semgrep-sast missing python request-without-timeout issues
Summary
The current semgrep-sast rule for the Python request-without-timeout check doesn't flag a requests.get() call that omits timeout
when the URL argument is a variable rather than a string literal, e.g. a parameter of a function that isn't called directly in the same file,
so the variable is never resolved in the module being scanned.
See e.g. https://semgrep.dev/playground/s/9AOp2
The same code is available from https://gitlab.com/duncanmmacleod/gitlab-sast-python-requests-timeout/, where the CI pipeline demonstrates that bandit
identifies the right vulnerabilities but semgrep-sast does not.
Potential fix?
I don't really understand the semgrep syntax, but the following might be a patch that addresses the issue by not attempting to resolve the first argument to requests.method()
as a string (which I think is what happens now):
diff --git a/python/requests/rule-request-without-timeout.yml b/python/requests/rule-request-without-timeout.yml
index 7c0c523a..f4c5dd38 100644
--- a/python/requests/rule-request-without-timeout.yml
+++ b/python/requests/rule-request-without-timeout.yml
@@ -27,20 +27,20 @@ rules:
patterns:
- pattern-either:
- patterns:
- - pattern: "requests.$METHOD('...', timeout=$VAL)"
+ - pattern: "requests.$METHOD(..., timeout=$VAL, ...)"
- metavariable-comparison:
comparison: "$VAL <= 0"
metavariable: "$VAL"
- patterns:
- - pattern: "requests.$METHOD('...', timeout=$VAL)"
+ - pattern: "requests.$METHOD(..., timeout=$VAL, ...)"
- metavariable-regex:
metavariable: "$VAL"
regex: "(^None)"
- patterns:
- - pattern-not: "requests.$METHOD('...', timeout=$VAL, ...)"
+ - pattern-not: "requests.$METHOD(..., timeout=$VAL, ...)"
- pattern-either:
- - pattern: "requests.$METHOD('...', ...)"
- - pattern: "requests.$METHOD('...')"
+ - pattern: "requests.$METHOD(..., ...)"
+ - pattern: "requests.$METHOD(...)"
- metavariable-regex:
metavariable: "$METHOD"
regex: "(get|put|delete|post|options|head|patch)"
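Review bot: the two alternatives under the final pattern-either are now equivalent, since `...` already matches zero or more arguments; `- pattern: "requests.$METHOD(..., ...)"` adds nothing over `- pattern: "requests.$METHOD(...)"`, so drop the first and keep the single `requests.$METHOD(...)` pattern (with one alternative left, the pattern-either can become a bare pattern). Also note that widening the first argument from a string literal to `...` makes the rule match calls such as `requests.get(url, **kwargs)`, where a timeout may be supplied through the unpacked dictionary; the existing `pattern-not: "requests.$METHOD(..., timeout=$VAL, ...)"` does not exclude those, so either accept the extra findings or add a pattern-not for keyword-unpacking calls. The `metavariable-comparison` on `$VAL <= 0` and the `(^None)` regex are unchanged and still only fire for a literal timeout value, which is the right behaviour.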
[I didn't identify a template I should use for this issue, if there is one, or if I should reformat anything to make it easier to action, please let me know, sorry]