Semgrep 3 #85
Closed
Semgrep 3 #85
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
We have finished reviewing your PR. We have found no vulnerabilities. Reply to this PR with |
![corgea[bot]](https://avatars.githubusercontent.com/in/673913?s=60&v=4){kind=small}
Comment on lines
+16
to
+17
| ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data)); | ||
| Object deserializedObject = ois.readObject(); |
There was a problem hiding this comment.
🐕 Corgea found a CWE-502: Deserialization of Untrusted Data vulnerability that is rated as 🔴 Critical.
View in Corgea.
🎟️Issue Explanation: Deserializing untrusted data can lead to security risks, as attackers might exploit it to execute harmful code or actions on your system.
More issue details
- The code uses "ObjectInputStream" to deserialize data, which can be manipulated if the data is untrusted.- Attackers can craft data to trigger harmful actions during deserialization, like executing unauthorized code.
- Without verifying data integrity, deserialization can lead to security breaches, especially with sensitive information.
Fix Details
The fix replaces the use of Java's native deserialization with Jackson's JSON deserialization, mitigating the risk of executing malicious code during deserialization by ensuring only expected data structures are processed.-Replaced "ObjectInputStream" with "ObjectMapper" from Jackson to handle deserialization.
-Jackson's "readValue" method is used to deserialize data into a specific class, "MySafeObject", ensuring type safety.
-By specifying "MySafeObject.class", the code restricts deserialization to a known, safe object type, preventing arbitrary code execution.
💡 Important Instructions: Ensure that
MySafeObject is properly defined and validated to handle expected data safely.
Suggested change
| ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data)); | |
| Object deserializedObject = ois.readObject(); | |
| // Use a safer deserialization library like Jackson |
![semgrep-code-latiotech[bot]](https://avatars.githubusercontent.com/u/104798912?s=60&v=4){kind=small}
| asyncTasks.push( | ||
| (async () => { | ||
| try { | ||
| const compiled = _.template(postData.template); |
There was a problem hiding this comment.
Risk: lodash versions prior to 4.17.21 (or lodash.template version 4.6.2) are vulnerable to Command Injection via the template function. Please remediate by updating to version 4.17.21 (or 4.6.2). GHSA-35jh-r3h4-6jhm
Fix: Upgrade this library to at least version 4.17.21 at insecure-kubernetes-deployments/insecure-js/package-lock.json:1087.
Reference(s): GHSA-35jh-r3h4-6jhm, CVE-2021-23337
💬 To ignore this, reply with:
• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssc-c6bc1896-7044-4b22-b31a-753d52070423.
| asyncTasks.push( | ||
| (async () => { | ||
| try { | ||
| const parsedObject = JSON5.parse(postData.json5data); |
There was a problem hiding this comment.
Risk: The parse method of the JSON5 library before and including version 2.2.1 does not restrict parsing of keys named proto, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.
Fix: Upgrade this library to at least version 2.2.2 at insecure-kubernetes-deployments/insecure-js/package-lock.json:1076.
Reference(s): GHSA-9c47-m6qq-7p4h, CVE-2022-46175
💬 To ignore this, reply with:
• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssc-9573292b-0077-44a6-b92f-3111f0ffbaca.
| asyncTasks.push( | ||
| (async () => { | ||
| try { | ||
| const compiled = _.template(postData.template); |
There was a problem hiding this comment.
Risk: lodash 4.17.x before 4.17.12, lodash.defaultsdeep 4.6.x before 4.6.1, lodash.mergewith 4.6.x before 4.6.2, lodash.merge 4.6.x before 4.6.2, and lodash.template 4.5.x before 4.5.0 are vulnerable to improper input validation. Several lodash methods unsafely perform object merges, allowing user input to override object prototypes. Upgrade to lodash 4.17.12, lodash.defaultsdeep 4.6.1, lodash.mergewith 4.6.2, lodash.merge 4.6.2, or lodash.template 4.5.0.
Fix: Upgrade this library to at least version 4.17.12 at insecure-kubernetes-deployments/insecure-js/package-lock.json:1087.
Reference(s): GHSA-jf85-cpcp-j695, CVE-2019-10744
💬 To ignore this, reply with:
• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssc-a4fd0e64-ce76-449c-8e09-743db9edce4e.
![jit-ci[bot]](https://avatars.githubusercontent.com/in/142441?s=60&v=4){kind=small}
There was a problem hiding this comment.
❌ Jit has detected 24 important findings in this PR that you should review.
The first 10 findings are detailed below as separate comments.
Click here to view all the findings on Jit.
It’s highly recommended that you fix these security issues before merging.
Alternatively, comment #jit_ignore_all in this PR to ignore all findings. Admin privileges required.
| username = request.form['username'] | ||
| try: | ||
| # Vulnerable SQL query using string interpolation | ||
| query = "SELECT password FROM users WHERE username = '{}'".format(username) |
There was a problem hiding this comment.
Security control: Static Code Analysis Python Semgrep
Sql Injection Risk From Raw Sql String Construction In Flask
Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "SQL Injection risk from raw SQL string construction in Flask" in insecure-app/app2.py; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
| username = '' | ||
| password = '' | ||
| try: | ||
| cursor.execute("SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username, password)) |
There was a problem hiding this comment.
Security control: Static Code Analysis Python Semgrep
Sqlalchemy Raw Sql Query Concatenation Risks Sql Injection
Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "SQLAlchemy raw SQL query concatenation risks SQL Injection" in insecure-app/app2.py; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
| def fetch_url_content(url: str): | ||
| # Vulnerability: No validation of the URL (API10:2019 - Unsafe Consumption of APIs) | ||
| try: | ||
| response = requests.get(url) |
There was a problem hiding this comment.
