yaml.semgrep.slow-pattern-single-metavariable.slow-pattern-single-metavariable

Using a single metavariable as a pattern drastically slows down the rule performance because it will match every expression in a file. Instead, try to match something specific such as a function name, or anchor on a statement that may occur above or below the pattern. The more specific you can be, the faster the pattern will run.
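As an added example (not code from the rule page or the semgrep-rules project), a hypothetical rule written in the slow single-metavariable style beside the rewrite the description recommends; the rule ids and the eval()/input() target are constructed for illustration, and both forms report the same input(...) argument:

```yaml
rules:
# Slow form: `pattern: $ARG` is a single bare metavariable, so it matches
# every expression in the file; only the pattern-inside anchor then narrows
# the candidates down to eval() call sites. This is the line the
# slow-pattern-single-metavariable rule flags.
- id: eval-of-user-input-slow
  languages: [python]
  severity: WARNING
  message: eval() called on a value read from input()
  patterns:
  - pattern-inside: eval(...)
  - pattern: $ARG
  - metavariable-pattern:
      metavariable: $ARG
      pattern: input(...)

# Recommended form: the pattern names the eval() call itself, so only those
# call sites are considered and $ARG is bound from their argument.
# focus-metavariable keeps the reported range on the argument, as the bare
# `$ARG` did in the slow rule, instead of widening it to the whole eval() call.
- id: eval-of-user-input-fast
  languages: [python]
  severity: WARNING
  message: eval() called on a value read from input()
  patterns:
  - pattern: eval($ARG)
  - metavariable-pattern:
      metavariable: $ARG
      pattern: input(...)
  - focus-metavariable: $ARG
```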
Definition
rules:
- id: slow-pattern-single-metavariable
  languages:
  - yaml
  message: Using a single metavariable as a pattern drastically slows down the
    rule performance because it will match every expression in a file.
    Instead, try to match something specific such as a function name, or
    anchor on a statement that may occur above or below the pattern. The more
    specific you can be, the faster the pattern will run.
  patterns:
  - pattern-either:
    - pattern-inside: |
        pattern-inside: $PATTERN
    - pattern-inside: |
        pattern-not-inside: $PATTERN
    - pattern-inside: |
        pattern: $PATTERN
    - pattern-inside: |
        pattern-not: $PATTERN
  - metavariable-regex:
      metavariable: $PATTERN
      regex: \$[A-Z_]*
  severity: WARNING
  metadata:
    category: performance
    technology:
    - semgrep
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
slow-pattern-single-metavariable.test.yaml
rules:
- id: typescript.react.best-practice.react-props-in-state.react-props-in-state
  pattern-either:
  - patterns:
    # ok: slow-pattern-single-metavariable
    - pattern-inside: |
        class $CN extends React.Component {
          ...
        }
    - pattern-either:
      # ok: slow-pattern-single-metavariable
      - pattern: |
          state = {$NAME: <... this.props.$PROP ...>}
      # ok: slow-pattern-single-metavariable
      - pattern: |
          this.state = {$NAME: <... this.props.$PROP ...>}
  - patterns:
    # ok: slow-pattern-single-metavariable
    - pattern-inside: |
        function $FN({$PROP},...) {
          ...
        }
    # ok: slow-pattern-single-metavariable
    - pattern-inside: useState(...)
    # ruleid: slow-pattern-single-metavariable
    - pattern: $PROP
  - patterns:
    # ok: slow-pattern-single-metavariable
    - pattern-inside: |
        function $FN($PROP,...) {
          ...
        }
    # ok: slow-pattern-single-metavariable
    - pattern-inside: useState(...)
    # ruleid: slow-pattern-single-metavariable
    - pattern-not: $PROP
  message: >-
    It is a bad practice to stop the data flow in rendering by copying props into state.
  metadata:
    references:
    - https://overreacted.io/writing-resilient-components/#principle-1-dont-stop-the-data-flow
  languages:
  - typescript
  - javascript
  severity: WARNING
Short Link: https://sg.run/DJ1W