r2c-best-practices
A collection of opinionated rules for best practices in popular languages. Recommended for users who want really strict coding standards.
Run Locally
Rules (125)
semgrepFunction $F mutates default dict $D. Python only instantiates default function arguments once and shares the instance across the function calls. If the default function argument is mutated, that will modify the instance used by all future function calls. This can cause unexpected results, or lead to security vulnerabilities whereby one function consumer can view or modify the data of another function consumer. Instead, use a default argument (like None) to indicate that no argument was provided and instantiate a new dictionary at that time. For example: `if $D is None: $D = {}`.
semgrepFunction $F mutates default list $D. Python only instantiates default function arguments once and shares the instance across the function calls. If the default function argument is mutated, that will modify the instance used by all future function calls. This can cause unexpected results, or lead to security vulnerabilities whereby one function consumer can view or modify the data of another function consumer. Instead, use a default argument (like None) to indicate that no argument was provided and instantiate a new list at that time. For example: `if $D is None: $D = []`.
semgrepIt appears that `$DICT[$KEY]` is a dict with items being deleted while in a for loop. This is usually a bad idea and will likely lead to a RuntimeError: dictionary changed size during iteration
semgrepThis expression is always True: `$X == $X` or `$X != $X`. If testing for floating point NaN, use `math.isnan($X)`, or `cmath.isnan($X)` if the number is complex.
semgrepUsing '$F.name' without '.flush()' or '.close()' may cause an error because the file may not exist when '$F.name' is used. Use '.flush()' or close the file before using '$F.name'.
semgrepif block checks for the same condition on both branches (`$X`)
semgrepDetected useless if statement. 'if (True)' and 'if (False)' always result in the same behavior, and therefore is not necessary in the code. Remove the 'if (False)' expression completely or just the 'if (True)' comparison depending on which expression is in the code.
semgrepFound string comparison using 'is' operator. The 'is' operator is for reference equality, not value equality, and therefore should not be used to compare strings. For more information, see https://github.com/satwikkansal/wtfpython#-how-not-to-use-is-operator"
semgrepIt appears that `$LIST` is a list that is being modified while in a for loop. This will likely cause a runtime error or an infinite loop.
semgrepUsing strings as booleans in Python has unexpected results. `"one" and "two"` will return "two". `"one" or "two"` will return "one". In Python, strings are truthy, and strings with a non-zero length evaluate to True.
semgrepDetected identical statements in the if body and the else body of an if-statement. This will lead to the same code being executed no matter what the if-expression evaluates to. Instead, remove the if statement.
semgrepDetected an if block that checks for the same condition on both branches (`$X`). The second condition check is useless as it is the same as the first, and therefore can be removed from the code,
semgrep`$X == $X` or `$X != $X` is always true. (Unless the value compared is a float or double). To test if `$X` is not-a-number, use `Double.isNaN($X)`.
semgrepIn Python 'X is not ...' is different from 'X is (not ...)'. In the latter the 'not' converts the '...' directly to boolean.
semgrepStrings should not be compared with '=='. This is a reference comparison operator. Use '.equals()' instead.
semgrep`return` should never appear inside a class __init__ function. This will cause a runtime error.
semgrep`yield` should never appear inside a class __init__ function. This will cause a runtime error.
semgrepDetected a useless comparison operation `$X == $X` or `$X != $X`. This operation is always true. If testing for floating point NaN, use `math.isnan`, or `cmath.isnan` if the number is complex.
semgrepThis is not checking the return value of this subprocess call; if it fails no exception will be raised. Consider subprocess.check_call() instead
semgrepFound identical comparison using is. Ensure this is what you intended.
semgrepIn Python3, a runtime `TypeError` will be thrown if you attempt to raise an object or class which does not inherit from `BaseException`
semgrepDetected use of `exit`. Use `sys.exit` over the python shell `exit` built-in. `exit` is a helper for the interactive shell and may not be available on all Python implementations.
semgrepDetected strings that are implicitly concatenated inside a list. Python will implicitly concatenate strings when not explicitly delimited. Was this supposed to be individual elements of the list?
semgrepDetected a 'requests' call without a timeout set. By default, 'requests' calls wait until the connection is closed. This means a 'requests' call without a timeout will hang the program if a response is never received. Consider setting a timeout for all 'requests'.
semgrepUse tempfile.NamedTemporaryFile instead. From the official Python documentation: THIS FUNCTION IS UNSAFE AND SHOULD NOT BE USED. The file name may refer to a file that did not exist at some point, but by the time you get around to creating it, someone else may have beaten you to the punch.
semgrepnull=True should be set if blank=True is set on non-text fields.