Security control: Static Code Analysis Python Semgrep
Potential Ssrf With Request Data In Server-Side Requests
Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "Potential SSRF with request data in server-side requests" in insecure-api/main-2.py; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
| # 2 - Command Injection | ||
| if 'command' in request.form: | ||
| cmd = request.form['command'] | ||
| process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
There was a problem hiding this comment.
Security control: Static Code Analysis Python Semgrep
User Data In Subprocess Function Risks Command Injection Vulnerability
Detected subprocess function 'Popen' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.escape()'.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "User data in subprocess function risks command injection vulnerability" in insecure-app/app2.py; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
| cursor = conn.cursor() | ||
| try: | ||
| sql_query = f"SELECT * FROM video_games WHERE title = '{query}'" | ||
| cursor.execute(sql_query) |
There was a problem hiding this comment.
Security control: Static Code Analysis Python Semgrep
Sqlalchemy Raw Sql Query Concatenation Risks Sql Injection
Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "SQLAlchemy raw SQL query concatenation risks SQL Injection" in insecure-api/main-2.py; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
| try: | ||
| # Use lxml to parse the XML data | ||
| parser = etree.XMLParser(load_dtd=True, resolve_entities=True) | ||
| tree = etree.fromstring(xml_data.encode(), parser) |
There was a problem hiding this comment.
Security control: Static Code Analysis Python Semgrep
Potential Xxe Vulnerability With Native Python Xml Libraries
Found use of the native Python XML libraries, which is vulnerable to XML external entity (XXE)
attacks. The Python documentation recommends the 'defusedxml' library instead. Use 'defusedxml'.
See https://github.com/tiran/defusedxml for more information.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "Potential XXE vulnerability with native Python XML libraries" in insecure-app/app2.py; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
| # 2 - Command Injection | ||
| if 'command' in request.form: | ||
| cmd = request.form['command'] | ||
| process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
There was a problem hiding this comment.
Security control: Static Code Analysis Python Semgrep
User Input In Unsafe Subprocess Call In Flask
Detected user input entering a subprocess call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "User input in unsafe subprocess call in Flask" in insecure-app/app2.py; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
| import os | ||
| import sqlite3 | ||
| import requests | ||
| from lxml import etree |
There was a problem hiding this comment.
Security control: Static Code Analysis Python Semgrep
Potential Xxe Vulnerability With Native Python Xml Libraries
Found use of the native Python XML libraries, which is vulnerable to XML external entity (XXE)
attacks. The Python documentation recommends the 'defusedxml' library instead. Use 'defusedxml'.
See https://github.com/tiran/defusedxml for more information.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "Potential XXE vulnerability with native Python XML libraries" in insecure-app/app2.py; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
| cursor = conn.cursor() | ||
| try: | ||
| sql_query = f"SELECT * FROM tiles WHERE title = '{query}'" | ||
| cursor.execute(sql_query) |
There was a problem hiding this comment.
Security control: Static Code Analysis Python Semgrep
Sqlalchemy Raw Sql Query Concatenation Risks Sql Injection
Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "SQLAlchemy raw SQL query concatenation risks SQL Injection" in insecure-api/main.py; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
| username = request.form['username'] | ||
| try: | ||
| # Vulnerable SQL query using string interpolation | ||
| query = "SELECT password FROM users WHERE username = '{}'".format(username) |
There was a problem hiding this comment.
Security control: Static Code Analysis Python Semgrep
Sql Injection Risk From Raw Sql String Construction In Django
Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "SQL Injection risk from raw SQL string construction in Django" in insecure-app/app2.py; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
Comment on lines
+32
to
+33
| hostPath: | ||
| path: /var/run/docker.sock |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from hostpath to prevent this.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by exposing-docker-socket-hostpath.
You can view more details about this finding in the Semgrep AppSec Platform.
| metadata: | ||
| labels: | ||
| app: {{ .Values.insecureApp.appName }} | ||
| spec: |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a securityContext to the container, with the parameter runAsNonRoot set to true. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a securityContext to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.
To resolve this comment:
💡 Follow autofix suggestion
Suggested change
| spec: | |
| spec: | |
| securityContext: | |
| runAsNonRoot: true #: |
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-as-non-root.
You can view more details about this finding in the Semgrep AppSec Platform.
Comment on lines
+87
to
+98
| username = request.form['username'] | ||
| try: | ||
| # Vulnerable SQL query using string interpolation | ||
| query = "SELECT password FROM users WHERE username = '{}'".format(username) | ||
| cursor.execute(query) | ||
| result = cursor.fetchone() | ||
| if result: | ||
| output = f"Password for {username}: {result[0]}" | ||
| else: | ||
| output = "User not found." | ||
| except Exception as e: | ||
| output = f"SQL Error: {e}" |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
User-controlled data from a request is passed to 'execute()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use Entry.objects.filter(date=2006).
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by sql-injection-db-cursor-execute.
You can view more details about this finding in the Semgrep AppSec Platform.
| """, output=output) | ||
|
|
||
| if __name__ == '__main__': | ||
| app.run(host='0.0.0.0', port=8080, debug=True) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by active-debug-code-flask.
You can view more details about this finding in the Semgrep AppSec Platform.
| try: | ||
| # Vulnerable SQL query using string interpolation | ||
| query = "SELECT password FROM users WHERE username = '{}'".format(username) | ||
| cursor.execute(query) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected possible formatted SQL query. Use parameterized queries instead.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by formatted-sql-query.
You can view more details about this finding in the Semgrep AppSec Platform.
| """, output=output) | ||
|
|
||
| if __name__ == '__main__': | ||
| app.run(host='0.0.0.0', port=8080, debug=True) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting 'debug' using system environment variables.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by debug-enabled.
You can view more details about this finding in the Semgrep AppSec Platform.
| kind: Pod | ||
| metadata: | ||
| name: s-5 | ||
| spec: |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a securityContext to the container, with the parameter runAsNonRoot set to true. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a securityContext to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.
