Comments (4)
Another example of the same bug I believe: https://semgrep.dev/playground/s/BYDb9
There are three sanitization rules, each of them matching the relevant test example when the other two are commented out, but as soon as any two are enabled, they all get effectively cancelled and produce three false positives:
![image](https://private-user-images.githubusercontent.com/122047699/326016354-c144092f-dda9-49bc-8e4d-64d708e2b623.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTc2ODU4NDcsIm5iZiI6MTcxNzY4NTU0NywicGF0aCI6Ii8xMjIwNDc2OTkvMzI2MDE2MzU0LWMxNDQwOTJmLWRkYTktNDliYy04ZTRkLTY0ZDcwOGUyYjYyMy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNjA2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDYwNlQxNDUyMjdaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT04ZWQ5MGVkMjM4ZDVlYmEwYTNlOTE3Y2Y5OWNjMjQ3N2U2NjQzNDUxYzdmY2M1MTA1YzA1ZmI4NTNkMWY0YjJiJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.ebpSTJNX5eGvjGhTW0BypFZikn5x3T7ZR-CGFEZBE2w)
from semgrep.
@andrew-konstantinov for the first issue here you have a workaround: https://semgrep.dev/playground/s/7KNqw; the second rule I would have written it like this: https://semgrep.dev/playground/s/8GNlB. Since sources/sanitizers/sinks can be arbitrary search-mode formulas, there is often a way to work around things. But yeah we need to address those limitations to make it simpler to write taint rules, both were known to us, but still very useful to get this bug report, so thanks for that and for the examples.
from semgrep.
Thank you, @IagoAbal! I will try to apply this approach to my rules.
Are there any resources you could share about debugging issues such as this one, besides https://semgrep.dev/docs/troubleshooting/rules? I like the "Inspect Rule" gadget in the Playground UI, but it's sometimes it's not enough. I'm comfortable reading/hacking the source code, so pointers to useful methods would suffice as well.
from semgrep.
Hope it helps! For the issues you reported here, I think "Inspect Rule" is probably one of the best tools you have. In the second example, you can observe that the individual pattern-inside
s are matching code, but the patterns
matches nothing (because it computes the intersection). If you use the semgrep-core
binary you also have the -dfg_tainting
flag, although I don't think it would have helped you for any of these issues. You are also welcome to tag me in our Community Slack ("iago (Semgrep)") any time.
from semgrep.
Related Issues (20)
- osemgrep: no files scanned when they should be
- Pattern parser throws an error when parsing patterns with explicit private attributes
- Ruby scanning not working in JS version of Semgrep VSCode Extension HOT 2
- Syntax when parsing kotlin code
- High Semgrep LSP CPU usage caused by recurring Git operations
- Whether the current feature supports taint analysis to detect memory leakage
- `--output` seems ignored when running `--test`
- "taint_assume_safe_functions: true" dosen't work while setting "control: true" in pattern-sources filed HOT 1
- Support for non-file configuration (and tests, maybe) HOT 4
- Failing to parse valid Java 21 syntax: case when statement
- Semgrep Pro language server seems to force downloading rules online HOT 4
- Request for ppc64le Support for Semgrep Binary and Docker Image HOT 3
- Join Mode - TypeError: unhashable type: 'list'
- Gitlab SAST report is not generated when there is error running Semgrep in >=1.64.0 HOT 2
- Ruby metavariable-pattern failed because $KEY does not bind to a sub-program HOT 1
- Python's class pattern of structural pattern matching is treated as class instantiation
- TypeScript non-null assertion operator `!` parsed with wrong precedence HOT 1
- semgrep ci [targets] is not supported
- Engine(PartialParsing) error when parsing Dockerfile with square brackets ([ ])
- --junit-xml-output option not working
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from semgrep.