ajinabraham · January 31, 2021 15:07
diff --git a/semgrep_static_analysis.yml b/semgrep_static_analysis.yml
 rules:
  - id: env-set
    patterns:
      - pattern-either:
          - pattern: |
              subprocess.check_output([..., "=~/env|set/", ...])
          - pattern: |
              subprocess.run([..., "=~/env|set/", ...])
          - pattern: |
              subprocess.Popen([..., "=~/env|set/", ...])
    message: |
      Reading from env or set commands
    severity: ERROR
    languages:
      - python
  - id: python-os-environ
    patterns:
      - pattern-not-inside: os.environ.get(...)
      - pattern-not-inside: os.environ[...]
      - pattern-either:
          - pattern: |
              os.environ
    message: |
      Reading from python's os.environ()
    severity: ERROR
    languages:
      - python
  - id: python-proc-fs
    patterns:
      - pattern-either:
          - pattern: |
              pathlib.Path('/proc') / ... / 'environ'
    message: |
      Reading python /proc/<pid>/environ
    severity: ERROR
    languages:
      - python
  - id: environ-files
    patterns:
      - pattern-inside: |
          $X = {..., "=~/\/etc\/environment|\/etc\/profile|\/etc\/bashrc|~\/.bash_profile|~\/.bashrc|~\/.profile|~\/.cshrc|~\/.zshrc|~\/.tcshrc/", ...}
          ...
      - pattern-either:
          - pattern: |
              Path(...)
          - pattern: |
              open(...)
    message: |
      Reading from sensitve files that contain environment variables
    severity: ERROR
    languages:
      - python
  - id: libc-environ
    patterns:
      - pattern-either:
          - pattern: |
              $LIB = ctypes.CDLL(...)
              ...
              $Y.in_dll($LIB, 'environ')
    message: |
      Reading from libc.environ
    severity: ERROR
    languages:
      - python
	rules:
	- id: env-set
	patterns:
	- pattern-either:
	- pattern: \|
	subprocess.check_output([..., "=~/env\|set/", ...])
	- pattern: \|
	subprocess.run([..., "=~/env\|set/", ...])
	- pattern: \|
	subprocess.Popen([..., "=~/env\|set/", ...])
	message: \|
	Reading from env or set commands
	severity: ERROR
	languages:
	- python
	- id: python-os-environ
	patterns:
	- pattern-not-inside: os.environ.get(...)
	- pattern-not-inside: os.environ[...]
	- pattern-either:
	- pattern: \|
	os.environ
	message: \|
	Reading from python's os.environ()
	severity: ERROR
	languages:
	- python
	- id: python-proc-fs
	patterns:
	- pattern-either:
	- pattern: \|
	pathlib.Path('/proc') / ... / 'environ'
	message: \|
	Reading python /proc/<pid>/environ
	severity: ERROR
	languages:
	- python
	- id: environ-files
	patterns:
	- pattern-inside: \|
	$X = {..., "=~/\/etc\/environment\|\/etc\/profile\|\/etc\/bashrc\|~\/.bash_profile\|~\/.bashrc\|~\/.profile\|~\/.cshrc\|~\/.zshrc\|~\/.tcshrc/", ...}
	...
	- pattern-either:
	- pattern: \|
	Path(...)
	- pattern: \|
	open(...)
	message: \|
	Reading from sensitve files that contain environment variables
	severity: ERROR
	languages:
	- python
	- id: libc-environ
	patterns:
	- pattern-either:
	- pattern: \|
	$LIB = ctypes.CDLL(...)
	...
	$Y.in_dll($LIB, 'environ')
	message: \|
	Reading from libc.environ
	severity: ERROR
	languages:
	- python