trailofbits
Written by the Trail of Bits security experts. See https://github.com/trailofbits/semgrep-rules for more.
Run Locally
Rules (78)
trailofbitsPotential goroutine leak due to unbuffered channel send inside loop or unbuffered channel receive in select block
trailofbitsPotential `$FOO` nil dereference when `$BAR` is called
trailofbitsAppending `$SLICE` from multiple goroutines is not concurrency safe
trailofbitsWriting `$MAP` from multiple goroutines is not concurrency safe
trailofbitsThe `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. An incorrect implementation could lead to denial of service
trailofbitsDowncasting or changing sign of an integer with `$CAST_METHOD` method
trailofbitsA `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended
trailofbitsCalling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait` waiting for more or less calls to `$WG.Done()` than expected
trailofbitsCalling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()`
trailofbitsPossible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker
trailofbitsFound container command (docker, podman) with extended privileges
trailofbitsFound container command running as root
trailofbitsFound `curl` command disabling SSL verification
trailofbitsFound `curl` command with unencrypted URL (e.g. HTTP, FTP, etc.)
trailofbitsFound `gpg` command using insecure flags
trailofbitsFound `installer` command allowing untrusted installations
trailofbitsFound `openssl` command using insecure flags
trailofbitsFound `ssh` command disabling host key checking
trailofbitsFound `tar` command using insecure flags
trailofbitsFound `wget` command disabling SSL verification
trailofbitsFound `wget` command with unencrypted URL (e.g. HTTP, FTP, etc.)
trailofbitsVariable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference
trailofbitsIteration over a possibly empty map `$C`. This is likely a bug or redundant code
trailofbitsMissing `RUnlock` on an `RWMutex` (`$T` variable) lock before returning from a function
trailofbitsMissing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations
trailofbitsThe function is vulnerable to DLL hijacking attacks. Use `windows.NewLazySystemDLL()` function to limit DLL search to the Windows directory
trailofbitsThe Apollo GraphQL uses the 'schemaDirectives' option. This works in ApolloServer v2, but does nothing in version >=3. Depending on what the directives are used for, this can expose authenticated endpoints, disable rate limiting, and more. See the references on how to create custom directives in v3 and v4.
trailofbitsThe Apollo GraphQL server is using the graphql-upload library. This library allows file uploads using POSTs with content-type: multipart/form-data, which can enable to CSRF attacks. Ensure that you are enabling CSRF protection if you really need to use graphql-upload .
trailofbitsThe Apollo GraphQL server is setup with a CORS policy that does not deny all origins. Carefully review the origins to see if any of them are incorrectly setup (third-party websites, bad regexes, functions that reflect every origin, etc.).
trailofbitsThe Apollo GraphQL server is setup with a CORS policy that reflects any origin, or with a regex that has known flaws.
trailofbitsThe Apollo GraphQL server lacks a CORS policy. By default, the server uses the Access-Control-Allow-Origin HTTP header with the wildcard value (*).
trailofbitsThe Apollo GraphQL server is setup with a CORS policy that reflects any origin, or with a regex that has known flaws.
trailofbitsThe Apollo GraphQL server lacks a CORS policy. By default, the batteries-included apollo-server package serves the Access-Control-Allow-Origin HTTP header with the wildcard value (*).
trailofbitsThe Apollo GraphQL server lacks the 'csrfPrevention' option. This option is 'false' by the default in v3 of the Apollo GraphQL v3, which can enable CSRF attacks.
trailofbitsThe Apollo GraphQL server sets the 'csrfPrevention' option to false. This can enable CSRF attacks.
trailofbitsCalling `gc` suggests to the JVM that the garbage collector should be run, and memory should be reclaimed. This is only a suggestion, and there is no guarantee that anything will happen. Relying on this behavior for correctness or memory management is an anti-pattern.
trailofbitsFound MongoDB client with SSL hostname verification disabled
trailofbitsIf possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency
trailofbitsFound usage of the `$FLAVOR` library, which is vulnerable to attacks such as XML external entity (XXE) attacks
trailofbitsFound usage of msgpack-numpy unpacking, which relies on pickle to deserialize numpy arrays containing objects. Functions reliant on pickle can result in arbitrary code execution. Consider switching to a safer serialization method.
trailofbitsNumPy distutils is deprecated, and will be removed in the future
trailofbitsCompiling arbitrary code can result in code execution. Ensure the source code is from a trusted location
trailofbitsUsing the NumPy RNG inside of a PyTorch dataset can lead to a number of issues with loading data, including identical augmentations. Instead, use the random number generators built into Python and PyTorch
trailofbitsUsage of NumPy library inside PyTorch `$MODULE` module was found. Avoid mixing these libraries for efficiency and proper ONNX loading
trailofbitsLoading custom operator libraries can result in arbitrary code execution
trailofbitsLoading custom operator libraries can result in arbitrary code execution
trailofbitsPandas eval() and query() may be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
trailofbitsThe usage of pickle and hdf5 formats for model files are deprecated in Keras. The keras.models.load_model function is deprecated as well. Keras is now embedded in Tensorflow 2 under tensorflow.keras.
trailofbitsKeras' load_model function may result in arbitrary code execution: - It can load vulnerable pickled models - It can load an hdf5 model that contains a lambda layer with arbitrary code that will be executed every time the model is used (loading, training, eval) Note: Keras loading with the built-in file format should be safe as long as checks are not disabled.
trailofbitsFunctions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method
trailofbitsFunctions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method
trailofbitsFunctions reliant on pickle can result in arbitrary code execution
trailofbitsFunctions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX
trailofbitsTensorflow's low-level load function may result in arbitrary code execution.
trailofbitsLoading custom operator libraries can result in arbitrary code execution
trailofbitsAvoid importing torch.package - it can result in arbitrary code execution via pickle
trailofbitsAvoid using `torch.Tensor()` to directly create a tensor for efficiency and proper parsing
trailofbitsScikit `joblib` uses pickle under the hood. Functions reliant on pickle can result in arbitrary code execution. Consider using `skops` instead.
trailofbitsLoading custom operator libraries can result in arbitrary code execution
trailofbitsNot waiting for requests is a source of undefined behavior
trailofbits`expect` or `unwrap` called in function returning a `Result`
trailofbitsFound apt key download with unencrypted URL (e.g. HTTP, FTP, etc.)
trailofbitsFound apt key with SSL verification disabled
trailofbitsFound apt deb with unencrypted URL (e.g. HTTP, FTP, etc.)
trailofbitsFound dnf download with unencrypted URL (e.g. HTTP, FTP, etc.)
trailofbitsFound dnf with SSL verification disabled
trailofbitsFound file download with unencrypted URL (e.g. HTTP, FTP, etc.)
trailofbitsFound file download with SSL verification disabled
trailofbitsFound RPM key download with unencrypted URL (e.g. HTTP, FTP, etc.)
trailofbitsFound RPM key with SSL verification disabled
trailofbitsFound unarchive download with unencrypted URL (e.g. HTTP, FTP, etc.)
trailofbitsFound unarchive download with SSL verification disabled
trailofbitsFound Windows Remote Management connection with certificate validation disabled
trailofbitsFound yum download with unencrypted URL (e.g. HTTP, FTP, etc.)
trailofbitsFound yum with SSL verification disabled
trailofbitsFound Zypper repository with unencrypted URL (e.g. HTTP, FTP, etc.)
trailofbitsFound Zypper package with unencrypted URL (e.g. HTTP, FTP, etc.)
trailofbitsService port is exposed on all interfaces