From f11477f8fffb84a082027f006d58ba3f85ce8b0a Mon Sep 17 00:00:00 2001
From: nimratcoderabbit
Date: Mon, 14 Jul 2025 12:34:02 -0400
Subject: [PATCH 1/5] Semgrep Showcase
---
semgrep/example.py | 16 ++++++++++++++++
semgrep/semgrep.yml | 8 ++++++++
2 files changed, 24 insertions(+)
create mode 100644 semgrep/example.py
create mode 100644 semgrep/semgrep.yml
diff --git a/semgrep/example.py b/semgrep/example.py
new file mode 100644
index 0000000..45ca6f3
--- /dev/null
+++ b/semgrep/example.py
@@ -0,0 +1,16 @@
+import os, sys # F401: sys imported but unused
+
+def my_function( x, y ):
+ print( "Result:",x+y ) # E201, E202, E231, E221
+
+class myclass: # N801: class name should use CapWords convention
+ def __init__(self):
+ self.value =42 # E225: missing whitespace around operator
+
+ def doSomething(self): # N802: function name should be snake_case
+ if( self.value>0 ):
+ print("Positive")
+ else:
+ print( "Not positive" )
+
+my_function(1,2)
diff --git a/semgrep/semgrep.yml b/semgrep/semgrep.yml
new file mode 100644
index 0000000..405b747
--- /dev/null
+++ b/semgrep/semgrep.yml
@@ -0,0 +1,8 @@
+rules:
+ - id: hardcoded-password
+ pattern: password = "$SECRET"
+ message: "Avoid hardcoded passwords"
+ severity: ERROR
+ languages: [python]
+ metadata:
+ category: security
From 603ab960a207ec7a3cb64832a8d367391c7dafaf Mon Sep 17 00:00:00 2001
From: nimratcoderabbit
Date: Mon, 14 Jul 2025 12:44:00 -0400
Subject: [PATCH 2/5] Semgrep showcase
---
semgrep/example.py | 48 ++++++++++++++++++++++++++++++----------------
1 file changed, 32 insertions(+), 16 deletions(-)
diff --git a/semgrep/example.py b/semgrep/example.py
index 45ca6f3..6a3d3cc 100644
--- a/semgrep/example.py
+++ b/semgrep/example.py
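Review bot: The F401 comment on `import os, sys` names only `sys`, but `os` is never used in this file either, so a linter will report both names and the annotation under-describes the finding; either change it to `# F401: os and sys imported but unused` or actually use `os` somewhere. The module also calls `my_function(1,2)` at import time, so merely importing the fixture prints output; putting that call behind `if __name__ == "__main__":` keeps every lint finding the file is meant to demonstrate while making it importable without side effects.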
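Review bot: `pattern: password = "$SECRET"` only matches an assignment to a variable spelled exactly `password`, so the `PASSWORD = "secret123"` that the next patch in this series adds never triggers the rule, and later in the series the rule is deleted rather than fixed. A more general form binds the variable name as a metavariable and constrains it, e.g. `patterns:` / `- pattern: $VAR = "..."` / `- metavariable-regex: { metavariable: $VAR, regex: "(?i)pass(word|wd)?|secret|token|api_?key" }`, which still matches only string-literal assignments but catches the upper-case and prefixed variants. Consider also adding a `cwe:` entry next to `category: security` under `metadata:` so findings can be triaged by weakness class.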
@@ -1,16 +1,32 @@
-import os, sys # F401: sys imported but unused
-
-def my_function( x, y ):
- print( "Result:",x+y ) # E201, E202, E231, E221
-
-class myclass: # N801: class name should use CapWords convention
- def __init__(self):
- self.value =42 # E225: missing whitespace around operator
-
- def doSomething(self): # N802: function name should be snake_case
- if( self.value>0 ):
- print("Positive")
- else:
- print( "Not positive" )
-
-my_function(1,2)
+import os
+import sys
+import hashlib
+
+# Hardcoded credentials
+USERNAME = "admin"
+PASSWORD = "secret123"
+
+def dangerous_eval():
+ user_input = input("Enter a Python expression: ")
+ result = eval(user_input)
+ print("Evaluated result:", result)
+
+def delete_data(path):
+ os.system("rm -rf " + path) # Semgrep: shell injection
+
+def hash_password(password):
+ hashed = hashlib.md5(password.encode()).hexdigest() # Semgrep: weak hash
+ return hashed
+
+def main():
+ print("Logging in as", USERNAME)
+ password_hash = hash_password(PASSWORD)
+ print("Password hash:", password_hash)
+
+ if len(sys.argv) > 1:
+ delete_data(sys.argv[1])
+
+ dangerous_eval()
+
+main()
+
From fb5634b8f2ce987a80f8b11311da08049d3940cd Mon Sep 17 00:00:00 2001
From: nimratcoderabbit
Date: Mon, 14 Jul 2025 12:49:51 -0400
Subject: [PATCH 3/5] Semgrep
---
.coderabbit.yml | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 .coderabbit.yml
diff --git a/.coderabbit.yml b/.coderabbit.yml
new file mode 100644
index 0000000..dcf8c91
--- /dev/null
+++ b/.coderabbit.yml
@@ -0,0 +1,2 @@
+reviews:
+ path_filters: ["**/*.yml","**/*.yaml"]
From fdb231b289087ae2aaa1c635bee76787d40e55da Mon Sep 17 00:00:00 2001
From: alex
Date: Wed, 16 Jul 2025 13:41:57 -0400
Subject: [PATCH 4/5] move files
---
semgrep/example.py => example.py | 0
semgrep/semgrep.yml => semgrep.yml | 0
2 files changed, 0 insertions(+), 0 deletions(-)
rename semgrep/example.py => example.py (100%)
rename semgrep/semgrep.yml => semgrep.yml (100%)
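Review bot: The fixture is not inert: `main()` runs at import time with no `if __name__ == "__main__":` guard, so importing or running the file executes `os.system("rm -rf " + path)` against whatever first CLI argument it is given and then `eval()`s interactive input — a static-analysis showcase that really deletes the path it is handed. Since the file exists only to produce Semgrep findings, put the `main()` call behind a `__main__` guard (the `os.system` concatenation, `eval`, and `md5` lines still match their rules without ever being reached) and add a top-of-file comment such as `# Intentionally insecure Semgrep fixture — do not execute` so nobody runs it to see the output. Patch 4 renames and patch 5 deletes this file unchanged, so the point applies for as long as it exists in history.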
diff --git a/semgrep/example.py b/example.py
similarity index 100%
rename from semgrep/example.py
rename to example.py
diff --git a/semgrep/semgrep.yml b/semgrep.yml
similarity index 100%
rename from semgrep/semgrep.yml
rename to semgrep.yml
From 6cc4edb0c76392595948ec163472a30abf5f5d24 Mon Sep 17 00:00:00 2001
From: alex
Date: Wed, 16 Jul 2025 13:44:35 -0400
Subject: [PATCH 5/5] fix semgrep
---
.coderabbit.yml | 2 +-
example.py | 32 --------------------------------
sampleReact.jsx | 11 +++++++++++
semgrep.yml | 20 +++++++++++++-------
4 files changed, 25 insertions(+), 40 deletions(-)
delete mode 100644 example.py
create mode 100644 sampleReact.jsx
diff --git a/.coderabbit.yml b/.coderabbit.yml
index dcf8c91..ce3d9c3 100644
--- a/.coderabbit.yml
+++ b/.coderabbit.yml
@@ -1,2 +1,2 @@
 reviews:
- path_filters: ["**/*.yml","**/*.yaml"]
+ path_filters: ["**/*","*"]
diff --git a/example.py b/example.py
deleted file mode 100644
index 6a3d3cc..0000000
--- a/example.py
+++ /dev/null
@@ -1,32 +0,0 @@
-import os
-import sys
-import hashlib
-
-# Hardcoded credentials
-USERNAME = "admin"
-PASSWORD = "secret123"
-
-def dangerous_eval():
- user_input = input("Enter a Python expression: ")
- result = eval(user_input)
- print("Evaluated result:", result)
-
-def delete_data(path):
- os.system("rm -rf " + path) # Semgrep: shell injection
-
-def hash_password(password):
- hashed = hashlib.md5(password.encode()).hexdigest() # Semgrep: weak hash
- return hashed
-
-def main():
- print("Logging in as", USERNAME)
- password_hash = hash_password(PASSWORD)
- print("Password hash:", password_hash)
-
- if len(sys.argv) > 1:
- delete_data(sys.argv[1])
-
- dangerous_eval()
-
-main()
-
diff --git a/sampleReact.jsx b/sampleReact.jsx
new file mode 100644
index 0000000..f5a8c19
--- /dev/null
+++ b/sampleReact.jsx
@@ -0,0 +1,11 @@
+function TestComponent() {
+ // ruleid:react-dangerouslysetinnerhtml
+ return
;
+}
+
+function OkComponent() {
+ // OK
+ const discordClientKey = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ';
+ return {__html: 'Первый · Второй'};
+
+
diff --git a/semgrep.yml b/semgrep.yml
index 405b747..901f0ee 100644
--- a/semgrep.yml
+++ b/semgrep.yml
@@ -1,8 +1,14 @@
 rules:
- - id: hardcoded-password
- pattern: password = "$SECRET"
- message: "Avoid hardcoded passwords"
- severity: ERROR
- languages: [python]
- metadata:
- category: security
+ - id: docs-react-dangerouslysetinnerhtml
+ languages:
+ - typescript
+ - javascript
+ message: >
+ Setting HTML from code is risky because it’s easy to inadvertently expose
+ your users to a cross-site scripting (XSS) attack.
+ pattern-either:
+ - pattern: |
+ <$X dangerouslySetInnerHTML=... />
+ - pattern: |
+ {dangerouslySetInnerHTML: ...}
+ severity: WARNING
\ No newline at end of file
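Review bot: `const discordClientKey = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ';` in OkComponent is a token-shaped literal committed to the repository; even though the component is labelled OK for the dangerouslySetInnerHTML rule, secret scanners will flag it and a reader cannot tell whether it is real. Replace it with an obviously constructed value such as `const discordClientKey = 'FAKE_KEY_FOR_SEMGREP_FIXTURE';`, and if a secret-shaped string is wanted to exercise another rule, say so in the `// OK` comment. The rendering of this hunk on the page appears to have lost the JSX element after `return` in TestComponent (the `@@ -0,0 +1,11 @@` header counts 11 lines but fewer are legible), so the flagged return expression itself could not be reviewed here.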
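Review bot: The `hardcoded-password` rule is removed outright rather than repaired, so after this commit the ruleset contains no secret-detection check at all; the removed rule's only real defect was the fixed lower-case variable name in `pattern: password = "$SECRET"`, which is why it never matched `PASSWORD = "secret123"` in the earlier fixture. Keep it as a second entry under `rules:` with the name bound as a metavariable, and give the new rule the `metadata:` block the old one had, with at least `category: security` and a `cwe:` entry, since it currently carries no metadata for triage. The file also ends without a trailing newline (`\ No newline at end of file`); add one so future hunks touching the last line stay clean.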