  - pattern-not: $F = $X(..., null=True, blank=True, ...)
  - pattern: $F = $X(..., blank=True, ...)
  severity: ERROR
- id: python.django.security.audit.csrf-exempt.no-csrf-exempt
  languages:
  - python
  message: Detected usage of @csrf_exempt, which indicates that there is no CSRF token
    set for this route. This could lead to an attacker manipulating the user's account
    and exfiltration of private data. Instead, create a function without this decorator.
  metadata:
    category: security
    cwe: 'CWE-352: Cross-Site Request Forgery (CSRF)'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    shortlink: https://sg.run/rd5e
    source: https://semgrep.dev/r/python.django.security.audit.csrf-exempt.no-csrf-exempt
    technology:
    - django
  pattern: |
    @django.views.decorators.csrf.csrf_exempt
    def $R(...):
      ...
  severity: WARNING
- id: python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql
  languages:
  - python
  message: Detected a Custom Expression ''$EXPRESSION'' calling ''as_sql(...).'' This
    could lead to SQL injection, which can result in attackers exfiltrating sensitive
    data. Instead, ensure no user input enters this function or that user input is
    properly sanitized.
  metadata:
    category: security
    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
      (''SQL Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.Func.as_sql
    - https://blog.r2c.dev/2020/preventing-sql-injection-a-django-authors-perspective/
    shortlink: https://sg.run/b7bW
    source: https://semgrep.dev/r/python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql
    technology:
    - django
  pattern: $EXPRESSION.as_sql(...)
  severity: WARNING
- fix-regex:
    regex: (autoescape.*?)False
    replacement: \1True
  id: python.django.security.audit.xss.context-autoescape-off.context-autoescape-off
  languages:
  - python
  message: 'Detected a Context with autoescape disabled. If you are rendering any
    web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities.
    Remove ''autoescape: False'' or set it to ''True''.'
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://docs.djangoproject.com/en/3.1/ref/settings/#templates
    - https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates
    shortlink: https://sg.run/nd7Y
    source: https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off
    technology:
    - django
  pattern-either:
  - pattern: '{..., "autoescape": False, ...}'
  - pattern: $D["autoescape"] = False
  severity: WARNING
- id: python.django.security.audit.xss.html-safe.html-safe
  languages:
  - python
  message: '`html_safe()` add the `__html__` magic method to the provided class. The
    `__html__` method indicates to the Django template engine that the value is ''safe''
    for rendering. This means that normal HTML escaping will not be applied to the
    return value. This exposes your application to cross-site scripting (XSS) vulnerabilities.
    If you need to render raw HTML, consider instead using `mark_safe()` which more
    clearly marks the intent to render raw HTML than a class with a magic method.'
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#html_safe
    - https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5
    shortlink: https://sg.run/gLO0
    source: https://semgrep.dev/r/python.django.security.audit.xss.html-safe.html-safe
    technology:
    - django
  pattern-either:
  - pattern: django.utils.html.html_safe(...)
  - pattern: |
      @django.utils.html.html_safe
      class $CLASS(...):
        ...
  severity: WARNING
- id: python.django.security.audit.xss.template-autoescape-off.template-autoescape-off
  languages:
  - regex
  message: Detected a template block where autoescaping is explicitly disabled with
    '{% autoescape off %}'. This allows rendering of raw HTML in this segment. Turn
    autoescaping on to prevent cross-site scripting (XSS). If you must do this, consider
    instead, using `mark_safe` in Python code.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#autoescape
    shortlink: https://sg.run/Q5WZ
    source: https://semgrep.dev/r/python.django.security.audit.xss.template-autoescape-off.template-autoescape-off
    technology:
    - django
  paths:
    include:
    - '*.html'
  pattern-regex: '{%\s+autoescape\s+off\s+%}'
  severity: WARNING
- id: python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape
  languages:
  - generic
  message: Translated strings will not be escaped when rendered in a template. This
    leads to a vulnerability where translators could include malicious script tags
    in their translations. Consider using `force_escape` to explicitly escape a translated
    text.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates
    - https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code
    shortlink: https://sg.run/PJDz
    source: https://semgrep.dev/r/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape
    technology:
    - django
  patterns:
  - pattern-either:
    - pattern: |
        {% translate ... as $TRANS ... %}
        ...
        ...
        ...
        ...
        ...
        ...
        ...
        ...
        ...
        ...
        {{ ... $TRANS ... }}
    - pattern: |
        {% trans ... as $TRANS ... %}
        ...
        ...
        ...
        ...
        ...
        ...
        ...
        ...
        ...
        ...
        {{ ... $TRANS ... }}
  - pattern-not: |
      {% translate ... as $TRANS ... %}
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      {{ ... $TRANS ... | ... force_escape ... }}
  - pattern-not: |
      {% trans ... as $TRANS ... %}
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      {{ ... $TRANS ... | ... force_escape ... }}
  - pattern-not: |
      {% translate ... as $TRANS ... %}
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      {% filter force_escape %}
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      {{ ... $TRANS ... }}
  - pattern-not: |
      {% trans ... as $TRANS ... %}
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      {% filter force_escape %}
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      {{ ... $TRANS ... }}
  severity: INFO
- id: python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape
  languages:
  - generic
  message: Translated strings will not be escaped when rendered in a template. This
    leads to a vulnerability where translators could include malicious script tags
    in their translations. Consider using `force_escape` to explicitly escape a translated
    text.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates
    - https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code
    shortlink: https://sg.run/J9Jy
    source: https://semgrep.dev/r/python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape
    technology:
    - django
  patterns:
  - pattern-either:
    - pattern: |
        {% translate...%}
    - pattern: |
        {% trans...%}
  - pattern-not: |
      {% translate...as...%}
  - pattern-not: |
      {% trans...as...%}
  - pattern-not-inside: |
      {%...filter...force_escape...%}
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      ...
      {%...endfilter...%}
  severity: INFO
- id: python.django.security.audit.xss.var-in-script-tag.var-in-script-tag
  languages:
  - generic
  message: Detected a template variable used in a script tag. Although template variables
    are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS)
    attacks when used directly in JavaScript. If you need this data on the rendered
    page, consider placing it in the HTML portion (outside of a script tag). Alternatively,
    use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For
    Django, you may also consider using the 'json_script' template tag and retrieving
    the data in your script by using the element ID (e.g., `document.getElementById`).
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    references:
    - https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/?utm_campaign=Django%2BNewsletter&utm_medium=rss&utm_source=Django_Newsletter_12A
    - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough
    - https://github.com/ESAPI/owasp-esapi-js
    shortlink: https://sg.run/Ge7q
    source: https://semgrep.dev/r/python.django.security.audit.xss.var-in-script-tag.var-in-script-tag
    technology:
    - django
  paths:
    include:
    - '*.html'
  patterns:
  - pattern-inside: <script ...> ... </script>
  - pattern: '{{ ... }}'
  severity: ERROR
- id: python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution
  languages:
  - python
  message: Found request data as an index to 'globals()'. This is extremely dangerous
    because it allows an attacker to execute arbitrary code on the system. Refactor
    your code not to use 'globals()'.
  metadata:
    category: security
    cwe: 'CWE-96: Improper Neutralization of Directives in Statically Saved Code (''Static
      Code Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186
    shortlink: https://sg.run/Kl55
    source: https://semgrep.dev/r/python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $FUNC(...):
        ...
  - pattern-either:
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = globals().get($DATA, ...)
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = globals().get("..." % $DATA, ...)
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = globals().get(f"...{$DATA}...", ...)
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = globals().get("...".format(..., $DATA, ...), ...)
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = globals()[$DATA]
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = globals()["..." % $DATA]
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = globals()[f"...{$DATA}..."]
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = globals()["...".format(..., $DATA, ...)]
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = globals().get($DATA, ...)
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = globals().get("..." % $DATA, ...)
