This repository contains Semgrep rules developed by Trail of Bits and made available to the public. They are part of our ongoing development efforts and are used in our security audits, vulnerability reseach, and internal projects. They will evolve over time as we identify new techniques.
Visit Testing Handbook for Semgrep guidance.
The easiest way to run the rules is to run them from the Semgrep registry. To do so, navigate to the root folder of your project and run the following:
$ semgrep --config "p/trailofbits"Alternatively, you can clone this repository, navigate to the root folder of your project, and run individual rules using the command below :
$ semgrep --config /path/to/semgrep-rules/semgreprule.ymlTo run all rules from the cloned repository:
$ semgrep --config /path/to/semgrep-rules/ .Semgrep will run against all supported code files except for those in your .gitignore file. If you want to run the rules against all files and directories, including those in your .gitignore, add the --no-git-ignore flag.
$ semgrep --config /path/to/semgrep-rules/ . --no-git-ignoreYou can also tell Semgrep to ignore files and directories that match any pattern. For instance, if you want to tell Semgrep to ignore all Go test files you can run the following:
$ semgrep --config /path/to/semgrep-rules/ . --exclude='*_test.go'Use -o to output results to a file:
$ semgrep --config /path/to/semgrep-rules/hanging-goroutine.yml -o leaks.txt'| ID | Playground | Impact | Confidence | Description |
|---|---|---|---|---|
| eth-rpc-tracetransaction | ππ | π₯ | π | Detects attempts to extract trace information from an EVM transaction or block |
| eth-txreceipt-status | ππ | π₯ | π | Detects when a transaction receipt's status is read |
| hanging-goroutine | ππ | π© | π | Goroutine leaks |
| invalid-usage-of-modified-variable | ππ | π§ | π | Possible unintentional assignment when an error occurs |
| iterate-over-empty-map | ππ | π© | π | Probably redundant iteration over an empty map |
| missing-runlock-on-rwmutex | ππ | π§ | π | Missing RUnlock on an RWMutex lock before returning from a function |
| missing-unlock-before-return | ππ | π§ | π | Missing mutex unlock before returning from a function |
| nil-check-after-call | ππ | π§ | π | Possible nil dereferences |
| racy-append-to-slice | ππ | π§ | π | Concurrent calls to append from multiple goroutines |
| racy-write-to-map | ππ | π§ | π | Concurrent writes to the same map in multiple goroutines |
| servercodec-readrequestbody-unhandled-nil | ππ | π© | π | Possible incorrect ServerCodec interface implementation |
| string-to-int-signedness-cast | ππ | π§ | π | Integer underflows |
| sync-mutex-value-copied | ππ | π© | π | Copying of sync.Mutex via value receivers |
| unsafe-dll-loading | ππ | π₯ | π | Use of function vulnerable to DLL hijacking attacks |
| waitgroup-add-called-inside-goroutine | ππ | π§ | π | Calls to sync.WaitGroup.Add inside of anonymous goroutines |
| waitgroup-wait-inside-loop | ππ | π§ | π | Calls to sync.WaitGroup.Wait inside a loop |
| ID | Playground | Impact | Confidence | Description |
|---|---|---|---|---|
| automatic-memory-pinning | ππ | π© | π | PyTorch memory not automatically pinned |
| lxml-in-pandas | ππ | π§ | π | Potential XXE attacks from loading lxml in pandas |
| msgpack-numpy | ππ | π₯ | π | Potential arbitrary code execution from functions reliant on pickling |
| numpy-distutils | ππ | π© | π | Use of deprecated numpy.distutils |
| numpy-f2py-compile | ππ | π₯ | π | Potential arbitrary code execution from NumPy f2py compilation |
| numpy-in-pytorch-datasets | ππ | π© | π | Calls to the NumPy RNG inside of a Torch dataset |
| numpy-in-pytorch-modules | ππ | π«οΈ | π | Uses of NumPy functions inside PyTorch modules |
| numpy-load-library | ππ | π₯ | π | Potential arbitrary code execution from NumPy library loading |
| onnx-session-options | ππ | π₯ | π | Potential arbitrary code execution from ONNX library loading |
| pandas-eval | ππ | π₯ | π | Potential arbitrary code execution from pandas functions that evaluate user-provided expressions |
| pickles-in-keras-deprecation | ππ | π₯ | π | Potential arbitrary code execution from Keras' load_model function |
| pickles-in-keras | ππ | π₯ | π | Potential arbitrary code execution from Keras' load_model function |
| pickles-in-numpy | ππ | π₯ | π | Potential arbitrary code execution from NumPy functions reliant on pickling |
| pickles-in-pandas | ππ | π₯ | π | Potential arbitrary code execution from Pandas functions reliant on pickling |
| pickles-in-pytorch-distributed | ππ | π₯ | π | Potential arbitrary code execution from PyTorch.Distributed functions reliant on pickling |
| pickles-in-pytorch | ππ | π₯ | π | Potential arbitrary code execution from PyTorch functions reliant on pickling |
| pickles-in-tensorflow | ππ | π₯ | π | Potential arbitrary code execution from tensorflow's load function |
| pytorch-classes-load-library | ππ | π₯ | π | Potential arbitrary code execution from PyTorch library loading |
| pytorch-package | ππ | π₯ | π | Potential arbitrary code execution from torch.package |
| pytorch-tensor | ππ | π«οΈ | π | Possible parsing issues and inefficiency from improper tensor creation |
| scikit-joblib-load | ππ | π₯ | π | Potential arbitrary code execution from SciKit.Joblib functions reliant on pickling |
| tarfile-extractall-traversal | ππ | π§ | π | Potential path traversal in call to extractall for a tarfile |
| tensorflow-load-library | ππ | π₯ | π | Potential arbitrary code execution from TensorFlow library loading |
| waiting-with-pytorch-distributed | ππ | π© | π | Possible PyTorch undefined behavior when not waiting for requests |
| ID | Playground | Impact | Confidence | Description |
|---|---|---|---|---|
| panic-in-function-returning-result | ππ | π© | π | Calling unwrap or expect in a function returning a Result |
| ID | Playground | Impact | Confidence | Description |
|---|---|---|---|---|
| schema-directives | ππ | π₯ | π | Use of outdated ApolloServer option 'schemaDirectives' |
| use-of-graphql-upload | ππ | π§ | π | Use of the graphql-upload library |
| v3-potentially-bad-cors | ππ | π§ | π | Potentially bad CORS policy |
| v3-express-bad-cors | ππ | π₯ | π | Bad CORS policy |
| v3-express-no-cors | ππ | π© | π | Lack of CORS policy |
| v3-bad-cors | ππ | π₯ | π | Bad CORS policy |
| v3-no-cors | ππ | π© | π | Lack of CORS policy |
| v3-csrf-prevention | ππ | π§ | π | Lack of CSRF prevention |
| v4-csrf-prevention | ππ | π§ | π | CSRF protection disabled |
Pull Requests and issues are welcomed!
See CONTRIBUTING.md for more information.
The rules defined in this repository are licensed under AGPLv3.
The sidecar examples may be derived from other works, and retain their original licenses where required.