returntocorp

Rules (2108)

Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.

Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.

this function is only available on Python 3.7+

Make sure that unverified user data can not reach vm instance.

Make sure that unverified user data can not reach `vm2`.

Make sure that unverified user data can not reach vm.compileFunction.

Make sure that unverified user data can not reach vm.runInContext.

Make sure that unverified user data can not reach vm.runInNewContext.

Make sure that unverified user data can not reach `vm2`.

You probably want the structural equality operator =

You probably want the structural inequality operator <>

This is always true. If testing for floating point NaN, use `Float.is_nan` instead.

Useless if. Both branches are equal.

Useless let

You should probably use Filename.get_temp_dirname().

You probably want $X <> [], which is faster.

Packages in base containers should be up-to-date, removing the need to upgrade or dist-upgrade. If a package is out of date, contact the maintainers.

Using '--platform' with FROM restricts the image to build on a single platform. Further, this must be the same as the build platform. If you intended to specify the target platform, use the utility 'docker buildx --platform=' instead.

Some commands such as `$CMD` do not make sense in a container. Do not use these.

'apt-get' is preferred as an unattended tool for stability. 'apt' is discouraged.

Packages in base images should be up-to-date, removing the need for 'apk upgrade'. If packages are out-of-date, consider contacting the base image maintainer.

Packages in base images should be up-to-date, removing the need for 'dnf update'. If packages are out-of-date, consider contacting the base image maintainer.

Packages in base images should be up-to-date, removing the need for 'yum update'. If packages are out-of-date, consider contacting the base image maintainer.

Packages in base images should be up-to-date, removing the need for 'zypper update'. If packages are out-of-date, consider contacting the base image maintainer.

MAINTAINER has been deprecated.

This apk command is missing '--no-cache'. This forces apk to use a package index instead of a local package cache, removing the need for '--update' and the deletion of '/var/cache/apk/*'. Add '--no-cache' to your apk command.

This 'dnf install' is missing the '-y' switch. This might stall builds because it requires human intervention. Add the '-y' switch.

This dnf command does not end with '&& dnf clean all'. Running 'dnf clean all' will remove cached data and reduce package size. (This must be performed in the same RUN step.)

This 'apt-get install' is missing '--no-install-recommends'. This prevents unnecessary packages from being installed, thereby reducing image size. Add '--no-install-recommends'.

This 'yum install' is missing the '-y' switch. This might stall builds because it requires human intervention. Add the '-y' switch.

This yum command does not end with '&& yum clean all'. Running 'yum clean all' will remove cached data and reduce package size. (This must be performed in the same RUN step.)

This 'zypper install' is missing the '-y' switch. This might stall builds because it requires human intervention. Add the '-y' switch.

Prefer JSON notation when using CMD or ENTRYPOINT. This allows signals to be passed from the OS.

Warning: MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).

path for `$URL` is uselessly assigned twice

path for `$URL` is assigned twice with different names

The path for `$URL` is assigned once to view `$VIEW` and once to `$DIFFERENT_VIEW`, which can lead to unexpected behavior. Verify what the intended target view is and delete the other route.

The name `$NAME` is used for both `$URL` and `$OTHER_URL`, which can lead to unexpected behavior when using URL reversing. Pick a unique name for each path.

Two identical pattern clauses were detected. This will cause Semgrep to run the same pattern twice. Remove one of the duplicate pattern clauses.

This rule has an empty message field. Consider adding a message field that communicates why this rule is an issue and how to fix it. This will increase the chance that the finding gets addressed.

The `owasp` tag in Semgrep rule metadata should start with the format "A00:YYYY", where A00 is the OWASP top ten number and YYYY is the OWASP top ten year.

The references in rule metadata should always be a list, even if there's only one.

You can not use 'pattern' $A and 'pattern-not' $A together; this will always be empty.

$...CWE The cwe tag in rule metadata should always be in the format "CWE-000: Title".

Lazy loading can complicate code bundling if care is not taken, also `require`s are run synchronously by Node.js. If they are called from within a function, it may block other requests from being handled at a more critical time. The best practice is to `require` modules at the beginning of each file, before and outside of any functions.

Using == on char* performs pointer comparison; use strcmp instead.

Semgrep found a bash reverse shell

Images should be tagged with an explicit version to produce deterministic container images.

Attribute $ATT is read from two different sources: '$X.$ATT' and '$Y.$ATT'. Make sure this is intended, as this could cause logic bugs if they are treated as if they are the same object.

This Semgrep rule is missing a valid 'category' field in the 'metadata'. 'category' must be one of 'security', 'correctness', 'best-practice', 'performance', 'maintainability', or 'portability'.