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = globals().get(f"...{$DATA}...", ...)
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = globals().get("...".format(..., $DATA, ...), ...)
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = globals()[$DATA]
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = globals()["..." % $DATA]
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = globals()[f"...{$DATA}..."]
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = globals()["...".format(..., $DATA, ...)]
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = globals().get($DATA, ...)
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = globals().get("..." % $DATA, ...)
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = globals().get(f"...{$DATA}...", ...)
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = globals().get("...".format(..., $DATA, ...), ...)
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = globals()[$DATA]
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = globals()["..." % $DATA]
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = globals()[f"...{$DATA}..."]
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = globals()["...".format(..., $DATA, ...)]
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = globals().get($DATA, ...)
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = globals().get("..." % $DATA, ...)
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = globals().get(f"...{$DATA}...", ...)
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = globals().get("...".format(..., $DATA, ...), ...)
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = globals()[$DATA]
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = globals()["..." % $DATA]
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = globals()[f"...{$DATA}..."]
        ...
        $INTERM(...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = globals()["...".format(..., $DATA, ...)]
        ...
        $INTERM(...)
  severity: WARNING
- id: python.django.security.injection.code.user-eval.user-eval
  languages:
  - python
  message: Found user data in a call to 'eval'. This is extremely dangerous because
    it can enable an attacker to execute arbitrary remote code on the system. Instead,
    refactor your code to not use 'eval' and instead use a safe library for the specific
    functionality you need.
  metadata:
    category: security
    cwe: 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
      (''Eval Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
    - https://owasp.org/www-community/attacks/Code_Injection
    shortlink: https://sg.run/PJDW
    source: https://semgrep.dev/r/python.django.security.injection.code.user-eval.user-eval
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $F(...):
        ...
  - pattern-either:
    - pattern: eval(..., request.$W.get(...), ...)
    - pattern: |
        $V = request.$W.get(...)
        ...
        eval(..., $V, ...)
    - pattern: eval(..., request.$W(...), ...)
    - pattern: |
        $V = request.$W(...)
        ...
        eval(..., $V, ...)
    - pattern: eval(..., request.$W[...], ...)
    - pattern: |
        $V = request.$W[...]
        ...
        eval(..., $V, ...)
  severity: WARNING
- id: python.django.security.injection.code.user-exec-format-string.user-exec-format-string
  languages:
  - python
  message: Found user data in a call to 'exec'. This is extremely dangerous because
    it can enable an attacker to execute arbitrary remote code on the system. Instead,
    refactor your code to not use 'eval' and instead use a safe library for the specific
    functionality you need.
  metadata:
    category: security
    cwe: 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
      (''Eval Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://owasp.org/www-community/attacks/Code_Injection
    shortlink: https://sg.run/J9JW
    source: https://semgrep.dev/r/python.django.security.injection.code.user-exec-format-string.user-exec-format-string
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $F(...):
        ...
  - pattern-either:
    - pattern: exec(..., $STR % request.$W.get(...), ...)
    - pattern: |
        $V = request.$W.get(...)
        ...
        exec(..., $STR % $V, ...)
    - pattern: |
        $V = request.$W.get(...)
        ...
        $S = $STR % $V
        ...
        exec(..., $S, ...)
    - pattern: exec(..., "..." % request.$W(...), ...)
    - pattern: |
        $V = request.$W(...)
        ...
        exec(..., $STR % $V, ...)
    - pattern: |
        $V = request.$W(...)
        ...
        $S = $STR % $V
        ...
        exec(..., $S, ...)
    - pattern: exec(..., $STR % request.$W[...], ...)
    - pattern: |
        $V = request.$W[...]
        ...
        exec(..., $STR % $V, ...)
    - pattern: |
        $V = request.$W[...]
        ...
        $S = $STR % $V
        ...
        exec(..., $S, ...)
    - pattern: exec(..., $STR.format(..., request.$W.get(...), ...), ...)
    - pattern: |
        $V = request.$W.get(...)
        ...
        exec(..., $STR.format(..., $V, ...), ...)
    - pattern: |
        $V = request.$W.get(...)
        ...
        $S = $STR.format(..., $V, ...)
        ...
        exec(..., $S, ...)
    - pattern: exec(..., $STR.format(..., request.$W(...), ...), ...)
    - pattern: |
        $V = request.$W(...)
        ...
        exec(..., $STR.format(..., $V, ...), ...)
    - pattern: |
        $V = request.$W(...)
        ...
        $S = $STR.format(..., $V, ...)
        ...
        exec(..., $S, ...)
    - pattern: exec(..., $STR.format(..., request.$W[...], ...), ...)
    - pattern: |
        $V = request.$W[...]
        ...
        exec(..., $STR.format(..., $V, ...), ...)
    - pattern: |
        $V = request.$W[...]
        ...
        $S = $STR.format(..., $V, ...)
        ...
        exec(..., $S, ...)
    - pattern: |
        $V = request.$W.get(...)
        ...
        exec(..., f"...{$V}...", ...)
    - pattern: |
        $V = request.$W.get(...)
        ...
        $S = f"...{$V}..."
        ...
        exec(..., $S, ...)
    - pattern: |
        $V = request.$W(...)
        ...
        exec(..., f"...{$V}...", ...)
    - pattern: |
        $V = request.$W(...)
        ...
        $S = f"...{$V}..."
        ...
        exec(..., $S, ...)
    - pattern: |
        $V = request.$W[...]
        ...
        exec(..., f"...{$V}...", ...)
    - pattern: |
        $V = request.$W[...]
        ...
        $S = f"...{$V}..."
        ...
        exec(..., $S, ...)
    - pattern: exec(..., base64.decodestring($S.format(..., request.$W.get(...), ...),
        ...), ...)
    - pattern: exec(..., base64.decodestring($S % request.$W.get(...), ...), ...)
    - pattern: exec(..., base64.decodestring(f"...{request.$W.get(...)}...", ...),
        ...)
    - pattern: exec(..., base64.decodestring(request.$W.get(...), ...), ...)
    - pattern: exec(..., base64.decodestring(bytes($S.format(..., request.$W.get(...),
        ...), ...), ...), ...)
    - pattern: exec(..., base64.decodestring(bytes($S % request.$W.get(...), ...),
        ...), ...)
    - pattern: exec(..., base64.decodestring(bytes(f"...{request.$W.get(...)}...",
        ...), ...), ...)
    - pattern: exec(..., base64.decodestring(bytes(request.$W.get(...), ...), ...),
        ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        exec(..., base64.decodestring($DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = base64.decodestring($DATA, ...)
        ...
        exec(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        exec(..., base64.decodestring(bytes($DATA, ...), ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = base64.decodestring(bytes($DATA, ...), ...)
        ...
        exec(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        exec(..., base64.decodestring($DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = base64.decodestring($DATA, ...)
        ...
        exec(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        exec(..., base64.decodestring(bytes($DATA, ...), ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = base64.decodestring(bytes($DATA, ...), ...)
        ...
        exec(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        exec(..., base64.decodestring($DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = base64.decodestring($DATA, ...)
        ...
        exec(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        exec(..., base64.decodestring(bytes($DATA, ...), ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = base64.decodestring(bytes($DATA, ...), ...)
        ...
        exec(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        exec(..., base64.decodestring($DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = base64.decodestring($DATA, ...)
        ...
        exec(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        exec(..., base64.decodestring(bytes($DATA, ...), ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = base64.decodestring(bytes($DATA, ...), ...)
        ...
        exec(..., $INTERM, ...)
  severity: WARNING
- id: python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message
  languages:
  - python
  message: Found request data in 'send_mail(...)' that uses 'html_message'. This is
    dangerous because HTML emails are susceptible to XSS. An attacker could inject
    data into this HTML email, causing XSS.
  metadata:
    category: security
    cwe: 'CWE-74: Improper Neutralization of Special Elements in Output Used by a
      Downstream Component (''Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://www.damonkohler.com/2008/12/email-injection.html
    shortlink: https://sg.run/Avx8
    source: https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $FUNC(...):
        ...