To resolve this comment:
💡 Follow autofix suggestion
Suggested change
| spec: | |
| spec: | |
| securityContext: | |
| runAsNonRoot: true #: |
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-as-non-root.
You can view more details about this finding in the Semgrep AppSec Platform.
| @app.get("/redirect") | ||
| def unsafe_redirect(next: str): | ||
| # Vulnerability: Unvalidated redirect (API10:2019 - Unsafe Consumption of APIs) | ||
| return RedirectResponse(url=next) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-api/main-2.py</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-api/main-2.py#L212 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 212] next</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-api/main-2.py#L212 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 212] next</a>"]
end
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-api/main-2.py#L214 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 214] next</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by tainted-redirect-fastapi.
You can view more details about this finding in the Semgrep AppSec Platform.
Comment on lines
+100
to
+165
| return render_template_string(""" | ||
| <h1>Intentionally Insecure App</h1> | ||
| <hr> | ||
| <!-- Command Injection --> | ||
| <form action="/" method="post"> | ||
| <h2>Command Injection</h2> | ||
| <input type="text" name="command" value="ls -la"> | ||
| <input type="submit" value="Run"> | ||
| </form> | ||
| <br> | ||
| <!-- File Upload --> | ||
| <form action="/" method="post" enctype="multipart/form-data"> | ||
| <h2>Path Traversal via File Upload</h2> | ||
| <input type="file" name="file"> | ||
| <input type="submit" value="Upload"> | ||
| </form> | ||
| <p>Try uploading a file named: <code>../../../../etc/passwd</code></p> | ||
| <br> | ||
| <!-- SQL Injection --> | ||
| <form action="/" method="post"> | ||
| <h2>SQL Injection</h2> | ||
| <input type="text" name="sql" value="SELECT * FROM users WHERE username = 'admin' OR '1'='1'"> | ||
| <input type="submit" value="Run"> | ||
| </form> | ||
| <br> | ||
| <!-- Cross-Site Scripting (XSS) --> | ||
| <form action="/" method="post"> | ||
| Enter XSS payload: <input type="text" name="xss" value="<script>alert('XSS');</script>"> | ||
| <input type="submit" value="Run"> | ||
| </form> | ||
| <br> | ||
| <!-- XML External Entity (XXE) Injection --> | ||
| <form action="/" method="post"> | ||
| <h2>XML External Entity (XXE) Injection</h2> | ||
| <textarea name="xml" rows="5" cols="50"> | ||
| <?xml version="1.0"?> | ||
| <!DOCTYPE root [ | ||
| <!ENTITY xxe SYSTEM "file:///etc/passwd"> | ||
| ]> | ||
| <root>&xxe;</root> | ||
| </textarea> | ||
| <input type="submit" value="Parse XML"> | ||
| </form> | ||
| <br> | ||
| <!-- Server-Side Request Forgery (SSRF) --> | ||
| <form action="/" method="post"> | ||
| <h2>Server-Side Request Forgery (SSRF)</h2> | ||
| <input type="text" name="url" value="http://localhost:8080/"> | ||
| <input type="submit" value="Request"> | ||
| </form> | ||
| <br> | ||
| <!-- SQL Injection 2 --> | ||
| <h2>SQL Injection 2</h2> | ||
| <form action="/" method="post"> | ||
| Enter Username: <input type="text" name="username" value="' UNION SELECT username || ' : ' || password FROM users --"> | ||
| <input type="submit" value="Lookup"> | ||
| </form> | ||
| <hr> | ||
| <pre>{{ output|safe }}</pre> | ||
| """, output=output) |
There was a problem hiding this comment.
Semgrep identified an issue, but thinks it may be safe to ignore.
Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.
Why this might be safe to ignore:
The matched code is part of an intentionally insecure application, likely for educational or testing purposes. The use of 'render_template_string' here is deliberate to demonstrate vulnerabilities, and not a security risk in a production context.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by render-template-string.
You can view more details about this finding in the Semgrep AppSec Platform.
Comment on lines
+18
to
+29
| - name: {{ .Values.insecureApp.appName }} | ||
| image: "{{ .Values.insecureApp.image.repository }}:{{ .Values.insecureApp.image.tag }}" | ||
| env: | ||
| - name: AWS_ACCESS_KEY_ID | ||
| value: AKIA2JAPX77RGLB664VE | ||
| - name: AWS_SECRET_ACCESS_KEY | ||
| value: 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 | ||
| securityContext: | ||
| privileged: true | ||
| volumeMounts: | ||
| - name: docker-socket | ||
| mountPath: /var/run/docker.sock |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by privileged-container.
You can view more details about this finding in the Semgrep AppSec Platform.
| value: AKIA2JAPX77RGLB664VE | ||
| - name: AWS_SECRET_ACCESS_KEY | ||
| value: v5xpjkWYoy45fGKFSMajSn+sqs22WI2niacX9yO5 | ||
| securityContext: |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain setuid or setgid binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a securityContext to the container in the pod, with the parameter allowPrivilegeEscalation set to false. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the allowPrivilegeEscalation parameter to your the securityContext, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.
To resolve this comment:
💡 Follow autofix suggestion
Suggested change
| securityContext: | |
| securityContext: | |
| allowPrivilegeEscalation: false #: |
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by allow-privilege-escalation.
You can view more details about this finding in the Semgrep AppSec Platform.
| """, output=output) | ||
|
|
||
| if __name__ == '__main__': | ||
| app.run(host='0.0.0.0', port=8080, debug=True) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Running flask app with host 0.0.0.0 could expose the server publicly.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by avoid_app_run_with_bad_host.
You can view more details about this finding in the Semgrep AppSec Platform.
| username = '' | ||
| password = '' | ||
| try: | ||
| cursor.execute("SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username, password)) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected possible formatted SQL query. Use parameterized queries instead.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by formatted-sql-query.
