From 92f60a319a8549dbd1e40a755c76c78129dc89a0 Mon Sep 17 00:00:00 2001
From: "r2c-argo[bot]" <89167470+r2c-argo[bot]@users.noreply.github.com>
Date: Fri, 6 Sep 2024 09:54:26 +0200
Subject: [PATCH] Merge Develop into Release (#3469)

* Added Onfido API token detection to recognize this type of secrets (#3463)
* PHP tainted-callable (#3464)
A callable is the name of a function, or an array with a class/object and a method. Basing these on user input makes it possible to call arbitrary functions.
Co-authored-by: Pieter De Cremer (Semgrep)
* chore: put ruleid annotation alone on its own line for tainted-sql-string.py (#3467)
This is the only file doing that, so let's be consistent. It also helps osemgrep test which does not handle this case. This was mentioned in https://linear.app/semgrep/issue/SAF-1529/same-line-annotations-fail-when-running-semgrep-test-but-work-with
test plan: make test
---------
Co-authored-by: lucasan1 <70696858+lucasan1@users.noreply.github.com>
Co-authored-by: Sjoerd Langkemper
Co-authored-by: Pieter De Cremer (Semgrep)
Co-authored-by: Yoann Padioleau
---
 .../security/injection/tainted-sql-string.py | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/python/django/security/injection/tainted-sql-string.py b/python/django/security/injection/tainted-sql-string.py
index 0aaa70d7b8..b4ae971fa2 100644
--- a/python/django/security/injection/tainted-sql-string.py
+++ b/python/django/security/injection/tainted-sql-string.py
@@ -10,7 +10,8 @@ class Person(models.Model):
 ##### True Positives #########
 def get_user_age1(request):
 user_name = request.POST.get("user_name")
- user_age = Person.objects.raw( # ruleid: tainted-sql-string
+ user_age = Person.objects.raw(
+ # ruleid: tainted-sql-string
 "SELECT user_age FROM myapp_person where user_name = %s" % user_name
 )
 html = "User Age %s." % user_age
@@ -19,7 +20,8 @@ def get_user_age1(request):
 def get_user_age2(request):
 user_name = request.POST.get("user_name")
- user_age = Person.objects.raw( # ruleid: tainted-sql-string
+ user_age = Person.objects.raw(
+ # ruleid: tainted-sql-string
 f"SELECT user_age FROM myapp_person where user_name = {user_name}"
 )
 html = "User Age %s." % user_age
@@ -28,7 +30,8 @@ def get_user_age2(request):
 def get_user_age3(request):
 user_name = request.POST.get("user_name")
- user_age = Person.objects.raw( # ruleid: tainted-sql-string
+ user_age = Person.objects.raw(
+ # ruleid: tainted-sql-string
 "SELECT user_age FROM myapp_person where user_name = %s".format(user_name)
 )
 html = "User Age %s." % user_age
@@ -37,7 +40,8 @@ def get_user_age3(request):
 def get_user_age4(request):
 user_name = request.POST.get("user_name")
- user_age = Person.objects.raw( # ruleid: tainted-sql-string
+ user_age = Person.objects.raw(
+ # ruleid: tainted-sql-string
 "SELECT user_age FROM myapp_person where user_name = " + user_name
 )
 html = "User Age %s." % user_age
@@ -63,7 +67,8 @@ def get_user_age6(request):
 def get_users1(request):
 client_id = request.headers.get("client_id")
- users = Person.objects.raw( # ruleid: tainted-sql-string
+ users = Person.objects.raw(
+ # ruleid: tainted-sql-string
 "SELECT * FROM myapp_person where client_id = %s" % client_id
 )
 html = "Users %s." % users
@@ -72,7 +77,8 @@ def get_users1(request):
 def get_users2(request):
 client_id = request.headers.get("client_id")
- users = Person.objects.raw( # ruleid: tainted-sql-string
+ users = Person.objects.raw(
+ # ruleid: tainted-sql-string
 f"SELECT * FROM myapp_person where client_id = {client_id}"
 )
 html = "Users %s." % users
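Review bot: In get_user_age3 (the `@@ -28,7 +30,8 @@` hunk) the `.format(user_name)` fixture never interpolates the request value: the template carries a `%s` placeholder and no `{}` field, so `str.format` silently discards its argument and the string handed to `raw()` is the literal `... where user_name = %s`. The rule's taint tracking may still report it because `user_name` flows into the `.format` call, but as a labelled true positive it does not demonstrate a real injection path, which weakens the fixture as a regression test for the `str.format` sink. Changing the argument line to `"SELECT user_age FROM myapp_person where user_name = {}".format(user_name)` would make the example match the `%`, f-string and `+` variants in the neighbouring hunks. get_user_age3's body continues past the hunk, so its return statement is not visible here.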