  - pattern-either:
    - pattern: django.core.mail.send_mail(..., html_message=request.$W.get(...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.core.mail.send_mail(..., html_message=$DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $DATA
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.core.mail.send_mail(..., html_message=$STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.core.mail.send_mail(..., html_message=$STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % $DATA
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.core.mail.send_mail(..., html_message=f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        django.core.mail.send_mail(..., html_message=$STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR + $DATA
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: $A = django.core.mail.send_mail(..., html_message=request.$W.get(...),
        ...)
    - pattern: return django.core.mail.send_mail(..., html_message=request.$W.get(...),
        ...)
    - pattern: django.core.mail.send_mail(..., html_message=request.$W(...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.core.mail.send_mail(..., html_message=$DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $DATA
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.core.mail.send_mail(..., html_message=$STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.core.mail.send_mail(..., html_message=$STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % $DATA
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.core.mail.send_mail(..., html_message=f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        django.core.mail.send_mail(..., html_message=$STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR + $DATA
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: $A = django.core.mail.send_mail(..., html_message=request.$W(...),
        ...)
    - pattern: return django.core.mail.send_mail(..., html_message=request.$W(...),
        ...)
    - pattern: django.core.mail.send_mail(..., html_message=request.$W[...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.core.mail.send_mail(..., html_message=$DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $DATA
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.core.mail.send_mail(..., html_message=$STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.core.mail.send_mail(..., html_message=$STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % $DATA
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.core.mail.send_mail(..., html_message=f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        django.core.mail.send_mail(..., html_message=$STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR + $DATA
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: $A = django.core.mail.send_mail(..., html_message=request.$W[...],
        ...)
    - pattern: return django.core.mail.send_mail(..., html_message=request.$W[...],
        ...)
    - pattern: django.core.mail.send_mail(..., html_message=request.$W, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.core.mail.send_mail(..., html_message=$DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $DATA
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.core.mail.send_mail(..., html_message=$STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.core.mail.send_mail(..., html_message=$STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % $DATA
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.core.mail.send_mail(..., html_message=f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = f"...{$DATA}..."
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        django.core.mail.send_mail(..., html_message=$STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR + $DATA
        ...
        django.core.mail.send_mail(..., html_message=$INTERM, ...)
    - pattern: $A = django.core.mail.send_mail(..., html_message=request.$W, ...)
    - pattern: return django.core.mail.send_mail(..., html_message=request.$W, ...)
  severity: WARNING
- id: python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib
  languages:
  - python
  message: Data from request object is passed to a new server-side request. This could
    lead to a server-side request forgery (SSRF), which could result in attackers
    gaining access to private organization data. To mitigate, ensure that schemes
    and hosts are validated against an allowlist, do not forward the response to the
    user, and ensure proper authentication and transport-layer security in the proxied
    request.
  metadata:
    category: security
    cwe: 'CWE-918: Server-Side Request Forgery (SSRF)'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
    shortlink: https://sg.run/6n2B
    source: https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib
    technology:
    - django
  patterns:
  - pattern-inside: |
      def $FUNC(...):
        ...
  - pattern-either:
    - pattern: urllib.request.urlopen(..., $S.format(..., request.$W.get(...), ...),
        ...)
    - pattern: urllib.request.urlopen(..., $S % request.$W.get(...), ...)
    - pattern: urllib.request.urlopen(..., f"...{request.$W.get(...)}...", ...)
    - pattern: urllib.request.urlopen(..., request.$W.get(...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        urllib.request.urlopen(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $DATA
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        urllib.request.urlopen(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        urllib.request.urlopen(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR % $DATA
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        urllib.request.urlopen(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        urllib.request.urlopen(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W.get(...)
        ...
        $INTERM = $STR + $DATA
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: $A = urllib.request.urlopen(..., request.$W.get(...), ...)
    - pattern: return urllib.request.urlopen(..., request.$W.get(...), ...)
    - pattern: urllib.request.urlopen(..., $S.format(..., request.$W(...), ...), ...)
    - pattern: urllib.request.urlopen(..., $S % request.$W(...), ...)
    - pattern: urllib.request.urlopen(..., f"...{request.$W(...)}...", ...)
    - pattern: urllib.request.urlopen(..., request.$W(...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        urllib.request.urlopen(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $DATA
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        urllib.request.urlopen(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        urllib.request.urlopen(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR % $DATA
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        urllib.request.urlopen(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = f"...{$DATA}..."
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        urllib.request.urlopen(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W(...)
        ...
        $INTERM = $STR + $DATA
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: $A = urllib.request.urlopen(..., request.$W(...), ...)
    - pattern: return urllib.request.urlopen(..., request.$W(...), ...)
    - pattern: urllib.request.urlopen(..., $S.format(..., request.$W[...], ...), ...)
    - pattern: urllib.request.urlopen(..., $S % request.$W[...], ...)
    - pattern: urllib.request.urlopen(..., f"...{request.$W[...]}...", ...)
    - pattern: urllib.request.urlopen(..., request.$W[...], ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        urllib.request.urlopen(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $DATA
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        urllib.request.urlopen(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        urllib.request.urlopen(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR % $DATA
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        urllib.request.urlopen(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = f"...{$DATA}..."
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        urllib.request.urlopen(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W[...]
        ...
        $INTERM = $STR + $DATA
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: $A = urllib.request.urlopen(..., request.$W[...], ...)
    - pattern: return urllib.request.urlopen(..., request.$W[...], ...)
    - pattern: urllib.request.urlopen(..., $S.format(..., request.$W, ...), ...)
    - pattern: urllib.request.urlopen(..., $S % request.$W, ...)
    - pattern: urllib.request.urlopen(..., f"...{request.$W}...", ...)
    - pattern: urllib.request.urlopen(..., request.$W, ...)
    - pattern: |
        $DATA = request.$W
        ...
        urllib.request.urlopen(..., $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $DATA
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        urllib.request.urlopen(..., $STR.format(..., $DATA, ...), ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR.format(..., $DATA, ...)
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        urllib.request.urlopen(..., $STR % $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR % $DATA
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        urllib.request.urlopen(..., f"...{$DATA}...", ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = f"...{$DATA}..."
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: |
        $DATA = request.$W
        ...
        urllib.request.urlopen(..., $STR + $DATA, ...)
    - pattern: |
        $DATA = request.$W
        ...
        $INTERM = $STR + $DATA
        ...
        urllib.request.urlopen(..., $INTERM, ...)
    - pattern: $A = urllib.request.urlopen(..., request.$W, ...)
    - pattern: return urllib.request.urlopen(..., request.$W, ...)
  severity: ERROR
- fix-regex:
    count: 1
    regex: (json\.){0,1}dumps
    replacement: flask.jsonify
  id: python.flask.best-practice.use-jsonify.use-jsonify
  languages:
  - python
  message: flask.jsonify() is a Flask helper method which handles the correct settings
    for returning JSON from Flask routes
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/XBlb
    source: https://semgrep.dev/r/python.flask.best-practice.use-jsonify.use-jsonify
    technology:
    - flask
  patterns:
  - pattern-inside: |
      @app.route(...)
      def $X():
        ...
  - pattern-either:
    - pattern: return json.dumps(...)
    - pattern: |
        $DATA = json.dumps(...)
        ...
        return <... $DATA ...>
  severity: ERROR
- id: python.flask.caching.query-string.flask-cache-query-string
  languages:
  - python
  message: Flask-caching doesn't cache query strings by default. You have to use `query_string=True`.
    Also you shouldn't cache verbs that can mutate state.
  metadata:
    category: caching
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/jROJ
    source: https://semgrep.dev/r/python.flask.caching.query-string.flask-cache-query-string
    technology:
    - flask
  patterns:
  - pattern-either:
    - pattern: |
        @app.route("...")
