yaml.semgrep.slow-pattern-top-ellipsis.slow-pattern-top-ellipsis

Author: semgrep
Download count: 161

Using the ellipsis operator ... at the top of the pattern drastically slows down the rule performance.


Definition

rules:
  - id: slow-pattern-top-ellipsis
    languages:
      - yaml
    message: Using the ellipsis operator `...` at the top of the pattern drastically
      slows down the rule performance.
    patterns:
      - pattern-either:
          - pattern-inside: |
              pattern-inside: $X
          - pattern-inside: |
              pattern-not-inside: $X
          - pattern-inside: |
              pattern: $X
          - pattern-inside: |
              pattern-not: $X
      - pattern-regex: \|\s*\n\s*\.\.\.\s*\n[^\n]*\n\s*\.\.\.
    severity: WARNING
    metadata:
      category: performance
      technology:
        - semgrep
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

slow-pattern-top-ellipsis.test.yaml

rules:
  - id: javascript.phantom.security.audit.phantom-injection.phantom-injection
    message: >-
      If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities
    severity: WARNING
    languages:
      - javascript
    patterns:
      #ruleid: slow-pattern-top-ellipsis
      - pattern: |
          ...
          $PHANTOM = require('phantom');
          ...
      - pattern-not-inside: |
          var $INPUT = "...";
          ...
  - id: javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection
    message: >-
      If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities
    severity: WARNING
    languages:
      - javascript
    patterns:
      #ruleid: slow-pattern-top-ellipsis
      - pattern-inside: |
          ...
          require('playwright');
          ...
      - pattern-either:
          - pattern-inside: function $FUNC (...,$INPUT,...) {...}
          - pattern-inside: function (...,$INPUT,...) {...}
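An added example, not part of the registry rule or its test file: a small Python linter that applies the rule's own pattern-regex to a constructed rule file modelled on the test above, reports each statement wrapped in top-level ellipses, and rewrites it to the bare statement pattern, which Semgrep matches anywhere in the target file without the extra cost. The sample rules, `find_slow_patterns` and `rewrite_fast` are mine, not Semgrep's.

```python
import re

# Same regex as the registry rule's pattern-regex clause: a YAML block scalar
# (`|`) whose first line is `...`, then one line of pattern text, then `...`.
SLOW_TOP_ELLIPSIS = re.compile(r"\|\s*\n\s*\.\.\.\s*\n[^\n]*\n\s*\.\.\.")

# Extends the same shape with the pattern key in front, so the whole block can
# be replaced by an inline scalar holding just the statement.
REWRITE = re.compile(
    r"(pattern(?:-inside|-not-inside|-not)?:[ \t]*)\|\s*\n\s*\.\.\.\s*\n([^\n]*)\n\s*\.\.\."
)

# Constructed rule file, trimmed from the test case shown above.
SAMPLE_RULES = """\
rules:
  - id: phantom-injection
    languages: [javascript]
    severity: WARNING
    message: unverified data reaching phantom page methods
    patterns:
      - pattern: |
          ...
          $PHANTOM = require('phantom');
          ...
      - pattern-not-inside: |
          var $INPUT = "...";
          ...
  - id: playwright-evaluate-arg-injection
    languages: [javascript]
    severity: WARNING
    message: unverified data reaching evaluate
    patterns:
      - pattern-inside: |
          ...
          require('playwright');
          ...
      - pattern-either:
          - pattern-inside: function $FUNC (...,$INPUT,...) {...}
"""


def find_slow_patterns(rule_text: str) -> list[str]:
    """Return the statements sandwiched between top-level `...` lines."""
    hits = []
    for m in SLOW_TOP_ELLIPSIS.finditer(rule_text):
        lines = [ln.strip() for ln in m.group(0).splitlines()]
        hits.extend(ln for ln in lines if ln not in ("|", "...", ""))
    return hits


def rewrite_fast(rule_text: str) -> str:
    """Replace each slow block with `pattern-key: <statement>`; a bare statement
    pattern already matches at any position, so the ellipses add nothing."""
    return REWRITE.sub(lambda m: m.group(1) + m.group(2).strip(), rule_text)


if __name__ == "__main__":
    for stmt in find_slow_patterns(SAMPLE_RULES):
        print("slow top-level ellipsis around:", stmt)
    print(rewrite_fast(SAMPLE_RULES))
```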