Unnecessary parent operator. Remove one to fix.

This Semgrep rule is missing a 'technology' field in the 'metadata'. Consider adding a list of technologies based on the rule's associated library or framework, or another piece of relevant information.

This is always true. If testing for floating point NaN, use `Float.is_nan` instead.

Useless if. Both branches are equal.

Useless let

You should probably use Filename.get_temp_dirname().

The ADD command will accept and include files from a URL. This potentially exposes the container to a man-in-the-middle attack. Since ADD can have this and other unexpected side effects, the use of the more explicit COPY command is preferred.

When you set a fractional CPU limit on a container, the CPU cycles available will be throttled, even though most nodes can handle processes alternating between using 100% of the CPU.

Using the ellipsis operator `...` at the top of the pattern drastically slows down the rule performance.

'input_line' leaves a '\r' (CR) character when reading lines from a Windows text file, whose lines end in "\r\n" (CRLF). This is a problem for any Windows file that is being read either on a Unix-like platform or on Windows in binary mode. If the code already takes care of removing any trailing '\r' after reading the line, add a '(* nosemgrep *)' comment to disable this warning.

'open_in' behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use 'open_in_bin' or 'open_in_gen [Open_binary]'. If you really want CRLF-to-LF translations to take place when running on Windows, use 'open_in_gen [Open_text]'.

'open_out' behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use 'open_out_bin' or 'open_out_gen [Open_binary]'. If you really want LF-to-CRLF translations to take place when running on Windows, use 'open_out_gen [Open_text]'.

This application has anti-CSRF protection which prevents cross-site request forgery attacks.

X-Permitted-Cross-Domain-Policies header set to off. More information: https://helmetjs.github.io/docs/crossdomain/

Content Security Policy header is present. More Information: https://helmetjs.github.io/docs/csp/

Expect-CT header is present. More information: https://helmetjs.github.io/docs/expect-ct/

X-DNS-Prefetch-Control header is present and DNS Prefetch Control is enabled. More information: https://helmetjs.github.io/docs/dns-prefetch-control/

Feature-Policy header is present. More information: https://helmetjs.github.io/docs/feature-policy/

X-Frame-Options header is present. More information: https://helmetjs.github.io/docs/frameguard/

HSTS header is present. More information: https://helmetjs.github.io/docs/hsts/

X-Download-Options header is present. More information: https://helmetjs.github.io/docs/ienoopen/

Content-Type-Options header is present. More information: https://helmetjs.github.io/docs/dont-sniff-mimetype/

Referrer-Policy header is present. More information: https://helmetjs.github.io/docs/referrer-policy/

Default X-Powered-By is removed or modified. More information: https://helmetjs.github.io/docs/hide-powered-by/

X-XSS-Protection header is present. More information: https://helmetjs.github.io/docs/xss-filter/

This application has API rate limiting controls.

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending on the use case (the application can send requests only to identified and trusted applications, or the application can send requests to ANY external IP address or domain name). Refer to https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html for more information on how to fix each case.

Potential inter-process write of RegionInfo $RI via $PIPESTREAM $P that was instantiated with a two-character culture code $REGION. Per .NET documentation, if you want to persist a RegionInfo object or communicate it between processes, you should instantiate it by using a full culture name rather than a two-letter ISO region code.

When performing yarn install, make sure to use the lockfile. Without `--frozen-lockfile`, yarn will update the lockfile rather than using the pinned versions.

Calling setState on the current state is always a no-op. Did you mean to change the state like $Y(!$X) instead?

DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.

Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA for more information.

This comparison is useless because the expressions being compared are identical. This is expected to always return the same result, 0, unless your code is really strange.

Having a `break`, `continue`, or `return` in a `finally` block will cause strange behaviors, like exceptions not being caught.

It looks like no matter how $CONDITION is evaluated, this expression returns $ANS. This is probably a copy-paste error.

This Gitlab CI YAML will never run on default branches due to a `changes` rule with `when:never`. To fix this, make sure the triggering event is a push event. You can do this with `if: '$CI_PIPELINE_SOURCE == "push"'`. See https://docs.gitlab.com/ee/ci/yaml/index.html#ruleschanges

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'bash' instead.

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'cpp' instead.

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'csharp' instead.

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'dockerfile' instead.

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'elixir' instead.

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'go' instead.

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'hcl' instead.

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'js' instead.

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'kotlin' instead.

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'python' instead.

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'regex' instead.

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'solidity' instead.

Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'ts' instead.

This rule has a multi-line message field, which may display poorly in a terminal. Consider ensuring it is on one line. For example, use `message: >-`, not `message: |`.