        @cache.cached(...)
        def $HANDLER(...):
          ...
          request.args.get(...)
    - pattern: |
        @app.route("...", methods=[..., "POST", ...])
        @cache.cached(...)
        def $HANDLER(...):
          ...
    - pattern: |
        @app.route("...", methods=[..., "PUT", ...])
        @cache.cached(...)
        def $HANDLER(...):
          ...
    - pattern: |
        @app.route("...", methods=[..., "DELETE", ...])
        @cache.cached(...)
        def $HANDLER(...):
          ...
    - pattern: |
        @app.route("...", methods=[..., "PATCH", ...])
        @cache.cached(...)
        def $HANDLER(...):
          ...
  - pattern-not: |
      @app.route("...")
      @cache.cached(..., query_string=True)
      def $HANDLER(...):
        ...
        request.args.get(...)
  severity: WARNING
- id: python.flask.security.dangerous-template-string.dangerous-template-string
  languages:
  - python
  message: Found a template created with string formatting. This is susceptible to
    server-side template injection and cross-site scripting attacks.
  metadata:
    category: security
    cwe: 'CWE-96: Improper Neutralization of Directives in Statically Saved Code (''Static
      Code Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html
    - https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti
    shortlink: https://sg.run/b79E
    source: https://semgrep.dev/r/python.flask.security.dangerous-template-string.dangerous-template-string
    technology:
    - flask
  pattern-either:
  - pattern: |
      $V = "...".format(...)
      ...
      flask.render_template_string($V, ...)
  - pattern: |
      $V = "...".format(...)
      ...
      return flask.render_template_string($V, ...), $MORE
  - pattern: |
      $V = "..." % $S
      ...
      flask.render_template_string($V, ...)
  - pattern: |
      $V = "..." % $S
      ...
      return flask.render_template_string($V, ...), $MORE
  - pattern: |
      $V = "..."
      ...
      $V += $O
      ...
      flask.render_template_string($V, ...)
  - pattern: |
      $V = "..."
      ...
      $V += $O
      ...
      return flask.render_template_string($V, ...), $MORE
  - pattern: |
      $V = f"...{$X}..."
      ...
      flask.render_template_string($V, ...)
  - pattern: |
      $V = f"...{$X}..."
      ...
      return flask.render_template_string($V, ...), $CODE
  severity: ERROR
- id: python.flask.security.audit.debug-enabled.debug-enabled
  languages:
  - python
  message: Detected Flask app with debug=True. Do not deploy to production with this
    flag enabled as it will leak sensitive information. Instead, consider using Flask
    configuration variables or setting 'debug' using system environment variables.
  metadata:
    category: security
    cwe: 'CWE-489: Active Debug Code'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    references:
    - https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/
    shortlink: https://sg.run/dKrd
    source: https://semgrep.dev/r/python.flask.security.audit.debug-enabled.debug-enabled
    technology:
    - flask
  patterns:
  - pattern-inside: |
      import flask
      ...
  - pattern: $APP.run(..., debug=True, ...)
  severity: WARNING
- id: python.flask.security.audit.directly-returned-format-string.directly-returned-format-string
  languages:
  - python
  message: Detected Flask route directly returning a formatted string. This is subject
    to cross-site scripting if user input can reach the string. Consider using the
    template engine instead and rendering pages with 'render_template()'.
  metadata:
    category: security
    cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
      Scripting'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A7: Cross-Site Scripting (XSS)'
    shortlink: https://sg.run/Zv6o
    source: https://semgrep.dev/r/python.flask.security.audit.directly-returned-format-string.directly-returned-format-string
    technology:
    - flask
  mode: taint
  pattern-sinks:
  - patterns:
    - pattern-not-inside: return "..."
    - pattern-either:
      - pattern: return "...".format(...)
      - pattern: return "..." % ...
      - pattern: return "..." + ...
      - pattern: return ... + "..."
      - pattern: return f"...{...}..."
      - patterns:
        - pattern: return $X
        - pattern-either:
          - pattern-inside: |
              $X = "...".format(...)
              ...
          - pattern-inside: |
              $X = "..." % ...
              ...
          - pattern-inside: |
              $X = "..." + ...
              ...
          - pattern-inside: |
              $X = ... + "..."
              ...
          - pattern-inside: |
              $X = f"...{...}..."
              ...
        - pattern-not-inside: |
            $X = "..."
            ...
  pattern-sources:
  - pattern-either:
    - patterns:
      - pattern-inside: |
          @$APP.route(...)
          def $FUNC(..., $PARAM, ...):
            ...
      - pattern: $PARAM
    - pattern: |
        request.$FUNC.get(...)
    - pattern: |
        request.$FUNC(...)
    - pattern: request.$FUNC[...]
  severity: WARNING
- id: python.lang.best-practice.hardcoded-tmp-path.hardcoded-tmp-path
  languages:
  - python
  message: Detected hardcoded temp directory. Consider using 'tempfile.TemporaryFile'
    instead.
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    references:
    - https://docs.python.org/3/library/tempfile.html#tempfile.TemporaryFile
    shortlink: https://sg.run/zv0W
    source: https://semgrep.dev/r/python.lang.best-practice.hardcoded-tmp-path.hardcoded-tmp-path
    technology:
    - python
  pattern: open("=~/^\/tmp.*/", ...)
  severity: WARNING
- id: python.lang.best-practice.manual-collections-create.manual-defaultdict-dict-create
  languages:
  - python
  message: manually creating a defaultdict - use collections.defaultdict(dict)
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/px4L
    source: https://semgrep.dev/r/python.lang.best-practice.manual-collections-create.manual-defaultdict-dict-create
    technology:
    - python
  pattern-either:
  - pattern: |
      $DICT = {}
      ...
      for $KEY, $VALUE in $OTHERDICT.items():
          ...
          if $KEY not in $DICT:
              ...
              $DICT[$KEY] = {}
              ...
          $DICT[$KEY].update(...)
  - pattern: |
      $DICT = {}
      ...
      for $KEY, $VALUE in $OTHERDICT.items():
          ...
          $DICT.setdefault($KEY, {}).update(...)
  severity: WARNING
- id: python.lang.best-practice.manual-collections-create.manual-counter-create
  languages:
  - python
  message: manually creating a counter - use collections.Counter
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/jRZJ
    source: https://semgrep.dev/r/python.lang.best-practice.manual-collections-create.manual-counter-create
    technology:
    - python
  pattern: |
    $DICT = {}
    ...
    for $KEY, $VALUE in $OTHERDICT.items():
        ...
        if $KEY not in $DICT:
            ...
            $DICT[$KEY] = 0
            ...
        $DICT[$KEY] += 1
  severity: WARNING
- id: python.lang.best-practice.pdb.python-debugger-found
  languages:
  - python
  message: Importing the python debugger; did you mean to leave this in?
  metadata:
    category: best-practice
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/b7NE
    source: https://semgrep.dev/r/python.lang.best-practice.pdb.python-debugger-found
    technology:
    - python
  pattern-either:
  - pattern: import pdb
  - pattern: pdb.set_trace()
  severity: WARNING
- id: python.lang.compatibility.python37.python37-compatibility-os2-ok2
  languages:
  - python
  message: os.pwritev() is only available on Python 3.3+ and is therefore not backwards
    compatible. Instead, use a combination of pwrite() and writev().
  metadata:
    category: compatibility
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/5Q9X
    source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os2-ok2
    technology:
    - python
  patterns:
  - pattern-not-inside: |
      if hasattr(os, 'pwritev'):
          ...
  - pattern: os.pwritev(...)
  severity: ERROR
- id: python.lang.correctness.return-in-init.yield-in-init
  languages:
  - python
  message: '`yield` should never appear inside a class __init__ function. This will
    cause a runtime error.'
