Home

Awesome

Trail of Bits public Semgrep rules

This repository contains Semgrep rules developed by Trail of Bits and made available to the public. They are part of our ongoing development efforts and are used in our security audits, vulnerability reseach, and internal projects. They will evolve over time as we identify new techniques.

Visit Testing Handbook for Semgrep guidance.

Using Semgrep

The easiest way to run the rules is to run them from the Semgrep registry. To do so, navigate to the root folder of your project and run the following:

$ semgrep --config "p/trailofbits"

Alternatively, you can clone this repository, navigate to the root folder of your project, and run individual rules using the command below :

$ semgrep --config /path/to/semgrep-rules/semgreprule.yml

To run all rules from the cloned repository:

$ semgrep --config /path/to/semgrep-rules/ .

Useful flags

Semgrep will run against all supported code files except for those in your .gitignore file. If you want to run the rules against all files and directories, including those in your .gitignore, add the --no-git-ignore flag.

$ semgrep --config /path/to/semgrep-rules/ . --no-git-ignore

You can also tell Semgrep to ignore files and directories that match any pattern. For instance, if you want to tell Semgrep to ignore all Go test files you can run the following:

$ semgrep --config /path/to/semgrep-rules/ . --exclude='*_test.go'

Use -o to output results to a file:

$ semgrep --config /path/to/semgrep-rules/hanging-goroutine.yml -o leaks.txt'

Rules

go

IDPlaygroundImpactConfidenceDescription
eth-rpc-tracetransaction🛝🔗🟥🌕Detects attempts to extract trace information from an EVM transaction or block
eth-txreceipt-status🛝🔗🟥🌕Detects when a transaction receipt's status is read
hanging-goroutine🛝🔗🟩🌗Goroutine leaks
invalid-usage-of-modified-variable🛝🔗🟧🌘Possible unintentional assignment when an error occurs
iterate-over-empty-map🛝🔗🟩🌗Probably redundant iteration over an empty map
missing-runlock-on-rwmutex🛝🔗🟧🌗Missing RUnlock on an RWMutex lock before returning from a function
missing-unlock-before-return🛝🔗🟧🌗Missing mutex unlock before returning from a function
nil-check-after-call🛝🔗🟧🌗Possible nil dereferences
racy-append-to-slice🛝🔗🟧🌗Concurrent calls to append from multiple goroutines
racy-write-to-map🛝🔗🟧🌗Concurrent writes to the same map in multiple goroutines
servercodec-readrequestbody-unhandled-nil🛝🔗🟩🌘Possible incorrect ServerCodec interface implementation
string-to-int-signedness-cast🛝🔗🟧🌘Integer underflows
sync-mutex-value-copied🛝🔗🟩🌘Copying of sync.Mutex via value receivers
unsafe-dll-loading🛝🔗🟥🌘Use of function vulnerable to DLL hijacking attacks
waitgroup-add-called-inside-goroutine🛝🔗🟧🌗Calls to sync.WaitGroup.Add inside of anonymous goroutines
waitgroup-wait-inside-loop🛝🔗🟧🌗Calls to sync.WaitGroup.Wait inside a loop

python

IDPlaygroundImpactConfidenceDescription
automatic-memory-pinning🛝🔗🟩🌘PyTorch memory not automatically pinned
lxml-in-pandas🛝🔗🟧🌘Potential XXE attacks from loading lxml in pandas
msgpack-numpy🛝🔗🟥🌗Potential arbitrary code execution from functions reliant on pickling
numpy-distutils🛝🔗🟩🌘Use of deprecated numpy.distutils
numpy-f2py-compile🛝🔗🟥🌗Potential arbitrary code execution from NumPy f2py compilation
numpy-in-pytorch-datasets🛝🔗🟩🌘Calls to the NumPy RNG inside of a Torch dataset
numpy-in-pytorch-modules🛝🔗🌫️🌗Uses of NumPy functions inside PyTorch modules
numpy-load-library🛝🔗🟥🌗Potential arbitrary code execution from NumPy library loading
onnx-session-options🛝🔗🟥🌗Potential arbitrary code execution from ONNX library loading
pandas-eval🛝🔗🟥🌕Potential arbitrary code execution from pandas functions that evaluate user-provided expressions
pickles-in-keras-deprecation🛝🔗🟥🌗Potential arbitrary code execution from Keras' load_model function
pickles-in-keras🛝🔗🟥🌗Potential arbitrary code execution from Keras' load_model function
pickles-in-numpy🛝🔗🟥🌗Potential arbitrary code execution from NumPy functions reliant on pickling
pickles-in-pandas🛝🔗🟥🌗Potential arbitrary code execution from Pandas functions reliant on pickling
pickles-in-pytorch-distributed🛝🔗🟥🌗Potential arbitrary code execution from PyTorch.Distributed functions reliant on pickling
pickles-in-pytorch🛝🔗🟥🌗Potential arbitrary code execution from PyTorch functions reliant on pickling
pickles-in-tensorflow🛝🔗🟥🌗Potential arbitrary code execution from tensorflow's load function
pytorch-classes-load-library🛝🔗🟥🌗Potential arbitrary code execution from PyTorch library loading
pytorch-package🛝🔗🟥🌕Potential arbitrary code execution from torch.package
pytorch-tensor🛝🔗🌫️🌘Possible parsing issues and inefficiency from improper tensor creation
scikit-joblib-load🛝🔗🟥🌗Potential arbitrary code execution from SciKit.Joblib functions reliant on pickling
tarfile-extractall-traversal🛝🔗🟧🌗Potential path traversal in call to extractall for a tarfile
tensorflow-load-library🛝🔗🟥🌗Potential arbitrary code execution from TensorFlow library loading
waiting-with-pytorch-distributed🛝🔗🟩🌗Possible PyTorch undefined behavior when not waiting for requests

rs

IDPlaygroundImpactConfidenceDescription
panic-in-function-returning-result🛝🔗🟩🌘Calling unwrap or expect in a function returning a Result

javascript

IDPlaygroundImpactConfidenceDescription
schema-directives🛝🔗🟥🌗Use of outdated ApolloServer option 'schemaDirectives'
use-of-graphql-upload🛝🔗🟧🌕Use of the graphql-upload library
v3-potentially-bad-cors🛝🔗🟧🌕Potentially bad CORS policy
v3-express-bad-cors🛝🔗🟥🌗Bad CORS policy
v3-express-no-cors🛝🔗🟩🌘Lack of CORS policy
v3-bad-cors🛝🔗🟥🌗Bad CORS policy
v3-no-cors🛝🔗🟩🌘Lack of CORS policy
v3-csrf-prevention🛝🔗🟧🌘Lack of CSRF prevention
v4-csrf-prevention🛝🔗🟧🌘CSRF protection disabled

Contributing

Pull Requests and issues are welcomed!

See CONTRIBUTING.md for more information.

Licensing

The rules defined in this repository are licensed under AGPLv3.

The sidecar examples may be derived from other works, and retain their original licenses where required.