* ci(semgrep): add more rules, r/python.correctness
  - Added file for defining rules as per frappe data model: frappe_correctness.yml
  - Add rule for SQLi, with WARNING only for now
  - Add rule file for UX
  - WARNING | INFO do not fail the build now
* ci(semgrep): on_cancel, on_submit correctness rule
* ci(semgrep): split workflow in steps
* ci(semgrep): catch line breaks in _()
* chore: fix sider issue
29 lines
929 B
YAML
rules:
- id: frappe-codeinjection-eval
  patterns:
  - pattern-not: eval("...")
  - pattern: eval(...)
  message: |
    Detected the use of eval(). eval() can be dangerous if used to evaluate
    dynamic content. Avoid it or use safe_eval().
  languages: [python]
  severity: ERROR
  paths:
    exclude:
    - frappe/__init__.py
    - frappe/commands/utils.py

- id: frappe-sqli-format-strings
  patterns:
  - pattern-inside: |
      @frappe.whitelist()
      def $FUNC(...):
        ...
  - pattern-either:
    - pattern: frappe.db.sql("..." % ...)
    - pattern: frappe.db.sql(f"...", ...)
    - pattern: frappe.db.sql("...".format(...), ...)
  message: |
    Detected use of raw string formatting for SQL queries. This can lead to sql injection vulnerabilities. Refer security guidelines - https://github.com/frappe/erpnext/wiki/Code-Security-Guidelines
  languages: [python]
  severity: WARNING
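The two rules above are easiest to understand by seeing which call sites they match. The following is an added example, not part of the frappe commit or of Semgrep: a small `ast`-based checker that mirrors `frappe-codeinjection-eval` and `frappe-sqli-format-strings` and runs them over a constructed sample module. The sample module, the function names in it and the checker's helper names are all assumptions made for this example; the only frappe API it relies on is the documented `frappe.db.sql(query, values)` call with `%s` placeholders, shown in `get_items_safe` as the form the rule does not flag.

```python
"""
Added example (not part of the frappe commit or the Semgrep rule file): an
ast-based checker mirroring the rules frappe-codeinjection-eval and
frappe-sqli-format-strings, run over a constructed sample module.
"""
import ast

# Constructed sample module mixing flagged and unflagged call sites.
SAMPLE_SOURCE = '''
import frappe

@frappe.whitelist()
def get_items(name):
    # flagged: request data interpolated into the query with %
    return frappe.db.sql("select name from tabItem where name = '%s'" % name)

@frappe.whitelist()
def get_items_f(name):
    # flagged: f-string
    return frappe.db.sql(f"select name from tabItem where name = '{name}'")

@frappe.whitelist()
def get_items_safe(name):
    # not flagged: placeholder in the query, value passed separately
    return frappe.db.sql("select name from tabItem where name = %s", (name,))

def internal_helper(name):
    # not flagged: the rule is scoped to @frappe.whitelist() functions
    return frappe.db.sql("select name from tabItem where name = '{}'".format(name))

def run(expr):
    return eval(expr)        # flagged: eval on a non-literal

def constant():
    return eval("1 + 1")     # not flagged: eval("...") is excluded by pattern-not
'''


def _is_frappe_attr(node, *path):
    """True if node is the attribute chain frappe.<path...>, e.g. frappe.db.sql."""
    for attr in reversed(path):
        if not (isinstance(node, ast.Attribute) and node.attr == attr):
            return False
        node = node.value
    return isinstance(node, ast.Name) and node.id == "frappe"


def _is_whitelisted(func):
    """The pattern-inside clause: the function carries a @frappe.whitelist() decorator."""
    for dec in func.decorator_list:
        target = dec.func if isinstance(dec, ast.Call) else dec
        if _is_frappe_attr(target, "whitelist"):
            return True
    return False


def _is_str_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _is_formatted_string(node):
    """The three pattern-either branches: "..." % ..., f"...", "...".format(...)."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod) and _is_str_literal(node.left):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format" and _is_str_literal(node.func.value))


def _is_dynamic_eval(call):
    """eval(...) minus the pattern-not exclusion eval("...") (one string literal, nothing else)."""
    if not (isinstance(call.func, ast.Name) and call.func.id == "eval"):
        return False
    literal_only = (len(call.args) == 1 and not call.keywords
                    and _is_str_literal(call.args[0]))
    return not literal_only


def find_findings(source):
    """Return (rule_id, enclosing_function) pairs in the order ast.walk visits functions."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        whitelisted = _is_whitelisted(func)
        for node in ast.walk(func):
            if not isinstance(node, ast.Call):
                continue
            if _is_dynamic_eval(node):
                findings.append(("frappe-codeinjection-eval", func.name))
            elif (whitelisted and _is_frappe_attr(node.func, "db", "sql")
                  and node.args and _is_formatted_string(node.args[0])):
                findings.append(("frappe-sqli-format-strings", func.name))
    return findings


if __name__ == "__main__":
    for rule_id, func_name in find_findings(SAMPLE_SOURCE):
        print(f"{rule_id}: in {func_name}()")
```

Running the script reports `get_items`, `get_items_f` and `run` and nothing else. Two points worth noticing from the unflagged cases: `internal_helper` builds its query with `.format()` but is not reported, because the `pattern-inside` clause limits the SQLi rule to `@frappe.whitelist()` endpoints, so the same construction in a helper called from an endpoint goes unseen; and `eval("1 + 1")` is skipped only because its sole argument is a string literal, so any additional argument puts the call back in scope.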