You can view more details about this finding in the Semgrep AppSec Platform.
| sql = request.form['sql'] | ||
| try: | ||
| # Execute the user's SQL query | ||
| cursor.execute(sql) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-app/app2.py</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] request.form['sql']</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] sql</a>"]
end
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L49 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 49] cursor.execute(sql)</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
✨ Commit Assistant fix suggestion
Suggested change
| cursor.execute(sql) | |
| # Use parameterized queries to prevent SQL injection | |
| query = "SELECT * FROM users WHERE username = %s AND password = %s" | |
| cursor.execute(query, (username, password)) |
View step-by-step instructions
- Change the
cursor.execute(sql)line to use a parameterized query. Instead of executing the SQL directly, use placeholders for any user input. - Modify the SQL query to use placeholders. For example, if the query is
SELECT * FROM table WHERE column = ?, replace?with the appropriate placeholder syntax for your database. - Pass the user input as a parameter to the
executemethod. For example,cursor.execute("SELECT * FROM table WHERE column = ?", (user_input,)). - Ensure that the
sqlvariable is not directly used in the query. Instead, construct the query with static SQL and use placeholders for dynamic parts.
This approach separates SQL commands from user data, preventing SQL injection by ensuring that user input is treated as data rather than executable code.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by flask-without-url-path-prestodb-sqli.
You can view more details about this finding in the Semgrep AppSec Platform.
| username = request.form['username'] | ||
| try: | ||
| # Vulnerable SQL query using string interpolation | ||
| query = "SELECT password FROM users WHERE username = '{}'".format(username) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-app/app2.py</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L87 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 87] request.form</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L87 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 87] username</a>"]
end
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L90 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 90] "SELECT password FROM users WHERE username = '{}'".format(username)</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by tainted-sql-string.
You can view more details about this finding in the Semgrep AppSec Platform.
| username = '' | ||
| password = '' | ||
| try: | ||
| cursor.execute("SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username, password)) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by sqlalchemy-execute-raw-query.
You can view more details about this finding in the Semgrep AppSec Platform.
| const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber3};`; | ||
| responseMessages.push(`<p>Executing SQL query: ${query}</p>`); | ||
|
|
||
| connection.query(query, (err, rows) => { |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected a mysql2 SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-js/server2.js</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] chunk</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] body</a>"]
v3["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] body</a>"]
v4["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L50 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 50] postData</a>"]
v5["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L76 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 76] query</a>"]
end
v2 --> v3
v3 --> v4
v4 --> v5
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L79 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 79] query</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
✨ Commit Assistant fix suggestion
Suggested change
| connection.query(query, (err, rows) => { | |
| if (postData.orderNumber3) { | |
| try { | |
| const orderNumber = parseInt(postData.orderNumber3, 10); // Ensure it's a number | |
| const query = 'SELECT product FROM Orders WHERE orderNumber = ?'; | |
| responseMessages.push(`<p>Executing SQL query: ${query}</p>`); | |
| connection.query(query, [orderNumber], (err, rows) => { | |
| if (err) { | |
| console.error("SQL query error:", err); | |
| responseMessages.push(`<p>An error occurred: ${err.message}</p>`); | |
| } else { | |
| if (rows.length > 0) { | |
| responseMessages.push(`<p>Order details (Product only):</p><pre>${JSON.stringify(rows, null, 2)}</pre>`); | |
| } else { | |
| responseMessages.push(`<p>No orders found with order number ${postData.orderNumber3}</p>`); | |
| } | |
| } | |
| if (res) { | |
| res.end(responseMessages.join("")); | |
| } | |
| }); | |
| } catch (error) { | |
| console.error("SQL query execution error:", error); | |
| responseMessages.push(`<p>An unexpected error occurred: ${error.message}</p>`); | |
| } | |
| } |
View step-by-step instructions
- Change the SQL query to use parameterized queries to prevent SQL injection. Replace the query string with a parameterized version:
const query = 'SELECT product FROM Orders WHERE orderNumber = ?';
- Pass the dynamic value as a parameter to the
querymethod:connection.query(query, [postData.orderNumber3], (err, rows) => {
- Ensure that
postData.orderNumber3is validated or sanitized before being used in the query. For example, if it should be a number, convert it usingparseInt:Then useconst orderNumber = parseInt(postData.orderNumber3, 10);
orderNumberin the query parameter array:connection.query(query, [orderNumber], (err, rows) => {
Using parameterized queries ensures that user input is treated as data rather than executable code, effectively preventing SQL injection attacks.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by node-mysql-sqli.
You can view more details about this finding in the Semgrep AppSec Platform.
| cursor = conn.cursor() | ||
| try: | ||
| sql_query = f"SELECT * FROM video_games WHERE title = '{query}'" | ||
| cursor.execute(sql_query) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-api/main-2.py</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-api/main-2.py#L113 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 113] query</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-api/main-2.py#L113 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 113] query</a>"]
v3["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-api/main-2.py#L118 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 118] sql_query</a>"]
end
v2 --> v3
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-api/main-2.py#L119 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 119] sql_query</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by generic-sql-fastapi.
You can view more details about this finding in the Semgrep AppSec Platform.
| elif 'url' in request.form: | ||
| url = request.form['url'] | ||
| try: | ||
| response = requests.get(url) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssrf-requests.
You can view more details about this finding in the Semgrep AppSec Platform.
| # 2 - Command Injection | ||
| if 'command' in request.form: | ||
| cmd = request.form['command'] | ||
| process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Found 'subprocess' function 'Popen' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead.
To resolve this comment:
💡 Follow autofix suggestion
Suggested change
| process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) | |
| process = subprocess.Popen(cmd, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by subprocess-shell-true.