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/PJ6Y
    source: https://semgrep.dev/r/python.lang.correctness.return-in-init.yield-in-init
    technology:
    - python
  patterns:
  - pattern-inside: |
      class $A(...):
          ...
  - pattern-inside: |
      def __init__(...):
          ...
  - pattern-not-inside: |
      def __init__(...):
          ...
          def $F(...):
              ...
  - pattern-either:
    - pattern: yield ...
    - pattern: yield
  severity: ERROR
- id: python.lang.correctness.common-mistakes.default-mutable-dict.default-mutable-dict
  languages:
  - python
  message: 'Function $F mutates default dict $D. Python only instantiates default
    function arguments once and shares the instance across the function calls. If
    the default function argument is mutated, that will modify the instance used by
    all future function calls. This can cause unexpected results, or lead to security
    vulnerabilities whereby one function consumer can view or modify the data of another
    function consumer. Instead, use a default argument (like None) to indicate that
    no argument was provided and instantiate a new dictionary at that time. For example:
    `if $D is None: $D = {}`.'
  metadata:
    category: correctness
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/Av4p
    source: https://semgrep.dev/r/python.lang.correctness.common-mistakes.default-mutable-dict.default-mutable-dict
    technology:
    - python
  pattern-either:
  - patterns:
    - pattern: |
        def $F(..., $D={}, ...):
          ...
          $D[...] = ...
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = {}
          ...
          $D[...] = ...
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = dict(...)
          ...
          $D[...] = ...
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = $D.copy()
          ...
          $D[...] = ...
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = copy.deepcopy($D)
          ...
          $D[...] = ...
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = copy.copy($D)
          ...
          $D[...] = ...
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = dict.copy($D)
          ...
          $D[...] = ...
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = {... for ... in ...}
          ...
          $D[...] = ...
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = $D or {}
          ...
          $D[...] = ...
    - pattern-not-inside: |
        def $A(...):
          ...
          def $F(..., $D={}, ...):
            ...
            $D[...] = ...
  - patterns:
    - pattern: |
        def $F(..., $D={}, ...):
          ...
          $D.update(...)
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = {}
          ...
          $D.update(...)
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = dict(...)
          ...
          $D.update(...)
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = $D.copy()
          ...
          $D.update(...)
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = copy.deepcopy($D)
          ...
          $D.update(...)
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = copy.copy($D)
          ...
          $D.update(...)
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = dict.copy($D)
          ...
          $D.update(...)
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = {... for ... in ...}
          ...
          $D.update(...)
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = $D or {}
          ...
          $D.update(...)
    - pattern-not-inside: |
        def $A(...):
          ...
          def $F(..., $D={}, ...):
            ...
            $D.update(...)
  - patterns:
    - pattern: |
        def $F(..., $D={}, ...):
          ...
          $D.setdefault(...)
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = {}
          ...
          $D.setdefault(...)
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = dict(...)
          ...
          $D.setdefault(...)
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = $D.copy()
          ...
          $D.setdefault(...)
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = copy.deepcopy($D)
          ...
          $D.setdefault(...)
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = copy.copy($D)
          ...
          $D.setdefault(...)
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = dict.copy($D)
          ...
          $D.setdefault(...)
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = {... for ... in ...}
          ...
          $D.setdefault(...)
    - pattern-not: |
        def $F(..., $D={}, ...):
          ...
          $D = $D or {}
          ...
          $D.setdefault(...)
    - pattern-not-inside: |
        def $A(...):
          ...
          def $F(..., $D={}, ...):
            ...
            $D.setdefault(...)
  severity: ERROR
- id: python.lang.security.audit.conn_recv.multiprocessing-recv
  languages:
  - python
  message: 'The Connection.recv() method automatically unpickles the data it receives,
    which can be a security risk unless you can trust the process which sent the message.
    Therefore, unless the connection object was produced using Pipe() you should only
    use the recv() and send() methods after performing some sort of authentication.
    See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection'
  metadata:
    category: security
    cwe: 'CWE-502: Deserialization of Untrusted Data'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A8: Insecure Deserialization'
    references:
    - https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection
    shortlink: https://sg.run/x1lz
    source: https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv
    technology:
    - python
  pattern-either:
  - pattern: multiprocessing.connection.Connection.recv(...)
  - pattern: multiprocessing.connection.Client.recv(...)
  - pattern: |
      $C = multiprocessing.connection.Client(...)
      ...
      $C.recv(...)
  severity: WARNING
- fix-regex:
    regex: _create_unverified_context
    replacement: create_default_context
  id: python.lang.security.unverified-ssl-context.unverified-ssl-context
  languages:
  - python
  message: Unverified SSL context detected. This will permit insecure connections
    without verifying SSL certificates. Use 'ssl.create_default_context()' instead.
  metadata:
    category: security
    cwe: 'CWE-295: Improper Certificate Validation'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    references:
    - https://docs.python.org/3/library/ssl.html#ssl-security
    - https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection
    shortlink: https://sg.run/N4lp
    source: https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context
    technology:
    - python
  pattern: ssl._create_unverified_context(...)
  severity: ERROR
- id: python.lang.security.audit.ftplib.ftplib
  languages:
  - python
  message: FTP does not encrypt communications by default. This can lead to sensitive
    data being exposed. Ensure use of FTP here does not expose sensitive data.
  metadata:
    bandit-code: B321
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/telnetlib.html
    shortlink: https://sg.run/7oyZ
    source: https://semgrep.dev/r/python.lang.security.audit.ftplib.ftplib
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L265
    technology:
    - ftplib
  pattern: ftplib.$ANYTHING(...)
  severity: WARNING
- id: python.lang.security.audit.telnetlib.telnetlib
  languages:
  - python
  message: Telnet does not encrypt communications. Use SSH instead.
  metadata:
    bandit-code: B312
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/telnetlib.html
    shortlink: https://sg.run/Gelp
    source: https://semgrep.dev/r/python.lang.security.audit.telnetlib.telnetlib
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L208
    technology:
    - python
  pattern: telnetlib.$ANYTHING(...)
  severity: WARNING
- fix-regex:
    count: 1
    regex: '[Hh][Tt][Tt][Pp]://'
    replacement: https://
  id: python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http
  languages:
  - python
  message: Detected a request using 'http://'. This request will be unencrypted. Use
    'https://' instead.
  metadata:
    asvs:
      control_id: 9.1.1 Weak TLS
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements
      section: V9 Communications Verification Requirements
      version: '4'
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    shortlink: https://sg.run/W8J4
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http
    technology:
    - requests
  pattern-either:
  - pattern: requests.$W("=~/[Hh][Tt][Tt][Pp]:\/\/.*/", ...)
  - pattern: |
      $URL = "=~/[Hh][Tt][Tt][Pp]:\/\/.*/"
      ...
      requests.$W($URL, ...)
  - pattern: |
      def $FUNC(..., $URL = "=~/^[Hh][Tt][Tt][Pp]://.*/", ...):
        ...
        requests.$W($URL, ...)
  - pattern: requests.request($METHOD, "=~/[Hh][Tt][Tt][Pp]:\/\/.*/", ...)
  - pattern: |
      $URL = "=~/[Hh][Tt][Tt][Pp]:\/\/.*/"
      ...
      requests.request($METHOD, $URL, ...)
  - pattern: |
      def $FUNC(..., $URL = "=~/^[Hh][Tt][Tt][Pp]://.*/", ...):
        ...
        requests.request($METHOD, $URL, ...)
  - pattern: requests.Request($METHOD, "=~/[Hh][Tt][Tt][Pp]:\/\/.*/", ...)
  - pattern: |
      $URL = "=~/[Hh][Tt][Tt][Pp]:\/\/.*/"
      ...
      requests.Request($METHOD, $URL, ...)
