brotherton-erpnext/.github/helper/semgrep_rules/security.yml

rules:
- id: frappe-codeinjection-eval
  patterns:
  - pattern-not: eval("...")
  - pattern: eval(...)
  message: |
    Detected the use of eval(). eval() can be dangerous if used to evaluate
    dynamic content. Avoid it or use safe_eval().
  languages: [python]
  severity: ERROR

- id: frappe-sqli-format-strings
  patterns:
    - pattern-inside: |
        @frappe.whitelist()
        def $FUNC(...):
            ...
    - pattern-either:
        - pattern: frappe.db.sql("..." % ...)
        - pattern: frappe.db.sql(f"...", ...)
        - pattern: frappe.db.sql("...".format(...), ...)
  message: |
      Detected use of raw string formatting for SQL queries. This can lead to sql injection vulnerabilities. Refer security guidelines - https://github.com/frappe/erpnext/wiki/Code-Security-Guidelines
  languages: [python]
  severity: WARNING
ci(semgrep): Add semgrep testing (#24871) Adds semgrep testing in CI. Refer to: - https://github.com/frappe/frappe/pull/12524 - https://github.com/frappe/frappe/pull/12577 2021-04-16 16:14:49 +00:00			`rules:`
			`- id: frappe-codeinjection-eval`
			`patterns:`
			`- pattern-not: eval("...")`
			`- pattern: eval(...)`
			`message: \|`
			`Detected the use of eval(). eval() can be dangerous if used to evaluate`
			`dynamic content. Avoid it or use safe_eval().`
			`languages: [python]`
			`severity: ERROR`

			`- id: frappe-sqli-format-strings`
			`patterns:`
			`- pattern-inside: \|`
			`@frappe.whitelist()`
			`def $FUNC(...):`
			`...`
			`- pattern-either:`
			`- pattern: frappe.db.sql("..." % ...)`
			`- pattern: frappe.db.sql(f"...", ...)`
			`- pattern: frappe.db.sql("...".format(...), ...)`
			`message: \|`
			`Detected use of raw string formatting for SQL queries. This can lead to sql injection vulnerabilities. Refer security guidelines - https://github.com/frappe/erpnext/wiki/Code-Security-Guidelines`
			`languages: [python]`
			`severity: WARNING`