You can view more details about this finding in the Semgrep AppSec Platform.
| @@ -0,0 +1 @@ | |||
| {"version":"1.99.0","results":[{"check_id":"dockerfile.security.missing-user.missing-user","path":"insecure-api/Dockerfile","start":{"line":21,"col":1,"offset":515},"end":{"line":21,"col":67,"offset":581},"extra":{"metavars":{"$...VARS":{"start":{"line":21,"col":5,"offset":519},"end":{"line":21,"col":67,"offset":581},"abstract_content":"[\"uvicorn\"\"main:app\"\"--host\"\"0.0.0.0\"\"--port\"\"8000\"]"}},"message":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.","fix":"USER non-root\nCMD [\"uvicorn\", \"main:app\", \"--host\", \"0.0.0.0\", \"--port\", \"8000\"]","metadata":{"cwe":["CWE-269: Improper Privilege Management"],"category":"security","technology":["dockerfile"],"confidence":"MEDIUM","owasp":["A04:2021 - Insecure Design"],"references":["https://owasp.org/Top10/A04_2021-Insecure_Design"],"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/dockerfile.security.missing-user.missing-user","shortlink":"https://sg.run/Gbvn","semgrep.dev":{"rule":{"origin":"community","r_id":20148,"rule_id":"AbUN06","rv_id":945269,"url":"https://semgrep.dev/playground/r/qkT4j4L/dockerfile.security.missing-user.missing-user","version_id":"qkT4j4L"}}},"severity":"ERROR","fingerprint":"25f3812a6390e38eca84b059a4836996e8a499976b2733ecfc3a15af0e3ab8a06edab7651035844e2cbce09e1a8b7b31970a2d7c3e4bc873153beabc64fa5610_0","lines":"CMD [\"uvicorn\", \"main:app\", \"--host\", \"0.0.0.0\", \"--port\", \"8000\"]","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.lang.security.audit.formatted-sql-query.formatted-sql-query","path":"insecure-api/main.py","start":{"line":119,"col":9,"offset":4547},"end":{"line":119,"col":34,"offset":4572},"extra":{"metavars":{"$X":{"start":{"line":118,"col":65,"offset":4530},"end":{"line":118,"col":70,"offset":4535},"abstract_content":"query"},"$DB":{"start":{"line":119,"col":9,"offset":4547},"end":{"line":119,"col":15,"offset":4553},"abstract_content":"cursor","propagated_value":{"svalue_start":{"line":116,"col":14,"offset":4443},"svalue_end":{"line":116,"col":27,"offset":4456},"svalue_abstract_content":"conn.cursor()"}},"$SQL":{"start":{"line":119,"col":24,"offset":4562},"end":{"line":119,"col":33,"offset":4571},"abstract_content":"sql_query","propagated_value":{"svalue_start":{"line":118,"col":21,"offset":4486},"svalue_end":{"line":118,"col":73,"offset":4538},"svalue_abstract_content":"f\"SELECT * FROM video_games WHERE title = '{query}'\""}}},"message":"Detected possible formatted SQL query. Use parameterized queries instead.","metadata":{"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"references":["https://stackoverflow.com/questions/775296/mysql-parameterized-queries"],"category":"security","technology":["python"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query","shortlink":"https://sg.run/EkWw","semgrep.dev":{"rule":{"origin":"community","r_id":9637,"rule_id":"3qUP9k","rv_id":946343,"url":"https://semgrep.dev/playground/r/e1T98KK/python.lang.security.audit.formatted-sql-query.formatted-sql-query","version_id":"e1T98KK"}}},"severity":"WARNING","fingerprint":"c84a51a76657aa903cb26be4bb0a60c776dad0b186e5cfeca8de49b1100d223a0079207827b48de997c97f92526ec0509bfe21c3587dda43bb2ffd3dc27a7a59_0","lines":" cursor.execute(sql_query)","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","path":"insecure-api/main.py","start":{"line":119,"col":9,"offset":4547},"end":{"line":119,"col":34,"offset":4572},"extra":{"metavars":{"$CONNECTION":{"start":{"line":119,"col":9,"offset":4547},"end":{"line":119,"col":15,"offset":4553},"abstract_content":"cursor","propagated_value":{"svalue_start":{"line":116,"col":14,"offset":4443},"svalue_end":{"line":116,"col":27,"offset":4456},"svalue_abstract_content":"conn.cursor()"}},"$QUERY":{"start":{"line":119,"col":24,"offset":4562},"end":{"line":119,"col":33,"offset":4571},"abstract_content":"sql_query","propagated_value":{"svalue_start":{"line":118,"col":21,"offset":4486},"svalue_end":{"line":118,"col":73,"offset":4538},"svalue_abstract_content":"f\"SELECT * FROM video_games WHERE title = '{query}'\""}}},"message":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.","metadata":{"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql","https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm","https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column"],"category":"security","technology":["sqlalchemy"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","shortlink":"https://sg.run/2b1L","semgrep.dev":{"rule":{"origin":"community","r_id":10563,"rule_id":"oqUz5y","rv_id":946452,"url":"https://semgrep.dev/playground/r/8KTKj19/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","version_id":"8KTKj19"}}},"severity":"ERROR","fingerprint":"d66c7cd53b2919cf51e6625ae54a536489fdd8ea3ee6330b5a0fb2fd8bde2c819a5bc02728be7489ec513a519455c15b9c01ad0b3f43db19902a99f6220b7dfe_0","lines":" cursor.execute(sql_query)","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.flask.security.injection.ssrf-requests.ssrf-requests","path":"insecure-api/main.py","start":{"line":205,"col":20,"offset":8279},"end":{"line":205,"col":37,"offset":8296},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":4,"offset":3},"abstract_content":"get"},"$APP":{"start":{"line":201,"col":2,"offset":8108},"end":{"line":201,"col":5,"offset":8111},"abstract_content":"app"},"$ROUTE_METHOD":{"start":{"line":201,"col":6,"offset":8112},"end":{"line":201,"col":9,"offset":8115},"abstract_content":"get"},"$ROUTE":{"start":{"line":201,"col":10,"offset":8116},"end":{"line":201,"col":22,"offset":8128},"abstract_content":"\"/fetch_url\""},"$ROUTE_FUNC":{"start":{"line":202,"col":5,"offset":8134},"end":{"line":202,"col":22,"offset":8151},"abstract_content":"fetch_url_content"},"$ROUTEVAR":{"start":{"line":202,"col":23,"offset":8152},"end":{"line":202,"col":26,"offset":8155},"abstract_content":"url"},"$FUNC":{"start":{"line":205,"col":29,"offset":8288},"end":{"line":205,"col":32,"offset":8291},"abstract_content":"get"}},"message":"Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.","metadata":{"cwe":["CWE-918: