From 7cdd632c4f96312770fe17e7f3b1a584a36f4970 Mon Sep 17 00:00:00 2001 From: clavedeluna Date: Mon, 16 Oct 2023 08:16:59 -0300 Subject: [PATCH] update codemod metadata --- .pre-commit-config.yaml | 6 ++- src/core_codemods/django_debug_flag_on.py | 2 +- .../django_session_cookie_secure_off.py | 4 +- .../pixee_python_enable-jinja2-autoescape.md | 3 +- .../docs/pixee_python_jwt-decode-verify.md | 8 ++-- .../docs/pixee_python_unused-imports.md | 2 - src/core_codemods/enable_jinja2_autoescape.py | 2 +- src/core_codemods/https_connection.py | 4 +- src/core_codemods/process_creation_sandbox.py | 2 +- src/core_codemods/secure_random.py | 2 +- src/core_codemods/with_threading_lock.py | 4 +- src/scripts/generate_docs.py | 38 ++++++++++--------- 12 files changed, 42 insertions(+), 35 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5801c8404..104b1faf3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -11,7 +11,11 @@ repos: rev: 23.9.1 hooks: - id: black - exclude: samples/ + exclude: | + (?x)^( + samples/.*| + core_codemods/docs/.* + )$ - repo: https://github.com/pre-commit/mirrors-mypy rev: v1.5.1 hooks: diff --git a/src/core_codemods/django_debug_flag_on.py b/src/core_codemods/django_debug_flag_on.py index a0cbdc1bd..299b6a9c6 100644 --- a/src/core_codemods/django_debug_flag_on.py +++ b/src/core_codemods/django_debug_flag_on.py @@ -29,7 +29,7 @@ class DjangoDebugFlagOn(SemgrepCodemod, Codemod): }, ], ) - SUMMARY = CHANGE_DESCRIPTION = METADATA. DESCRIPTION + SUMMARY = CHANGE_DESCRIPTION = METADATA.DESCRIPTION YAML_FILES = [ "django-debug-flag-on.yaml", ] diff --git a/src/core_codemods/django_session_cookie_secure_off.py b/src/core_codemods/django_session_cookie_secure_off.py index 86382edde..f547082d4 100644 --- a/src/core_codemods/django_session_cookie_secure_off.py +++ b/src/core_codemods/django_session_cookie_secure_off.py 
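Review bot: The new `exclude` regex is anchored (`^(...)$`), but the docs this commit touches live at `src/core_codemods/docs/` (see the `diff --git` headers below), and pre-commit matches `exclude` against the path relative to the repository root, so `core_codemods/docs/.*` never matches and black still sees that directory. The anchor also narrows `samples/.*` to a top-level `samples/`, where the old unanchored `samples/` matched the directory at any depth; I cannot see where `samples/` lives, so check that before keeping the `^`. A pattern matching the visible layout would be `src/core_codemods/docs/.*` inside the group, or the anchors dropped entirely. If the black hook only selects Python files, excluding a Markdown-only directory is a no-op and the entry could simply go.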
@@ -17,7 +17,7 @@ class DjangoSessionCookieSecureOff(SemgrepCodemod, Codemod): METADATA = CodemodMetadata( DESCRIPTION=("Sets Django's `SESSION_COOKIE_SECURE` Flag if Off or Missing."), NAME="django-session-cookie-secure-off", - REVIEW_GUIDANCE=ReviewGuidance.MERGE_AFTER_REVIEW, + REVIEW_GUIDANCE=ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW, REFERENCES=[ { "url": "https://owasp.org/www-community/controls/SecureCookieAttribute", @@ -29,7 +29,7 @@ class DjangoSessionCookieSecureOff(SemgrepCodemod, Codemod): }, ], ) - SUMMARY = "Secure setting for Django `SESSION_COOKIE_SECURE` flag" + SUMMARY = "Secure Setting for Django `SESSION_COOKIE_SECURE` flag" CHANGE_DESCRIPTION = METADATA.DESCRIPTION YAML_FILES = [ "detect-django-settings.yaml", diff --git a/src/core_codemods/docs/pixee_python_enable-jinja2-autoescape.md b/src/core_codemods/docs/pixee_python_enable-jinja2-autoescape.md index 8e49775c9..f0b77d4e5 100644 --- a/src/core_codemods/docs/pixee_python_enable-jinja2-autoescape.md +++ b/src/core_codemods/docs/pixee_python_enable-jinja2-autoescape.md @@ -1,6 +1,6 @@ This codemod enables autoescaping of HTML content in `jinja2`. Unfortunately, the jinja2 default behavior is to not autoescape when rendering templates, which makes your applications -vulnerable to Cross-Site Scripting (XSS) attacks. +potentially vulnerable to Cross-Site Scripting (XSS) attacks. Our codemod checks if you forgot to enable autoescape or if you explicitly disabled it. The change looks as follows: @@ -13,4 +13,3 @@ Our codemod checks if you forgot to enable autoescape or if you explicitly disab + env = Environment(autoescape=True, loader=some_loader) ... ``` - diff --git a/src/core_codemods/docs/pixee_python_jwt-decode-verify.md b/src/core_codemods/docs/pixee_python_jwt-decode-verify.md index e900d150a..d736cc116 100644 --- a/src/core_codemods/docs/pixee_python_jwt-decode-verify.md +++ b/src/core_codemods/docs/pixee_python_jwt-decode-verify.md 
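Review bot: Lowering `REVIEW_GUIDANCE` to `MERGE_AFTER_CURSORY_REVIEW` is not explained anywhere in the commit, and this codemod is not behaviour-neutral: a session cookie carrying the `Secure` attribute is never sent by the browser over plain HTTP, so any environment that still serves the Django app without TLS loses its logged-in sessions once `SESSION_COOKIE_SECURE` is forced on. That deployment caveat is what a reviewer needs to check, and the place readers will look for it is this codemod's `guidance_explained` entry in `src/scripts/generate_docs.py`, which the hunks in this commit do not touch. The new `SUMMARY` also mixes cases, capitalising `Setting` while leaving `flag` lowercase; the sibling summaries in this commit title-case their nouns, so `Flag` would match them.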
@@ -9,10 +9,8 @@ Our change looks as follows: - decoded_payload = jwt.decode(encoded_jwt, SECRET_KEY, algorithms=["HS256"], verify=False) + decoded_payload = jwt.decode(encoded_jwt, SECRET_KEY, algorithms=["HS256"], verify=True) ... -- decoded_payload = jwt.decode( - encoded_jwt, SECRET_KEY, algorithms=["HS256"], options={"verify_signature": False, "verify_exp": False}) -+ decoded_payload = jwt.decode( - encoded_jwt, SECRET_KEY, algorithms=["HS256"], options={"verify_signature": True, "verify_exp": True}) +- decoded_payload = jwt.decode(encoded_jwt, SECRET_KEY, algorithms=["HS256"], options={"verify_signature": False, "verify_exp": False}) ++ decoded_payload = jwt.decode(encoded_jwt, SECRET_KEY, algorithms=["HS256"], options={"verify_signature": True, "verify_exp": True}) ``` -Any `verify` parameter not listed relies on the secure `True` default value. \ No newline at end of file +Any `verify` parameter not listed relies on the secure `True` default value. diff --git a/src/core_codemods/docs/pixee_python_unused-imports.md b/src/core_codemods/docs/pixee_python_unused-imports.md index d416423df..cb3137a24 100644 --- a/src/core_codemods/docs/pixee_python_unused-imports.md +++ b/src/core_codemods/docs/pixee_python_unused-imports.md @@ -6,5 +6,3 @@ import b b.function() ``` - -If you have feedback on this codemod, [please let us know](mailto:feedback@pixee.ai)! diff --git a/src/core_codemods/enable_jinja2_autoescape.py b/src/core_codemods/enable_jinja2_autoescape.py index 66a89d0d9..7f649bc73 100644 --- a/src/core_codemods/enable_jinja2_autoescape.py +++ b/src/core_codemods/enable_jinja2_autoescape.py @@ -5,7 +5,7 @@ class EnableJinja2Autoescape(SemgrepCodemod): NAME = "enable-jinja2-autoescape" - REVIEW_GUIDANCE = ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW + REVIEW_GUIDANCE = ReviewGuidance.MERGE_WITHOUT_REVIEW SUMMARY = "Enable Jinja2 Autoescape" DESCRIPTION = "Sets the `autoescape` parameter in jinja2.Environment to `True`." REFERENCES = [ 
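Review bot: `MERGE_WITHOUT_REVIEW` sits awkwardly next to the wording change the same commit makes in `pixee_python_enable-jinja2-autoescape.md` (`vulnerable` becomes `potentially vulnerable`): forcing `autoescape=True` alters the rendered output of every template that intentionally passes HTML through a variable, and those pages render escaped markup until the values are explicitly marked safe. That is exactly the kind of functional regression a cursory review is meant to catch, so the previous `MERGE_AFTER_CURSORY_REVIEW` looks like the honest value. If the downgrade stays, the rationale belongs in whatever `guidance_explained` entry `enable-jinja2-autoescape` has in `src/scripts/generate_docs.py`, which the visible hunks of this commit do not change.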
diff --git a/src/core_codemods/https_connection.py b/src/core_codemods/https_connection.py
index d4d0daa1c..0c0b34357 100644
--- a/src/core_codemods/https_connection.py
+++ b/src/core_codemods/https_connection.py
@@ -37,7 +37,9 @@ class HTTPSConnection(BaseCodemod, Codemod):
 ],
 )
 CHANGE_DESCRIPTION = METADATA.DESCRIPTION
- SUMMARY = "Changes HTTPConnectionPool to HTTPSConnectionPool to enforce secure connection."
+ SUMMARY = (
+ "Changes HTTPConnectionPool to HTTPSConnectionPool to Enforce Secure Connection"
+ )
 METADATA_DEPENDENCIES = (PositionProvider,)
diff --git a/src/core_codemods/process_creation_sandbox.py b/src/core_codemods/process_creation_sandbox.py
index 11d99e57d..5c110c20b 100644
--- a/src/core_codemods/process_creation_sandbox.py
+++ b/src/core_codemods/process_creation_sandbox.py
@@ -5,7 +5,7 @@ class ProcessSandbox(SemgrepCodemod):
 NAME = "sandbox-process-creation"
- REVIEW_GUIDANCE = ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW
+ REVIEW_GUIDANCE = ReviewGuidance.MERGE_WITHOUT_REVIEW
 SUMMARY = "Sandbox Process Creation"
 DESCRIPTION = (
 "Replaces subprocess.{func} with more secure safe_command library functions."
diff --git a/src/core_codemods/secure_random.py b/src/core_codemods/secure_random.py
index 2a7908c9c..b1b6944c1 100644
--- a/src/core_codemods/secure_random.py
+++ b/src/core_codemods/secure_random.py
@@ -4,7 +4,7 @@ class SecureRandom(SemgrepCodemod):
 NAME = "secure-random"
- REVIEW_GUIDANCE = ReviewGuidance.MERGE_WITHOUT_REVIEW
+ REVIEW_GUIDANCE = ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW
 SUMMARY = "Secure Source of Randomness"
 DESCRIPTION = "Replaces random.{func} with more secure secrets library functions."
 REFERENCES = [
diff --git a/src/core_codemods/with_threading_lock.py b/src/core_codemods/with_threading_lock.py
index 2f002e68e..b7ae97059 100644
--- a/src/core_codemods/with_threading_lock.py
+++ b/src/core_codemods/with_threading_lock.py
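Review bot: `MERGE_WITHOUT_REVIEW` for `sandbox-process-creation` is hard to reconcile with the rest of this commit: the codemod's own `DESCRIPTION` says it replaces `subprocess.{func}` with `safe_command` library functions, i.e. it introduces a runtime dependency, and the `guidance_explained` text for it in `src/scripts/generate_docs.py` says the wrapper can throw `SecurityException`, a new exception at every rewritten call site, while `secure-random` is raised to `MERGE_AFTER_CURSORY_REVIEW` in the same commit with no stated criterion. Either keep cursory review here or document what distinguishes the two, because the enum value is the only record of the decision. A short comment above the assignment, `# No review: rationale is the guidance_explained entry for sandbox-process-creation in src/scripts/generate_docs.py`, would at least point readers to it.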
@@ -6,7 +6,9 @@ class WithThreadingLock(SemgrepCodemod):
 NAME = "bad-lock-with-statement"
 SUMMARY = "Separate Lock Instantiation from `with` Call"
- DESCRIPTION = "Replace deprecated usage of threading lock classes as context managers."
+ DESCRIPTION = (
+ "Replace deprecated usage of threading lock classes as context managers."
+ )
 REVIEW_GUIDANCE = ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW
 REFERENCES = [
 {
diff --git a/src/scripts/generate_docs.py b/src/scripts/generate_docs.py
index 3458d4c22..1f68c3cce 100644
--- a/src/scripts/generate_docs.py
+++ b/src/scripts/generate_docs.py
@@ -44,7 +44,8 @@ class DocMetadata:
 guidance_explained="Support for HTTPS is widespread which, save in some legacy applications, makes this change safe.",
 ),
 "jwt-decode-verify": DocMetadata(
- importance="SOMETHING", guidance_explained="SOMETHING"
+ importance="High",
+ guidance_explained="This codemod ensures your code uses all available validations when calling `jwt.decode`. We believe this replacement is safe and should not result in any issues.",
 ),
 "limit-readline": DocMetadata(
 importance="Medium",
@@ -58,10 +59,10 @@ class DocMetadata:
 importance="High",
 guidance_explained="We believe this change is safe, effective, and protects your code against very serious security attacks.",
 ),
- # "order-imports": DocMetadata(
- # importance="Low",
- # guidance_explained="",
- # ),
+ "order-imports": DocMetadata(
+ importance="Low",
+ guidance_explained="TODO SKIP FOR NOW",
+ ),
 "sandbox-process-creation": DocMetadata(
 importance="High",
 guidance_explained="We believe this change is safe and effective. The behavior of sandboxing `subprocess.run` and `subprocess.call` calls will only throw `SecurityException` if they see behavior involved in malicious code execution, which is extremely unlikely to happen in normal operation.",
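Review bot: `guidance_explained="TODO SKIP FOR NOW"` for `order-imports` turns what was a commented-out entry into live data, and the `bad-lock-with-statement` entry un-commented in the next hunk carries the same kind of placeholder (`"TODO AFTER PR MERGE"`). If `generate_docs` renders `guidance_explained` into the F.A.Q. section (that part of the template is outside these hunks, so I cannot confirm it), both strings will be published verbatim. Either keep the entries commented out until real text exists, or have the generator reject placeholders next to the `KeyError` it already raises for a missing entry: `if codemod_data.guidance_explained.startswith("TODO"): raise ValueError(f"guidance_explained for {codemod.name} is a placeholder")`. The `METADATA` mapping these entries belong to starts and ends outside the hunk.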
@@ -87,7 +88,8 @@ class DocMetadata:
 guidance_explained="We believe this codemod is safe and will cause no unexpected errors.",
 ),
 "upgrade-sslcontext-minimum-version": DocMetadata(
- importance="SOMETHING", guidance_explained="SOMETHING"
+ importance="High",
+ guidance_explained="This codemod updates the minimum supported version of TLS. Since this is an important security fix and since all modern servers offer TLSv1.2, we believe this change can be safely merged without review.",
 ),
 "upgrade-sslcontext-tls": DocMetadata(
 importance="High",
@@ -112,9 +114,9 @@ class DocMetadata:
 importance="Low",
 guidance_explained="We believe that using the walrus operator is an improvement in terms of clarity and readability. However, this change is only compatible with codebases that support Python 3.8 and later, so it requires quick validation before merging.",
 ),
- # "bad-lock-with-statement": DocMetadata(
- # importance="Low", guidance_explained="TODO AFTER PR MERGE"
- # ),
+ "bad-lock-with-statement": DocMetadata(
+ importance="Low", guidance_explained="TODO AFTER PR MERGE"
+ ),
 }
@@ -124,6 +126,11 @@ def generate_docs(codemod):
 except KeyError as exc:
 raise KeyError(f"Must add {codemod.name} to METADATA") from exc
+ formatted_references = [
+ f"* [{ref['description']}]({ref['url']})" for ref in codemod.references
+ ]
+ markdown_references = "\n".join(formatted_references) or "N/A"
+
 output = f"""---
 title: {codemod.summary}
 sidebar_position: 1
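Review bot: `ref['description']` in the new list comprehension raises a bare `KeyError` for any codemod whose reference dict carries only a `url`, and that error will not say which codemod or reference was at fault, unlike the `KeyError` raised two lines above for a missing `METADATA` entry. The hard-coded links this replaces used the URL itself as the link text, so falling back to that keeps output for such entries: `f"* [{ref.get('description') or ref['url']}]({ref['url']})"`. Whether every `REFERENCES` entry in the codemods has a `description` is not visible from this diff (the entries shown elsewhere in this commit are cut after `"url"`), so please confirm before relying on the strict lookup. `generate_docs` begins before this hunk.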
@@ -131,12 +138,11 @@ def generate_docs(codemod):
 ## {codemod.id}
-| Importance | Review Guidance | Requires SARIF Tool |
-|------------|----------------------|---------------------|
- | {codemod_data.importance} | {codemod.review_guidance} | {codemod_data.need_sarif} |
+| Importance | Review Guidance | Requires SARIF Tool |
+|------------|----------------------------|---------------------|
+| {codemod_data.importance} | {codemod.review_guidance} | {codemod_data.need_sarif} |
 {codemod.description}
-
 If you have feedback on this codemod, [please let us know](mailto:feedback@pixee.ai)!
 ## F.A.Q.
@@ -150,10 +156,8 @@ def generate_docs(codemod):
 N/A
 ## References
-* [https://lxml.de/apidoc/lxml.etree.html#lxml.etree.XMLParser](https://lxml.de/apidoc/lxml.etree.html#lxml.etree.XMLParser)
-* [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)
-* [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)
-#codemod.references
+
+{markdown_references}
 """
 return output