25 lines
847 B
YAML
25 lines
847 B
YAML
rules:
|
|
- id: frappe-codeinjection-eval
|
|
patterns:
|
|
- pattern-not: eval("...")
|
|
- pattern: eval(...)
|
|
message: |
|
|
Detected the use of eval(). eval() can be dangerous if used to evaluate
|
|
dynamic content. Avoid it or use safe_eval().
|
|
languages: [python]
|
|
severity: ERROR
|
|
|
|
- id: frappe-sqli-format-strings
|
|
patterns:
|
|
- pattern-inside: |
|
|
@frappe.whitelist()
|
|
def $FUNC(...):
|
|
...
|
|
- pattern-either:
|
|
- pattern: frappe.db.sql("..." % ...)
|
|
- pattern: frappe.db.sql(f"...", ...)
|
|
- pattern: frappe.db.sql("...".format(...), ...)
|
|
message: |
|
|
Detected use of raw string formatting for SQL queries. This can lead to sql injection vulnerabilities. Refer security guidelines - https://github.com/frappe/erpnext/wiki/Code-Security-Guidelines
|
|
languages: [python]
|
|
severity: WARNING
|