Server-Side Request Forgery (SSRF)"],"owasp":["A10:2021 - Server-Side Request Forgery (SSRF)"],"references":["https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"],"category":"security","technology":["flask"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"HIGH","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Server-Side Request Forgery (SSRF)"],"source":"https://semgrep.dev/r/python.flask.security.injection.ssrf-requests.ssrf-requests","shortlink":"https://sg.run/J9LW","semgrep.dev":{"rule":{"origin":"community","r_id":9546,"rule_id":"WAUoRx","rv_id":946226,"url":"https://semgrep.dev/playground/r/o5TZe8r/python.flask.security.injection.ssrf-requests.ssrf-requests","version_id":"o5TZe8r"}}},"severity":"ERROR","fingerprint":"9e243fdc21bcced9424a80b9158edd83090c25b66dceae7cd494643a58b03a05f86accfcec4bc79b0255a5401dee3d746946ab804283eed20604266d0e5dd9a0_0","lines":" response = requests.get(url)","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"dockerfile.security.missing-user.missing-user","path":"insecure-app/Dockerfile","start":{"line":34,"col":1,"offset":1048},"end":{"line":34,"col":31,"offset":1078},"extra":{"metavars":{"$...VARS":{"start":{"line":34,"col":5,"offset":1052},"end":{"line":34,"col":31,"offset":1078},"abstract_content":"[\"python3\"\"/app/app.py\"]"}},"message":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.","fix":"USER non-root\nCMD [\"python3\", \"/app/app.py\"]","metadata":{"cwe":["CWE-269: Improper Privilege Management"],"category":"security","technology":["dockerfile"],"confidence":"MEDIUM","owasp":["A04:2021 - Insecure Design"],"references":["https://owasp.org/Top10/A04_2021-Insecure_Design"],"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/dockerfile.security.missing-user.missing-user","shortlink":"https://sg.run/Gbvn","semgrep.dev":{"rule":{"origin":"community","r_id":20148,"rule_id":"AbUN06","rv_id":945269,"url":"https://semgrep.dev/playground/r/qkT4j4L/dockerfile.security.missing-user.missing-user","version_id":"qkT4j4L"}}},"severity":"ERROR","fingerprint":"af5e9dedee89e966f4a977ada65c8cf6eddc2c5c8bd31c9d5e6ade032a2f62b150ebe50e2f3aa6796806d4881ee2ded63e7cdf7b427f3a98e24a6dde432ad2ef_0","lines":"CMD [\"python3\", \"/app/app.py\"]","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","path":"insecure-app/app.py","start":{"line":9,"col":22,"offset":231},"end":{"line":9,"col":42,"offset":251},"extra":{"metavars":{"$1":{"start":{"line":9,"col":22,"offset":231},"end":{"line":9,"col":26,"offset":235},"abstract_content":"AKIA"}},"message":"AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.","metadata":{"cwe":["CWE-798: Use of Hard-coded Credentials"],"source-rule-url":"https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go","category":"security","technology":["secrets","aws"],"confidence":"LOW","owasp":["A07:2021 - Identification and Authentication Failures"],"references":["https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Hard-coded Secrets"],"source":"https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","shortlink":"https://sg.run/GeD1","semgrep.dev":{"rule":{"origin":"community","r_id":9048,"rule_id":"oqUevO","rv_id":945484,"url":"https://semgrep.dev/playground/r/rxT6rnL/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","version_id":"rxT6rnL"}}},"severity":"ERROR","fingerprint":"892f89afd53ea85da48c96befb7a856343567d35c775f901480c221b6b048d9ece1928a7cceeedc1d30e8d7c762a4c2f7730d46151e699a477824161b3859c88_0","lines":"aws_access_key_id = 'AKIA2JAPX77RGLB664VE'","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","path":"insecure-app/app.py","start":{"line":10,"col":1,"offset":253},"end":{"line":10,"col":56,"offset":308},"extra":{"metavars":{"$3":{"start":{"line":10,"col":1,"offset":253},"end":{"line":10,"col":4,"offset":256},"abstract_content":"aws"},"$1":{"start":{"line":10,"col":1,"offset":253},"end":{"line":10,"col":56,"offset":308},"abstract_content":"aws_secret = 'v5xpjkWYoy45fGKFSMajSn+sqs22WI2niacX9yO5'"},"$4":{"start":{"line":10,"col":5,"offset":257},"end":{"line":10,"col":11,"offset":263},"abstract_content":"secret"},"$6":{"start":{"line":10,"col":12,"offset":264},"end":{"line":10,"col":13,"offset":265},"abstract_content":"="},"$7":{"start":{"line":10,"col":14,"offset":266},"end":{"line":10,"col":15,"offset":267},"abstract_content":"'"},"$8":{"start":{"line":10,"col":55,"offset":307},"end":{"line":10,"col":56,"offset":308},"abstract_content":"'"}},"message":"AWS Secret Access Key detected","metadata":{"cwe":["CWE-798: Use of Hard-coded Credentials"],"source-rule-url":"https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go","category":"security","technology":["secrets","aws"],"confidence":"LOW","owasp":["A07:2021 - Identification and Authentication Failures"],"references":["https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Hard-coded Secrets"],"source":"https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","shortlink":"https://sg.run/Bk39","semgrep.dev":{"rule":{"origin":"community","r_id":9051,"rule_id":"2ZUbe8","rv_id":945487,"url":"https://semgrep.dev/playground/r/kbTYkWD/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","version_id":"kbTYkWD"}}},"severity":"ERROR","fingerprint":"13e25a7e818f3f0cd4c3ad50c3011eb98a0974336fb4790385234062c218c6931f0323eb80fe101996bebcadbae4de0f7ee5fc03f90632544d2c701619374ab0_0","lines":"aws_secret = 