yaml.semgrep.missing-language-field.missing-language-field

Please include a 'languages' field for your rule $RULEID!
Definition
# Meta-rule for Semgrep rule files: flag a rule entry that has an `id` but no
# `languages` field. `languages` is listed as required by the rule-syntax docs
# referenced below, so a rule without it is a malformed rule rather than a
# rule that silently scans nothing.
rules:
  - id: missing-language-field
    message: Please include a 'languages' field for your rule $RULEID!
    # The rule targets YAML, i.e. it scans Semgrep rule files themselves.
    languages: [yaml]
    pattern-either:
      # Branch 1: an ordinary (non-join) rule directly under `rules:`.
      - patterns:
          - pattern-inside: "rules: [..., $RULE, ...]"
          - pattern: "id: $RULEID"
          # A rule that declares `languages` is fine.
          - pattern-not-inside: |
              - ...
                languages: ...
          # `mode: join` rules carry no top-level `languages`; their inner
          # rules are checked by branch 2 instead.
          - pattern-not-inside: |
              - ...
                mode: join
      # Branch 2: the inner rules listed under `join.rules` of a join-mode
      # rule. Each of those must declare `languages` on its own.
      - patterns:
          - pattern-inside: |
              rules: [ ..., $OUTER_RULE, ...]
          - pattern-inside: $OUTER_RULE
          - pattern-inside: |
              id: $OUTER_RULEID
              mode: join
              join:
                rules: [ ..., $INNER_RULE, ...]
                ...
              ...
          - pattern-inside: $INNER_RULE
          - pattern-not-inside: |
              - languages: ...
                ...
          - pattern: |
              id: $RULEID
    severity: WARNING
    metadata:
      references:
        - https://semgrep.dev/docs/writing-rules/rule-syntax/#required
      category: correctness
      technology: [semgrep]
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
missing-language-field.test.yaml
# Test fixture for missing-language-field. The `# ruleid:` / `# ok:`
# annotations mark whether a finding is expected on the line that follows.
rules:
  # Plain rule with no `languages` key at all: expected finding.
  # ruleid: missing-language-field
  - id: unchecked-subprocess-call
    patterns:
      - pattern-either:
          - pattern: |
              subprocess.call(...)
          - pattern: |
              subprocess.call(...)
      - pattern-not-inside: |
          $S = subprocess.call(...)
      - pattern-not-inside: |
          subprocess.call(...) == $X
    message: ""
    severity: WARNING
    fix: subprocess.check_call(...)
  # Plain rule that declares `languages`: no finding.
  # ok: missing-language-field
  - id: other-rule
    languages: [generic]
    message: ""
    severity: INFO
    pattern: <div>hello</div>
  # Join-mode outer rule: exempt at the top level, since it has no
  # `languages` of its own; only its inner `join.rules` entries are checked.
  # ok: missing-language-field
  - id: flask-likely-xss
    mode: join
    join:
      rules:
        # Inner rule with `languages`: no finding.
        # ok: missing-language-field
        - id: user-input
          pattern: |
            $VAR = flask.request.$SOMETHING.get(...)
          languages: [python]
        # Inner rule with `languages`: no finding.
        # ok: missing-language-field
        - id: unescaped-extensions
          languages: [python]
          patterns:
            - pattern: |
                flask.render_template("$TEMPLATE", ..., $KWARG=$VAR, ...)
            - metavariable-regex:
                metavariable: '$TEMPLATE'
                regex: ".*(?<!html)$"
        # Inner rule whose `languages` line is commented out: expected finding.
        # ruleid: missing-language-field
        - id: template-vars
          #languages: [generic]
          pattern: |
            {{ $VAR }}
      on:
        - 'user-input.$VAR == unescaped-extensions.$VAR'
        - 'unescaped-extensions.$KWARG == template-vars.$VAR'
        - 'unescaped-extensions.$TEMPLATE < template-vars.path'
    message: >-
      Detected a XSS vulnerability: '$VAR' is rendered
      unsafely in '$TEMPLATE'.
    severity: ERROR
Short Link: https://sg.run/Zeox