52 lines
2.0 KiB
YAML
52 lines
2.0 KiB
YAML
rules:
|
|
- id: govoplan.python.subprocess-shell-true
|
|
languages: [python]
|
|
severity: WARNING
|
|
message: Avoid shell=True for module/runtime commands; prefer argv lists and explicit argument validation.
|
|
patterns:
|
|
- pattern-either:
|
|
- pattern: subprocess.run(..., shell=True, ...)
|
|
- pattern: subprocess.call(..., shell=True, ...)
|
|
- pattern: subprocess.check_call(..., shell=True, ...)
|
|
- pattern: subprocess.check_output(..., shell=True, ...)
|
|
|
|
- id: govoplan.python.os-system
|
|
languages: [python]
|
|
severity: WARNING
|
|
message: Avoid os.system; use subprocess with argv lists and explicit environment handling.
|
|
pattern: os.system(...)
|
|
|
|
- id: govoplan.python.pickle-load
|
|
languages: [python]
|
|
severity: WARNING
|
|
message: Pickle loading is unsafe for untrusted data; use structured formats or signed payloads.
|
|
pattern-either:
|
|
- pattern: pickle.load(...)
|
|
- pattern: pickle.loads(...)
|
|
|
|
- id: govoplan.python.cors-wildcard-credentials
|
|
languages: [python]
|
|
severity: ERROR
|
|
message: Credentialed CORS must not use wildcard origins.
|
|
pattern: CORSMiddleware(..., allow_origins=["*"], allow_credentials=True, ...)
|
|
|
|
- id: govoplan.web.localstorage-sensitive-value
|
|
languages: [javascript, typescript]
|
|
severity: WARNING
|
|
message: Do not persist tokens, API keys, credentials, or passwords in localStorage.
|
|
patterns:
|
|
- pattern: localStorage.setItem($KEY, $VALUE)
|
|
- metavariable-regex:
|
|
metavariable: $KEY
|
|
regex: (?i).*(token|api.?key|secret|password|credential).*
|
|
|
|
- id: govoplan.web.window-localstorage-sensitive-value
|
|
languages: [javascript, typescript]
|
|
severity: WARNING
|
|
message: Do not persist tokens, API keys, credentials, or passwords in localStorage.
|
|
patterns:
|
|
- pattern: window.localStorage.setItem($KEY, $VALUE)
|
|
- metavariable-regex:
|
|
metavariable: $KEY
|
|
regex: (?i).*(token|api.?key|secret|password|credential).*
|