#ocaml
Rulesets (5)
A collection of opinionated rules for best practices in popular languages. Recommended for users who want really strict coding standards.
Find common bugs, errors, and logic issues in popular languages.
Yoann PadioleauDefault ruleset for OCaml, by Semgrep
Rules (34)
semgrepThis code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.
semgrepComparison to boolean. Just use `$X`
semgrepComparison to boolean. Just use `not $X`
semgrepYou should not re-raise exceptions using 'raise' because it loses track of where the exception was raised originally, leading to a useless and possibly confusing stack trace. Instead, you should obtain a stack backtrace as soon as the exception is caught using 'try ... with exn -> let trace = Printexc.get_raw_backtrace () in ...', and keep it around until you re-raise the exception using 'Printexc.raise_with_backtrace exn trace'. You must collect the stack backtrace before calling another function which might internally raise and catch exceptions. To avoid false positives from Semgrep, write 'raise (Foo args)' instead of 'let e = Foo args in raise e'.
semgrepYou should not use Hashtbl.find outside of a try, or you should use Hashtbl.find_opt
semgrepUseless else. Just remove the else branch;
semgrepBackwards if. Rewrite the code as 'if not $E then $E2'.
semgrepYou should not use List.find outside of a try, or you should use List.find_opt
semgrepYou should use `incr`
semgrepYou should use `decr`
semgrepUse instead `Str.first_chars`
semgrepUse instead `Str.string_after`
semgrepUse instead `Str.last_chars`
semgrepUseless sprintf
semgrepPervasives is deprecated and will not be available after 4.10. Use Stdlib.
semgrepYou probably want the structural equality operator =
semgrepYou probably want the structural inequality operator <>
semgrepThis comparison is useless because the expressions being compared are identical. This is expected to always return the same result, 0, unless your code is really strange.
semgrepThis is always true. If testing for floating point NaN, use `Float.is_nan` instead.
semgrepUseless if. Both branches are equal.
semgrepUseless let
semgrepYou probably want $X = [], which is faster.
semgrepYou probably want $X <> [], which is faster.
semgrep'input_line' leaves a '\r' (CR) character when reading lines from a Windows text file, whose lines end in "\r\n" (CRLF). This is a problem for any Windows file that is being read either on a Unix-like platform or on Windows in binary mode. If the code already takes care of removing any trailing '\r' after reading the line, add a '(* nosemgrep *)' comment to disable this warning.
semgrep'open_in' behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use 'open_in_bin' or 'open_in_gen [Open_binary]'. If you really want CRLF-to-LF translations to take place when running on Windows, use 'open_in_gen [Open_text]'.
semgrep'open_out' behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use 'open_out_bin' or 'open_out_gen [Open_binary]'. If you really want LF-to-CRLF translations to take place when running on Windows, use 'open_out_gen [Open_text]'.
semgrepYou should probably use Filename.get_temp_dirname().
semgrepDigest uses MD5 and should not be used for security purposes. Consider using SHA256 instead.
semgrepExecuting external programs might lead to comand or argument injection vulnerabilities.
semgrepWhen attacker supplied data is passed to Filename.concat directory traversal attacks might be possible.
semgrepCreating a Hashtbl without the optional random number parameter makes it prone to DoS attacks when attackers are able to fill the table with malicious content. Hashtbl.randomize or the R flag in the OCAMLRUNPARAM are other ways to randomize it.
semgrepMarshaling is currently not type-safe and can lead to insecure behaviour when untrusted data is marshalled. Marshalling can lead to out-of-bound reads as well.
semgrepFilename.temp_file might lead to race conditions, since the file could be altered or replaced by a symlink before being opened.
semgrepUnsafe functions do not perform boundary checks or have other side effects, use with care.