rules:
- id: detect-child-process
  metadata:
    cwe:
      "CWE-78: Improper Neutralization of Special Elements used in an OS Command
      ('OS Command Injection')"
    owasp:
    - A03:2021 - Injection
    - A01:2017 - Injection
    references:
rules:
- id: tainted-sql-string
  languages:
  - java
  severity: ERROR
  message: User data flows into this manually-constructed SQL string. User data
    can be safely inserted into SQL strings using prepared statements or an
    object-relational mapper (ORM). Manually-constructed SQL strings is a
    possible indicator of SQL injection, which could let an attacker steal or
    manipulate data from the database. Instead, use prepared statements
rules:
- id: nan-injection
  message: blah
  languages: [python]
  severity: ERROR
  mode: taint
  pattern-sources:
  - pattern: flask.request
  pattern-sinks:
  - pattern-either:
rules:
- id: spring-sql-injection
  message: >-
    SQLi
  severity: ERROR
  mode: join
  join:
    refs:
    - rule: https://raw.githubusercontent.com/minusworld/semgrep-library/main/rules/java/spring/user-input.yaml
      as: spring-user-input
import json
import boto3
import os
import io
BUCKET="YOUR_BUCKET_HERE"
s3 = boto3.client("s3")
def lambda_handler(event, context):
from collections import defaultdict
from typing import Any, Callable, Dict, List

def group(items: List[Any], key: Callable[[Any], Any]) -> Dict[Any, Any]:
    # Bucket items by the value that key(item) returns.
    dd = defaultdict(list)
    for item in items:
        k = key(item)
        dd[k].append(item)
    return dd
minusworld / apache-2.0-cla.txt
Created July 14, 2021 00:45
Apache 2.0 CLA
Individual Contributor
License Agreement
("Agreement") V2.0
Thank you for your interest in The Apache Software Foundation (the
"Foundation"). In order to clarify the intellectual property license
granted with Contributions from any person or entity, the Foundation
must have a Contributor License Agreement ("CLA") on file that has
been signed by each Contributor, indicating agreement to the license
terms below. This license is for your protection as a Contributor as
well as the protection of the Foundation and its users; it does not
rules:
- id: user-input-unescaped-extension
  mode: join
  join:
    refs:
    - rule: https://raw.githubusercontent.com/minusworld/semgrep-library/main/rules/flask/flask-user-input.yaml
      as: user-input
    - rule: https://raw.githubusercontent.com/minusworld/semgrep-library/main/rules/flask/unescaped-template-extension.yaml
      as: unescaped-extensions
    - rule: https://raw.githubusercontent.com/minusworld/semgrep-library/main/rules/flask/any-template-var.yaml
rules:
- id: user-input-escaped-with-safe
  mode: join
  join:
    refs:
    - rule: https://raw.githubusercontent.com/minusworld/semgrep-library/main/rules/flask/flask-user-input.yaml
      as: user-input
    - rule: https://raw.githubusercontent.com/minusworld/semgrep-library/main/rules/flask/render-template-input.yaml
      as: render-template-input
    - rule: https://raw.githubusercontent.com/minusworld/semgrep-library/main/rules/flask/template-var-safe.yaml
minusworld / gist:7755187c864403be64796e655604fe27
Created May 28, 2021 21:20
semgrep-aws-key-comparison.yaml
rules:
- id: detected-aws-secret-access-key-new
  pattern-regex: |-
    (("|'|`)?((?i)aws)_?\w*((?i)secret)_?\w*("|'|`)?\s{0,50}(:|=>|=)\s{0,50}("|'|`)?[A-Za-z0-9/+=]{40}("|'|`)?)
  languages: [regex]
  message: AWS Secret Access Key detected
  severity: ERROR
  metadata:
    source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
- id: detected-aws-secret-access-key-old