  - pattern: |
      def $FUNC(..., $URL = "=~/^[Hh][Tt][Tt][Pp]://.*/", ...):
        ...
        requests.Request($METHOD, $URL, ...)
  severity: ERROR
- id: python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp
  languages:
  - python
  message: Detected 'urllib.urlopen()' using 'ftp://'. This request will not be encrypted.
    Consider using SFTP instead. urllib does not support SFTP, so consider switching
    to a library which supports SFTP.
  metadata:
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen
    shortlink: https://sg.run/6n1o
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp
    technology:
    - urllib
  pattern-either:
  - pattern: urllib.request.urlopen("=~/^[Ff][Tt][Pp]://.*/", ...)
  - pattern: |
      $URL = "=~/^[Ff][Tt][Pp]://.*/"
      ...
      urllib.request.urlopen($URL, ...)
  - pattern: |-
      def $FUNC(..., $URL = "=~/^[Ff][Tt][Pp]://.*/", ...):
        ...
        urllib.request.urlopen($URL, ...)
  severity: WARNING
- id: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp
  languages:
  - python
  message: Detected an insecure transmission channel. 'URLopener.retrieve(...)' is
    being used with 'ftp://'. Use SFTP instead. urllib does not support SFTP, so consider
    using a library which supports SFTP.
  metadata:
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve
    shortlink: https://sg.run/2xY0
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp
    technology:
    - urllib
  pattern-either:
  - pattern: urllib.request.URLopener(...).retrieve("=~/[Ff][Tt][Pp]://.*/", ...)
  - patterns:
    - pattern-inside: |
        $OPENERDIRECTOR = urllib.request.URLopener(...)
        ...
    - pattern: $OPENERDIRECTOR.retrieve("=~/[Ff][Tt][Pp]://.*/", ...)
  - patterns:
    - pattern-inside: |
        $OPENERDIRECTOR = urllib.request.URLopener(...)
        ...
    - pattern: |
        $URL = "=~/[Ff][Tt][Pp]://.*/"
        ...
        $OPENERDIRECTOR.retrieve($URL, ...)
  - pattern: |
      $URL = "=~/[Ff][Tt][Pp]://.*/"
      ...
      urllib.request.URLopener(...).retrieve($URL, ...)
  - patterns:
    - pattern-inside: |
        def $FUNC(..., $URL = "=~/[Ff][Tt][Pp]://.*/", ...):
          ...
    - pattern-either:
      - pattern: urllib.request.URLopener(...).retrieve($URL, ...)
      - patterns:
        - pattern-inside: |
            $OPENERDIRECTOR = urllib.request.URLopener(...)
            ...
        - pattern: $OPENERDIRECTOR.retrieve($URL, ...)
  severity: WARNING
- fix-regex:
    count: 1
    regex: '[Hh][Tt][Tt][Pp]://'
    replacement: https://
  id: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve
  languages:
  - python
  message: Detected an unsecured transmission channel. 'URLopener.retrieve(...)' is
    being used with 'http://'. Use 'https://' instead to secure the channel.
  metadata:
    category: security
    cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve
    shortlink: https://sg.run/XBGK
    source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve
    technology:
    - urllib
  pattern-either:
  - pattern: urllib.request.URLopener(...).retrieve("=~/[Hh][Tt][Tt][Pp]://.*/", ...)
  - patterns:
    - pattern-inside: |
        $OPENERDIRECTOR = urllib.request.URLopener(...)
        ...
    - pattern: $OPENERDIRECTOR.retrieve("=~/[Hh][Tt][Tt][Pp]://.*/", ...)
  - patterns:
    - pattern-inside: |
        $OPENERDIRECTOR = urllib.request.URLopener(...)
        ...
    - pattern: |
        $URL = "=~/[Hh][Tt][Tt][Pp]://.*/"
        ...
        $OPENERDIRECTOR.retrieve($URL, ...)
  - pattern: |
      $URL = "=~/[Hh][Tt][Tt][Pp]://.*/"
      ...
      urllib.request.URLopener(...).retrieve($URL, ...)
  - patterns:
    - pattern-inside: |
        def $FUNC(..., $URL = "=~/[Hh][Tt][Tt][Pp]://.*/", ...):
          ...
    - pattern-either:
      - pattern: urllib.request.URLopener(...).retrieve($URL, ...)
      - patterns:
        - pattern-inside: |
            $OPENERDIRECTOR = urllib.request.URLopener(...)
            ...
        - pattern: $OPENERDIRECTOR.retrieve($URL, ...)
  severity: WARNING
- id: python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces
  languages:
  - python
  message: Running `socket.bind` to 0.0.0.0, ::, or empty string could unexpectedly
    expose the server publicly as it binds to all available interfaces. Consider instead
    getting correct address from an environment variable or configuration file.
  metadata:
    category: security
    cwe: 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A6: Security Misconfiguration'
    shortlink: https://sg.run/rdln
    source: https://semgrep.dev/r/python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces
    technology:
    - python
  pattern-either:
  - pattern: |
      $S = socket.socket(...)
      ...
      $S.bind(("0.0.0.0", ...))
  - pattern: |
      $S = socket.socket(...)
      ...
      $S.bind(("::", ...))
  - pattern: |
      $S = socket.socket(...)
      ...
      $S.bind(("", ...))
  severity: INFO
- id: python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure
  languages:
  - python
  message: Logger call may be exposing a secret credential in $FORMAT_STRING
  metadata:
    category: security
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/ydNx
    source: https://semgrep.dev/r/python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure
    technology:
    - python
  patterns:
  - pattern: |
      $LOGGER_OBJ.$LOGGER_CALL($FORMAT_STRING,...)
  - metavariable-regex:
      metavariable: $LOGGER_OBJ
      regex: (?i)(_logger|logger|self.logger|log)
  - metavariable-regex:
      metavariable: $LOGGER_CALL
      regex: (debug|info|warn|warning|error|exception|critical)
  - metavariable-regex:
      metavariable: $FORMAT_STRING
      regex: (?i).*(api.key|secret|credential|token|password).*\%s.*
  severity: WARNING
- id: python.lang.security.deserialization.pickle.avoid-pickle
  languages:
  - python
  message: Avoid using `pickle`, which is known to lead to code execution vulnerabilities.
    When unpickling, the serialized data could be manipulated to run arbitrary code.
    Instead, consider serializing the relevant data as JSON or a similar text-based
    serialization format.
  metadata:
    category: security
    cwe: 'CWE-502: Deserialization of Untrusted Data'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A8: Insecure Deserialization'
    references:
    - https://docs.python.org/3/library/pickle.html
    - https://davidhamann.de/2020/04/05/exploiting-python-pickle/
    shortlink: https://sg.run/OPwB
    source: https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-pickle
    technology:
    - python
  pattern-either:
  - pattern: pickle.$FUNC(...)
  - pattern: _pickle.$FUNC(...)
  severity: WARNING
- id: python.lang.security.deserialization.pickle.avoid-cPickle
  languages:
  - python
  message: Avoid using `cPickle`, which is known to lead to code execution vulnerabilities.
    When unpickling, the serialized data could be manipulated to run arbitrary code.
    Instead, consider serializing the relevant data as JSON or a similar text-based
    serialization format.
  metadata:
    category: security
    cwe: 'CWE-502: Deserialization of Untrusted Data'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A8: Insecure Deserialization'
    references:
    - https://docs.python.org/3/library/pickle.html
    shortlink: https://sg.run/eLxb
    source: https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle
    technology:
    - python
  pattern: cPickle.$FUNC(...)
  severity: WARNING
- id: python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor
  languages:
  - python
  message: Detected XOR cipher algorithm which is considered insecure. This algorithm
    is not cryptographically secure and can be reversed easily. Use AES instead.
  metadata:
    bandit-code: B304
    category: security
    cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption
    shortlink: https://sg.run/L0yr
    source: https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84
    technology:
    - pycryptodome
  pattern-either:
  - pattern: Cryptodome.Cipher.XOR.new(...)