'v5xpjkWYoy45fGKFSMajSn+sqs22WI2niacX9yO5'","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.lang.security.audit.formatted-sql-query.formatted-sql-query","path":"insecure-app/app.py","start":{"line":23,"col":9,"offset":545},"end":{"line":23,"col":111,"offset":647},"extra":{"metavars":{"$DB":{"start":{"line":23,"col":9,"offset":545},"end":{"line":23,"col":15,"offset":551},"abstract_content":"cursor","propagated_value":{"svalue_start":{"line":19,"col":14,"offset":480},"svalue_end":{"line":19,"col":25,"offset":491},"svalue_abstract_content":"db.cursor()"}}},"message":"Detected possible formatted SQL query. Use parameterized queries instead.","metadata":{"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"references":["https://stackoverflow.com/questions/775296/mysql-parameterized-queries"],"category":"security","technology":["python"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query","shortlink":"https://sg.run/EkWw","semgrep.dev":{"rule":{"origin":"community","r_id":9637,"rule_id":"3qUP9k","rv_id":946343,"url":"https://semgrep.dev/playground/r/e1T98KK/python.lang.security.audit.formatted-sql-query.formatted-sql-query","version_id":"e1T98KK"}}},"severity":"WARNING","fingerprint":"bd3ed91c83ee049b51adf30ea5466f1461a8ff279db4115fdc50481292f4bd5a7eb1d0a541c81817dcba1091d202020a2ad429adad88ba47bf95ae3de09dc82e_0","lines":" cursor.execute(\"SELECT * FROM users WHERE username = '%s' AND password = '%s'\" % (username, password))","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","path":"insecure-app/app.py","start":{"line":23,"col":9,"offset":545},"end":{"line":23,"col":111,"offset":647},"extra":{"metavars":{"$CONNECTION":{"start":{"line":23,"col":9,"offset":545},"end":{"line":23,"col":15,"offset":551},"abstract_content":"cursor","propagated_value":{"svalue_start":{"line":19,"col":14,"offset":480},"svalue_end":{"line":19,"col":25,"offset":491},"svalue_abstract_content":"db.cursor()"}},"$SQL":{"start":{"line":23,"col":24,"offset":560},"end":{"line":23,"col":87,"offset":623},"abstract_content":"\"SELECT * FROM users WHERE username = '%s' AND password = '%s'\""}},"message":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.","metadata":{"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql","https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm","https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column"],"category":"security","technology":["sqlalchemy"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","shortlink":"https://sg.run/2b1L","semgrep.dev":{"rule":{"origin":"community","r_id":10563,"rule_id":"oqUz5y","rv_id":946452,"url":"https://semgrep.dev/playground/r/8KTKj19/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","version_id":"8KTKj19"}}},"severity":"ERROR","fingerprint":"1fb224609ca4d43b11a045658892258157b1de945c0814280f9f46badbd9f5400b93a2859da72a325226c083771a13fcd20474bff7e1efb084d3f2c0d8debc09_0","lines":" cursor.execute(\"SELECT * FROM users WHERE username = '%s' AND password = '%s'\" % (username, password))","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.flask.security.injection.subprocess-injection.subprocess-injection","path":"insecure-app/app.py","start":{"line":31,"col":23,"offset":841},"end":{"line":31,"col":104,"offset":922},"extra":{"metavars":{"$FUNC":{"start":{"line":31,"col":34,"offset":852},"end":{"line":31,"col":39,"offset":857},"abstract_content":"Popen"}},"message":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.","metadata":{"category":"security","technology":["flask"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"cwe":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"],"references":["https://semgrep.dev/docs/cheat-sheets/python-command-injection/"],"confidence":"HIGH","cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Command Injection"],"source":"https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection","shortlink":"https://sg.run/5gW3","semgrep.dev":{"rule":{"origin":"community","r_id":31147,"rule_id":"8GU3qp","rv_id":946227,"url":"https://semgrep.dev/playground/r/zyTlk7Y/python.flask.security.injection.subprocess-injection.subprocess-injection","version_id":"zyTlk7Y"}}},"severity":"ERROR","fingerprint":"3c4c4959625cb597aa8cf78e5feb44e5b02a16808ab6755551da9a678a7d7b2fb68b312e92a7f8368402331a094719ba4a2599894b5384ffd4d059c82b08374f_0","lines":" process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":30,"col":19,"offset":795},"end":{"line":30,"col":42,"offset":818}},"request.form['command']"]],"intermediate_vars":[{"location":{"path":"insecure-app/app.py","start":{"line":30,"col":13,"offset":789},"end":{"line":30,"col":16,"offset":792}},"content":"cmd"}],"taint_sink":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":31,"col":23,"offset":841},"end":{"line":31,"col":104,"offset":922}},"subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)"]]},"engine_kind":"OSS"}},{"check_id":"python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","path":"insecure-app/app.py","start":{"line":31,"col":40,"offset":858},"end":{"line":31,"col":43,"offset":861},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"form"},"$PROPERTY":{"start":{"line":30,"col":27,"offset":803},"end":{"line":30,"col":31,"offset":807},"abstract_content":"form"},"$SINK":{"start":{"line":31,"col":40,"offset":858},"end":{"line":31,"col":43,"offset":861},"abstract_content":"cmd","propagated_value":{"svalue_start":{"line":30,"col":19,"offset":795},"svalue_end":{"line":30,"col":42,"offset":818},"svalue_abstract_content":"request.form['command']"}}},"message":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.","metadata":{"likelihood":"MEDIUM","impact":"HIGH","confidence":"HIGH","category":"security","subcategory":["vuln"],"cwe":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"],"cwe2020-top25":true,"cwe2021-top25":true,"cwe2022-top25":true,"display-name":"OS