semgrepIf a text field declares unique=True and blank=True, null=True must also be set to avoid unique constraint violations when saving multiple objects with blank values.
semgrepUse JsonResponse instead
semgrepLooks like you need to determine the number of records. Django provides the count() method which is more efficient than .len(). See https://docs.djangoproject.com/en/3.0/ref/models/querysets/
semgrepLooks like you are only accessing first element of an ordered QuerySet. Use `latest()` or `earliest()` instead. See https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.latest
semgrepYou are using environment variables inside django app. Use `django-environ` as it a better alternative for deployment.
semgrepClass $C inherits from both `$A` and `$B` which both have a method named `$F`; one of these methods will be overwritten.
semgrepValues returned by thread pool map must be read in order to raise exceptions. Consider using `for _ in $EXECUTOR.map(...): pass`.
semgrepDetected a file object that is redefined and never closed. This could leak file descriptors and unnecessarily consume system resources.
semgreppdb is an interactive debugging tool and you may have forgotten to remove it before committing your code
semgrepThe file object '$FD' was opened in read mode, but is being written to. This will cause a runtime error.
semgrepAccessing request object inside a route handle for HTTP GET command will throw due to missing request body.
semgrepflask.jsonify() is a Flask helper method which handles the correct settings for returning JSON from Flask routes
semgrepDetected a django model `$MODEL` is not calling super().save() inside of the save method.
semgrepLooks like `$R` is a flask function handler that registered to two different routes. This will cause a runtime error
semgrep.delete().where(...) results in a no-op in SQLAlchemy unless the command is executed, use .filter(...).delete() instead.
semgrepUse `click.secho($X)` instead. It combines click.echo() and click.style().
semgrepThe host argument to assertRedirects is removed in Django 2.0.
semgrepThe assignment_tag helper is removed in Django 2.0.
semgrepdjango.db.backends.base.BaseDatabaseOperations.check_aggregate_support() is removed in Django 2.0.
semgrepThe django.forms.extras package is removed in Django 2.0.
semgrepThe weak argument to django.dispatch.signals.Signal.disconnect() is removed in Django 2.0.
semgrepYou should use ITEM.user_id rather than ITEM.user.id to prevent running an extra query.
semgrepdeprecated Flask API
semgrepRather than adding one element at a time, consider batch loading to improve performance.
semgrepUsing QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side.
semgrepmanually creating a counter - use collections.Counter
semgrepmanually creating a defaultdict - use collections.defaultdict(dict)
semgrepmanually creating a defaultdict - use collections.defaultdict(list)
semgrepmanually creating a defaultdict - use collections.defaultdict(set)
semgrepClass `$A` has defined `__eq__` which means it should also have defined `__hash__`;
semgrepfile object opened without corresponding close
semgrep`pass` is the body of function $X. Consider removing this or raise NotImplementedError() if this is a TODO
semgrep`pass` is the body of for $X in $Y. Consider removing this or raise NotImplementedError() if this is a TODO
semgrepImporting the python debugger; did you mean to leave this in?
semgreptime.sleep() call; did you mean to leave this in?
semgrepthe `errors` argument to Popen is only available on Python 3.6+
semgrepthe `encoding` argument to Popen is only available on Python 3.6+
semgrepthis function is only available on Python 3.6+
semgrepFound usage of the 'blocksize' argument in a HTTPConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.
semgrepFound usage of the 'blocksize' argument in a HTTPSConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.
semgrepsource_hash' is only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Instead, use another hash function.
semgrepFound 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions.
semgrepFound usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.
semgrepIPv4Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in 'subnets'.
semgrepIPv4Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in 'supernet'.
semgrepIPv6Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in 'subnets'.
semgrepIPv6Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in 'supernet'.
semgrepFound usage of the 'monetary' argument in a function call of 'locale.format_string'. This is only available on Python 3.7+ and is therefore not backwards compatible. Instead, remove the 'monetary' argument.
semgrepmath.remainder is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use math.fmod() or calculate $X - n* $Y.
semgrepmultiprocessing.Process.close() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use join().
semgrepmultiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate().
semgrepos.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread().
semgrepos.pwritev() is only available on Python 3.3+ and is therefore not backwards compatible. Instead, use a combination of pwrite() and writev().
semgreppdb.set_trace() with the header argument is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use set_trace() without the header argument.
semgrepFound usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.
semgrepcode after return statement will not be executed
semgrep`return` only makes sense inside a function
semgrepkey `$Y` in `$X` is assigned twice; the first assignment is useless
semgrepUseless if statement; both blocks have the same body
semgrepfunction `$FF` is defined inside a function but never used
semgrepAvoid using null on string-based fields such as CharField and TextField. If a string-based field has null=True, that means it has two possible values for "no data": NULL, and the empty string. In most cases, it's redundant to have two possible values for "no data;" the Django convention is to use the empty string, not NULL.