  - pattern: Crypto.Cipher.XOR.new(...)
  severity: WARNING
- id: python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size
  languages:
  - python
  message: Detected an insufficient key size for DSA. NIST recommends a key size of
    2048 or higher.
  metadata:
    category: security
    cwe: 'CWE-326: Inadequate Encryption Strength'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
    shortlink: https://sg.run/4y8l
    source: https://semgrep.dev/r/python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size
    source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
    technology:
    - pycryptodome
  patterns:
  - pattern-either:
    - pattern: Crypto.PublicKey.DSA.generate(..., bits=$SIZE, ...)
    - pattern: Crypto.PublicKey.DSA.generate($SIZE, ...)
    - pattern: Cryptodome.PublicKey.DSA.generate(..., bits=$SIZE, ...)
    - pattern: Cryptodome.PublicKey.DSA.generate($SIZE, ...)
  - metavariable-comparison:
      comparison: $SIZE < 2048
      metavariable: $SIZE
  severity: WARNING
- id: python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size
  languages:
  - python
  message: Detected an insufficient key size for RSA. NIST recommends a key size of
    2048 or higher.
  metadata:
    category: security
    cwe: 'CWE-326: Inadequate Encryption Strength'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A3: Sensitive Data Exposure'
    references:
    - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
    shortlink: https://sg.run/PprY
    source: https://semgrep.dev/r/python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size
    source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
    technology:
    - pycryptodome
  patterns:
  - pattern-either:
    - pattern: Crypto.PublicKey.RSA.generate(..., bits=$SIZE, ...)
    - pattern: Crypto.PublicKey.RSA.generate($SIZE, ...)
    - pattern: Cryptodome.PublicKey.RSA.generate(..., bits=$SIZE, ...)
    - pattern: Cryptodome.PublicKey.RSA.generate($SIZE, ...)
  - metavariable-comparison:
      comparison: $SIZE < 2048
      metavariable: $SIZE
  severity: WARNING
- fix-regex:
    regex: MONGODB-CR
    replacement: SCRAM-SHA-256
  id: python.security.mongodb.mongo-client-bad-auth
  languages:
  - python
  message: |
    Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).
  metadata:
    category: security
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/DJjY
    source: https://semgrep.dev/r/python.security.mongodb.mongo-client-bad-auth
  pattern: |
    pymongo.MongoClient(..., authMechanism='MONGODB-CR')
  severity: WARNING
- id: python.lang.security.dangerous-globals-use.dangerous-globals-use
  languages:
  - python
  message: Found non static data as an index to 'globals()'. This is extremely dangerous
    because it allows an attacker to execute arbitrary code on the system. Refactor
    your code not to use 'globals()'.
  metadata:
    category: security
    cwe: 'CWE-96: Improper Neutralization of Directives in Statically Saved Code (''Static
      Code Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186
    shortlink: https://sg.run/jNzn
    source: https://semgrep.dev/r/python.lang.security.dangerous-globals-use.dangerous-globals-use
    technology:
    - python
  patterns:
  - pattern-either:
    - pattern: globals().get(...)
    - pattern: locals().get(...)
    - pattern: globals()[...]
    - pattern: locals()[...]
    - patterns:
      - pattern-either:
        - pattern-inside: |
            $G = globals()
            ...
        - pattern-inside: |
            $G = locals()
            ...
      - pattern-either:
        - pattern: $G.get(...)
        - pattern: $G[...]
    - pattern: $FUNC.__globals__[...]
  - pattern-not: globals().get("...")
  - pattern-not: locals().get("...")
  - pattern-not: globals()["..."]
  - pattern-not: locals()["..."]
  - pattern-not: $G.get("...")
  - pattern-not: $G.get["..."]
  - pattern-not: $G["..."]
  - pattern-not: $FUNC.__globals__["..."]
  - pattern-not-inside: globals()[...] = ...
  - pattern-not-inside: locals()[...] = ...
  - pattern-not-inside: $G[...] = ...
  - pattern-not-inside: $FUNC.__globals__[...] = ...
  severity: WARNING
- id: python.flask.security.flask-api-method-string-format.flask-api-method-string-format
  languages:
  - python
  message: Method $METHOD in API controller $CLASS provides user arg $ARG to requests
    method $REQMETHOD
  metadata:
    category: security
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    shortlink: https://sg.run/bDWr
    source: https://semgrep.dev/r/python.flask.security.flask-api-method-string-format.flask-api-method-string-format
    technology:
    - flask
  patterns:
  - pattern-either:
    - pattern: |
        def $METHOD(...,$ARG,...):
          ...
          $STRING = "...".format(...,$ARG,...)
          ...
          ... = requests.$REQMETHOD($STRING,...)
    - pattern: |
        def $METHOD(...,$ARG,...):
          ...
          ... = requests.$REQMETHOD("...".format(...,$ARG,...),...)
  - pattern-inside: |
      class $CLASS(...):
        method_decorators = ...
        ...
  severity: ERROR
- id: python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli
  languages:
  - python
  message: 'Detected string concatenation with a non-literal variable in an aiopg
    Python SQL statement. This could lead to SQL injection if the variable is user-controlled
    and not properly sanitized. In order to prevent SQL injection, use parameterized
    queries instead. You can create parameterized queries like so: ''cur.execute("SELECT
    %s FROM table", (user_value,))''.'
  metadata:
    category: security
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    references:
    - https://github.com/aio-libs/aiopg
    shortlink: https://sg.run/WgGL
    source: https://semgrep.dev/r/python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli
    technology:
    - aiopg
  patterns:
  - pattern-either:
    - patterns:
      - pattern: $CUR.$METHOD(...,$QUERY,...)
      - pattern-either:
        - pattern-inside: |
            $QUERY = $X + $Y
            ...
        - pattern-inside: |
            $QUERY += $X
            ...
        - pattern-inside: |
            $QUERY = '...'.format(...)
            ...
        - pattern-inside: |
            $QUERY = '...' % (...)
            ...
        - pattern-inside: |
            $QUERY = f'...{$USERINPUT}...'
            ...
      - pattern-not-inside: |
          $QUERY += "..."
          ...
      - pattern-not-inside: |
          $QUERY = "..." + "..."
          ...
      - pattern-not-inside: |
          $QUERY = '...'.format()
          ...
      - pattern-not-inside: |
          $QUERY = '...' % ()
          ...
    - pattern: $CUR.$METHOD(..., $X + $Y, ...)
    - pattern: $CUR.$METHOD(..., '...'.format(...), ...)
    - pattern: $CUR.$METHOD(..., '...' % (...), ...)
    - pattern: $CUR.$METHOD(..., f'...{$USERINPUT}...', ...)
  - pattern-either:
    - pattern-inside: |
        $CONN = await aiopg.connect(...)
        ...
        $CUR = await $CONN.cursor(...)
        ...
    - pattern-inside: |
        $POOL = await aiopg.create_pool(...)
        ...
        async with $POOL.acquire(...) as $CONN:
          ...
          async with $CONN.cursor(...) as $CUR:
            ...
    - pattern-inside: |
        $POOL = await aiopg.create_pool(...)
        ...
        with (await $POOL.cursor(...)) as $CUR:
          ...
    - pattern-inside: |
        $POOL = await aiopg.create_pool(...)
        ...
        async with $POOL as $CONN:
          ...
          $CUR = await $CONN.cursor(...)
          ...
    - pattern-inside: |
        $POOL = await aiopg.create_pool(...)
        ...
        async with $POOL.cursor(...) as $CUR:
          ...
  - pattern-not: $CUR.$METHOD(..., "..." + "...", ...)
  - pattern-not: $CUR.$METHOD(..., '...'.format(), ...)
  - pattern-not: $CUR.$METHOD(..., '...'%(), ...)
