Merge Develop into Release (#3442)

* Fix CSharp SQLI rule (#3440) * use https instead of http (#3441) --------- Co-authored-by: Lewis <[email protected]> Co-authored-by: Drew Dennison <[email protected]>
semgrep · Aug 12, 2024 · 329608e · 329608e
1 parent 75eba81
commit 329608e
Show file tree

Hide file tree

Showing 27 changed files with 44 additions and 38 deletions.
diff --git a/ai/csharp/detect-openai.yaml b/ai/csharp/detect-openai.yaml
@@ -10,7 +10,7 @@ rules:
       - pattern: (ChatClient $CLIENT).$FUNC(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/dart/detect-gemini.yaml b/ai/dart/detect-gemini.yaml
@@ -9,7 +9,7 @@ rules:
       - pattern: final $MODEL = GenerativeModel(...);
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/generic/detect-generic-ai-anthprop.yaml b/ai/generic/detect-generic-ai-anthprop.yaml
@@ -10,7 +10,7 @@ rules:
       - pattern: claude
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/generic/detect-generic-ai-api.yaml b/ai/generic/detect-generic-ai-api.yaml
@@ -9,7 +9,7 @@ rules:
       - pattern: api.openai.com
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/generic/detect-generic-ai-gem.yaml b/ai/generic/detect-generic-ai-gem.yaml
@@ -9,7 +9,7 @@ rules:
       - pattern: GoogleGenerativeAI
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/generic/detect-generic-ai-oai.yaml b/ai/generic/detect-generic-ai-oai.yaml
@@ -9,7 +9,7 @@ rules:
       - pattern: OpenAI
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/go/detect-gemini.yaml b/ai/go/detect-gemini.yaml
@@ -9,7 +9,7 @@ rules:
       - pattern: genai.NewClient(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/go/detect-openai.yaml b/ai/go/detect-openai.yaml
@@ -9,7 +9,7 @@ rules:
       - pattern: gogpt.NewClient(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/kotlin/detect-gemini.yaml b/ai/kotlin/detect-gemini.yaml
@@ -9,7 +9,7 @@ rules:
       - pattern: GenerativeModel(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/python/detect-anthropic.yaml b/ai/python/detect-anthropic.yaml
@@ -12,7 +12,7 @@ rules:
       - pattern: $CLIENT.messages.$FUNC(...,model=...,...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/python/detect-gemini.yaml b/ai/python/detect-gemini.yaml
@@ -8,7 +8,7 @@ rules:
       - pattern: import google.generativeai
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/python/detect-huggingface.yaml b/ai/python/detect-huggingface.yaml
@@ -8,7 +8,7 @@ rules:
       - pattern: import huggingface_hub
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/python/detect-langchain.yaml b/ai/python/detect-langchain.yaml
@@ -17,7 +17,7 @@ rules:
       - pattern: import langchain
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/python/detect-mistral.yaml b/ai/python/detect-mistral.yaml
@@ -10,7 +10,7 @@ rules:
       - pattern: $CLIENT.chat(...,model=...,...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/python/detect-openai.yaml b/ai/python/detect-openai.yaml
@@ -11,7 +11,7 @@ rules:
       - pattern: $CLIENT.chat.completions.$FUNC(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/python/detect-pytorch.yaml b/ai/python/detect-pytorch.yaml
@@ -9,7 +9,7 @@ rules:
       - pattern: torch.$FUNC(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/python/detect-tensorflow.yaml b/ai/python/detect-tensorflow.yaml
@@ -8,7 +8,7 @@ rules:
       - pattern: import tensorflow
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/swift/detect-apple-core-ml.yaml b/ai/swift/detect-apple-core-ml.yaml
@@ -9,7 +9,7 @@ rules:
       - pattern: MLModelConfiguration(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/swift/detect-gemini.yaml b/ai/swift/detect-gemini.yaml
@@ -9,7 +9,7 @@ rules:
       - pattern: GenerativeModel(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/typescript/detect-anthropic.yaml b/ai/typescript/detect-anthropic.yaml
@@ -12,7 +12,7 @@ rules:
       - pattern: anthropic.messages.$FUNC(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/typescript/detect-gemini.yaml b/ai/typescript/detect-gemini.yaml
@@ -12,7 +12,7 @@ rules:
       - pattern: $GENAI.getGenerativeModel(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/typescript/detect-mistral.yaml b/ai/typescript/detect-mistral.yaml
@@ -12,7 +12,7 @@ rules:
           $CLIENT.chat({model: ...})
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/typescript/detect-openai.yaml b/ai/typescript/detect-openai.yaml
@@ -12,7 +12,7 @@ rules:
       - pattern: $CLIENT.chat.completions.$FUNC(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/typescript/detect-promptfoo.yaml b/ai/typescript/detect-promptfoo.yaml
@@ -10,7 +10,7 @@ rules:
       - pattern: promptfoo.evaluate(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/ai/typescript/detect-vercel-ai.yaml b/ai/typescript/detect-vercel-ai.yaml
@@ -12,7 +12,7 @@ rules:
       - pattern: generateText({prompt:...})
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

diff --git a/csharp/lang/security/sqli/csharp-sqli.cs b/csharp/lang/security/sqli/csharp-sqli.cs
@@ -135,17 +135,21 @@ public void sqli11(string sqli)
          }
       }
 
-      public void sqli12(string sqli)
-      {
-         using (SqlConnection connection = new SqlConnection("Data Source=(local);Initial Catalog=Northwind;Integrated Security=SSPI;")) {
-            connection.Open();
-            SqlCommand command= connection.CreateCommand();
-            // ruleid: csharp-sqli
-            command.CommandText = sqli;
-            command.CommandTimeout = 15;
-            command.CommandType = CommandType.Text;
-         }
-      }
+        public void sqli2(string sqli)
+        {
+            using (SqlConnection connection = new SqlConnection("Data Source=(local);Initial Catalog=Northwind;Integrated Security=SSPI;")) {
+               connection.Open();
+               SqlCommand command= connection.CreateCommand();
+               // ruleid: csharp-sqli
+               command.CommandText = String.Format("SELECT c.name AS column_name,t.name AS type_name,c.max_length,c.precision,c.scale,             CAST(CASE WHEN EXISTS(SELECT * FROM sys.index_columns AS i WHERE i.object_id=c.object_id AND i.column_id=c.column_id) THEN 1 ELSE 0 END AS BIT) AS column_indexed             FROM sys.columns AS c              JOIN sys.types AS t ON c.user_type_id=t.user_type_id              WHERE c.object_id = OBJECT_ID('{0}')              ORDER BY c.column_id;", sqli);
+               command.CommandTimeout = 15;
+               command.CommandType = CommandType.Text;
+               await using var connection = new SqlConnection(configuration.GetVaultConnectionString(sqli, "B", true));
+               await using var command = connection.CreateCommand();
+               // ok: csharp-sqli
+               command.CommandText = "SELECT 1;";
+            }
+        }
 
       public void sqli13()
       {

diff --git a/csharp/lang/security/sqli/csharp-sqli.yaml b/csharp/lang/security/sqli/csharp-sqli.yaml
@@ -18,8 +18,10 @@ rules:
               - pattern: |
                   new $PATTERN($CMD,...)
               - focus-metavariable: $CMD
-            - pattern: |
-                $CMD.$PATTERN = ...;
+            - patterns:
+              - pattern: |
+                  $CMD.$PATTERN = $VALUE;
+              - focus-metavariable: $VALUE
           - metavariable-regex:
               metavariable: $PATTERN
               regex: ^(SqlCommand|CommandText|OleDbCommand|OdbcCommand|OracleCommand)$