semgrepUse 'django.db.models.OneToOneField' instead of 'ForeignKey' with unique=True. 'OneToOneField' is used to create one-to-one relationships.
semgrepDetected hardcoded temp directory. Consider using 'tempfile.TemporaryFile' instead.
semgrepThere's an HTTP request made with requests, but the raise_for_status() utility method isn't used. This can result in request errors going unnoticed and your code behaving in unexpected ways, such as if your authorization API returns a 500 error while you're only checking for a 401.
semgrepDetected conversion of the result of a strconv.Atoi command to an int16. This could lead to an integer overflow, which could possibly result in unexpected behavior and even privilege escalation. Instead, use `strconv.ParseInt`.
semgrepDetected conversion of the result of a strconv.Atoi command to an int32. This could lead to an integer overflow, which could possibly result in unexpected behavior and even privilege escalation. Instead, use `strconv.ParseInt`.
semgrepDetected file permissions that are set to more than `0600` (user/owner can read and write). Setting file permissions to higher than `0600` is most likely unnecessary and violates the principle of least privilege. Instead, set permissions to be `0600` or less for os.Chmod, os.Mkdir, os.OpenFile, os.MkdirAll, and ioutil.WriteFile
semgrepDetected useless comparison operation `$X == $X` or `$X != $X`. This will always return 'True' or 'False' and therefore is not necessary. Instead, remove this comparison operation or use another comparison expression that is not deterministic.
semgrepThe value of `$X` is being ignored and will be used in the conditional test
semgrepThis if statement will always have the same behavior and is therefore unnecessary.
semgrepFound a FloatField used for variable $F. Use DecimalField for currency fields to avoid float-rounding errors.
semgrepComparison to boolean. Just use `not $X`
semgrepComparison to boolean. Just use `$X`
semgrepYou should not use Hashtbl.find outside of a try, or you should use Hashtbl.find_opt
semgrepBackwards if. Rewrite the code as 'if not $E then $E2'.
semgrepUseless else. Just remove the else branch;
semgrepYou should not use List.find outside of a try, or you should use List.find_opt
semgrepYou should use `decr`
semgrepYou should use `incr`
semgrepUse instead `Str.first_chars`
semgrepUse instead `Str.last_chars`
semgrepUse instead `Str.string_after`
semgrepUseless sprintf
semgrepPervasives is deprecated and will not be available after 4.10. Use Stdlib.
semgrepYou probably want $X = [], which is faster.
semgrepYou probably want $X <> [], which is faster.
semgrep`$X` is assigned twice; the first assignment is useless
semgrepUnsafe usage of mutable initializer with attr.s decorator. Multiple instances of this class will re-use the same data structure, which is likely not the desired behavior. Consider instead: replace assignment to mutable initializer (ex. dict() or {}) with attr.ib(factory=type) where type is dict, set, or list
semgrepOnly comparison operators should be used inside SQLAlchemy filter expressions. Use `==` instead of `is`, `!=` instead of `is not`, `sqlalchemy.and_` instead of `and`, `sqlalchemy.or_` instead of `or`, `sqlalchemy.not_` instead of `not`, and `sqlalchemy.in_` instead of `in_`.
semgrep`undefined` is not a reserved keyword in Javascript, so this is "valid" Javascript but highly confusing and likely to result in bugs.
semgrepfound alert() call; should this be in production code?
semgrepfound confirm() call; should this be in production code?
semgrepfound debugger call; should this be in production code?
semgrepfound prompt() call; should this be in production code?
semgrepThese APIs are deprecated in Bokeh see https://docs.bokeh.org/en/latest/docs/releases.html#api-deprecations
semgrepFlask class method GET with side effects
semgrepThe string method replaceAll is not supported in all versions of javascript, and is not supported by older browser versions. Consider using replace() with a regex as the first argument instead like mystring.replace(/bad/g, "good") instead of mystring.replaceAll("bad", "good") (https://discourse.threejs.org/t/replaceall-is-not-a-function/14585)
semgrepDetected a channel guarded with a mutex. Channels already have an internal mutex, so this is unnecessary. Remove the mutex. See https://hackmongo.com/page/golang-antipatterns/#guarded-channel for more information.
semgrepDetected a hidden goroutine. Function invocations are expected to synchronous, and this function will execute asynchronously because all it does is call a goroutine. Instead, remove the internal goroutine and call the function using 'go'.