  - metavariable-regex:
      metavariable: $METHOD
      regex: ^(execute)$
  severity: WARNING
- id: python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli
  languages:
  - python
  message: 'Detected string concatenation with a non-literal variable in a asyncpg
    Python SQL statement. This could lead to SQL injection if the variable is user-controlled
    and not properly sanitized. In order to prevent SQL injection, used parameterized
    queries or prepared statements instead. You can create parameterized queries like
    so: ''conn.fetch("SELECT $1 FROM table", value)''. You can also create prepared
    statements with ''Connection.prepare'': ''stmt = conn.prepare("SELECT $1 FROM
    table"); await stmt.fetch(user_value)'''
  metadata:
    category: security
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    references:
    - https://github.com/MagicStack/asyncpg
    - https://magicstack.github.io/asyncpg/current/
    shortlink: https://sg.run/0nBB
    source: https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli
    technology:
    - asyncpg
  patterns:
  - pattern-either:
    - patterns:
      - pattern: $CONN.$METHOD(...,$QUERY,...)
      - pattern-either:
        - pattern-inside: |
            $QUERY = $X + $Y
            ...
        - pattern-inside: |
            $QUERY += $X
            ...
        - pattern-inside: |
            $QUERY = '...'.format(...)
            ...
        - pattern-inside: |
            $QUERY = '...' % (...)
            ...
        - pattern-inside: |
            $QUERY = f'...{$USERINPUT}...'
            ...
      - pattern-not-inside: |
          $QUERY += "..."
          ...
      - pattern-not-inside: |
          $QUERY = "..." + "..."
          ...
      - pattern-not-inside: |
          $QUERY = '...'.format()
          ...
      - pattern-not-inside: |
          $QUERY = '...' % ()
          ...
    - pattern: $CONN.$METHOD(..., $X + $Y, ...)
    - pattern: $CONN.$METHOD(..., '...'.format(...), ...)
    - pattern: $CONN.$METHOD(..., '...' % (...), ...)
    - pattern: $CONN.$METHOD(..., f'...{$USERINPUT}...', ...)
  - pattern-either:
    - pattern-inside: |
        $CONN = await asyncpg.connect(...)
        ...
    - pattern-inside: |
        async with asyncpg.create_pool(...) as $CONN:
            ...
    - pattern-inside: |
        async with $POOL.acquire(...) as $CONN:
            ...
    - pattern-inside: |
        $CONN = await $POOL.acquire(...)
        ...
    - pattern-inside: |
        def $FUNCNAME(..., $CONN: Connection, ...):
            ...
  - pattern-not: $CONN.$METHOD(..., "..." + "...", ...)
  - pattern-not: $CONN.$METHOD(..., '...'.format(), ...)
  - pattern-not: $CONN.$METHOD(..., '...'%(), ...)
  - metavariable-regex:
      metavariable: $METHOD
      regex: ^(fetch|fetchrow|fetchval|execute|executemany|prepare|cursor|copyfromquery)$
  severity: WARNING
- id: python.django.security.globals-as-template-context.globals-as-template-context
  languages:
  - python
  message: 'Using ''globals()'' as a context to ''render(...)'' is extremely dangerous.
    This exposes Python functions to the template that were not meant to be exposed.
    An attacker could use these functions to execute code that was not intended to
    run and could compromise the application. (This is server-side template injection
    (SSTI)). Do not use ''globals()''. Instead, specify each variable in a dictionary
    or ''django.template.Context'' object, like ''{"var1": "hello"}'' and use that
    instead.'
  metadata:
    category: security
    cwe: 'CWE-96: Improper Neutralization of Directives in Statically Saved Code (''Static
      Code Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.djangoproject.com/en/3.2/ref/settings/#templates
    - https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates
    - https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context
    shortlink: https://sg.run/7GYv
    source: https://semgrep.dev/r/python.django.security.globals-as-template-context.globals-as-template-context
    technology:
    - django
  pattern-either:
  - pattern: django.shortcuts.render(..., globals(...), ...)
  - pattern: django.template.Template.render(..., globals(...), ...)
  - patterns:
    - pattern-inside: |
        $CONTEXT = globals(...)
        ...
    - pattern-either:
      - pattern: django.shortcuts.render(..., $CONTEXT, ...)
      - pattern: django.template.Template.render(..., $CONTEXT, ...)
  severity: ERROR
- id: python.django.security.locals-as-template-context.locals-as-template-context
  languages:
  - python
  message: 'Using ''locals()'' as a context to ''render(...)'' is extremely dangerous.
    This exposes Python functions to the template that were not meant to be exposed.
    An attacker could use these functions to execute code that was not intended to
    run and could compromise the application. (This is server-side template injection
    (SSTI)). Do not use ''locals()''. Instead, specify each variable in a dictionary
    or ''django.template.Context'' object, like ''{"var1": "hello"}'' and use that
    instead.'
  metadata:
    category: security
    cwe: 'CWE-96: Improper Neutralization of Directives in Statically Saved Code (''Static
      Code Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    references:
    - https://docs.djangoproject.com/en/3.2/ref/settings/#templates
    - https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates
    - https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context
    shortlink: https://sg.run/L8XL
    source: https://semgrep.dev/r/python.django.security.locals-as-template-context.locals-as-template-context
    technology:
    - django
  pattern-either:
  - pattern: django.shortcuts.render(..., locals(...), ...)
  - pattern: django.template.Template.render(..., locals(...), ...)
  - patterns:
    - pattern-inside: |
        $CONTEXT = locals(...)
        ...
    - pattern-either:
      - pattern: django.shortcuts.render(..., $CONTEXT, ...)
      - pattern: django.template.Template.render(..., $CONTEXT, ...)
  severity: ERROR
- id: python.lang.security.audit.dangerous-code-run.dangerous-interactive-code-run
  languages:
  - python
  message: Found dynamic content inside InteractiveConsole/InteractiveInterpreter
    method. This is dangerous if external data can reach this function call because
    it allows a malicious actor to run arbitrary Python code. Ensure no external data
    reaches here.
  metadata:
    category: security
    cwe: 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
      (''Eval Injection'')'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A1: Injection'
    shortlink: https://sg.run/y6P8
    source: https://semgrep.dev/r/python.lang.security.audit.dangerous-code-run.dangerous-interactive-code-run
    technology:
    - python
  patterns:
  - pattern-either:
    - pattern: |
        $X.push($PAYLOAD,...)
    - pattern: |
        $X.runsource($PAYLOAD,...)
    - pattern: |
        $X.runcode(code.compile_command($PAYLOAD),...)
    - pattern: |
        $PL = code.compile_command($PAYLOAD,...)
        ...
        $X.runcode($PL,...)
  - pattern-either:
    - pattern-inside: |
        $X = code.InteractiveConsole(...)
        ...
    - pattern-inside: |
        $X = code.InteractiveInterpreter(...)
        ...
  - pattern-not: |
      $X.push("...",...)
  - pattern-not: |
      $X.runsource("...",...)
  - pattern-not: |
      $X.runcode(code.compile_command("..."),...)
  - pattern-not: |
      $PL = code.compile_command("...",...)
      ...
      $X.runcode($PL,...)
  severity: WARNING
- id: python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle
  languages:
  - python
  message: Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities.
    When unpickling, the serialized data could be manipulated to run arbitrary code.
    Instead, consider serializing the relevant data using `json` module.
  metadata:
    category: security
    cwe: 'CWE-502: Deserialization of Untrusted Data'
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    owasp: 'A8: Insecure Deserialization'
    references:
    - https://github.com/jsonpickle/jsonpickle#jsonpickle
    - https://www.exploit-db.com/exploits/49585
    shortlink: https://sg.run/rkNP
    source: https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle
    technology:
    - jsonpickle
  patterns:
  - pattern: |
      jsonpickle.decode($PAYLOAD,...)
  - pattern-not: |
      jsonpickle.decode("...",...)
  severity: WARNING