Command Injection with Flask","functional-categories":["os::sink::os-command-or-thread::commands","os::sink::os-command-or-thread::os","os::sink::os-command-or-thread::popen2","os::sink::os-command-or-thread::stdlib","os::sink::os-command-or-thread::stdlib2","os::sink::os-command-or-thread::stdlib3","os::sink::os-command-or-thread::subprocess","web::source::cookie::flask","web::source::form-data::flask","web::source::form-data::flask-wtf","web::source::form-data::wtforms","web::source::header::flask","web::source::http-body::flask","web::source::http-params::flask","web::source::url-path-params::flask"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://docs.python.org/3/library/os.html","https://docs.python.org/3/library/subprocess.html#subprocess.Popen","https://owasp.org/Top10/A03_2021-Injection","https://semgrep.dev/docs/cheat-sheets/python-command-injection/","https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html"],"technology":["commands","flask","flask-wtf","os","popen2","stdlib","stdlib2","stdlib3","subprocess","web","wtforms"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Command Injection"],"source":"https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","shortlink":"https://sg.run/bwjrP","semgrep.dev":{"rule":{"origin":"pro_rules","r_id":139670,"rule_id":"PeUJ9BR","rv_id":947955,"url":"https://semgrep.dev/playground/r/kbTYREe/python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","version_id":"kbTYREe"}}},"severity":"ERROR","fingerprint":"11ab4317b1cc9c256e619e6eca976181caf7c7671e75dde752d0e6b5191147c9ee4983369ccb7414b693729c0b958333f0472b9b723e59e30443c9b145f7e7e8_0","lines":" process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":30,"col":19,"offset":795},"end":{"line":30,"col":42,"offset":818}},"request.form['command']"]],"intermediate_vars":[{"location":{"path":"insecure-app/app.py","start":{"line":30,"col":13,"offset":789},"end":{"line":30,"col":16,"offset":792}},"content":"cmd"}],"taint_sink":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":31,"col":40,"offset":858},"end":{"line":31,"col":43,"offset":861}},"cmd"]]},"engine_kind":"OSS"}},{"check_id":"python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use","path":"insecure-app/app.py","start":{"line":31,"col":40,"offset":858},"end":{"line":31,"col":43,"offset":861},"extra":{"metavars":{"$FUNC":{"start":{"line":31,"col":34,"offset":852},"end":{"line":31,"col":39,"offset":857},"abstract_content":"Popen"},"$CMD":{"start":{"line":31,"col":40,"offset":858},"end":{"line":31,"col":43,"offset":861},"abstract_content":"cmd","propagated_value":{"svalue_start":{"line":30,"col":19,"offset":795},"svalue_end":{"line":30,"col":42,"offset":818},"svalue_abstract_content":"request.form['command']"}}},"message":"Detected subprocess function 'Popen' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.escape()'.","metadata":{"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"cwe":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"],"asvs":{"control_id":"5.3.8 OS Command Injection","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements","section":"V5: Validation, Sanitization and Encoding Verification Requirements","version":"4"},"references":["https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess","https://docs.python.org/3/library/subprocess.html","https://docs.python.org/3/library/shlex.html","https://semgrep.dev/docs/cheat-sheets/python-command-injection/"],"category":"security","technology":["python"],"confidence":"MEDIUM","cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Command Injection"],"source":"https://semgrep.dev/r/python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use","shortlink":"https://sg.run/NWxp","semgrep.dev":{"rule":{"origin":"community","r_id":27271,"rule_id":"JDUz3R","rv_id":946391,"url":"https://semgrep.dev/playground/r/9lTy1bg/python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use","version_id":"9lTy1bg"}}},"severity":"ERROR","fingerprint":"6f0e63c619f951b4450d30c3b6e9d0078a540b139173b9dd62a26b4bb030219ef3541aaa9b1718d5ffecedd92bd4a6d528d14f1d3b12995cf0bcedd09a4bacf0_0","lines":" process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":30,"col":19,"offset":795},"end":{"line":30,"col":42,"offset":818}},"request.form['command']"]],"intermediate_vars":[{"location":{"path":"insecure-app/app.py","start":{"line":30,"col":13,"offset":789},"end":{"line":30,"col":16,"offset":792}},"content":"cmd"}],"taint_sink":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":31,"col":40,"offset":858},"end":{"line":31,"col":43,"offset":861}},"cmd"]]},"engine_kind":"OSS"}},{"check_id":"python.lang.security.audit.subprocess-shell-true.subprocess-shell-true","path":"insecure-app/app.py","start":{"line":31,"col":51,"offset":869},"end":{"line":31,"col":55,"offset":873},"extra":{"metavars":{"$FUNC":{"start":{"line":31,"col":34,"offset":852},"end":{"line":31,"col":39,"offset":857},"abstract_content":"Popen"},"$TRUE":{"start":{"line":31,"col":51,"offset":869},"end":{"line":31,"col":55,"offset":873},"abstract_content":"True"}},"message":"Found 'subprocess' function 'Popen' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead.","fix":"False","metadata":{"source-rule-url":"https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html","owasp":["A01:2017 - Injection","A03:2021 - Injection"],"cwe":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"],"references":["https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess","https://docs.python.org/3/library/subprocess.html"],"category":"security","technology":["python"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["secure default"],"likelihood":"HIGH","impact":"LOW","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Command Injection"],"source":"https://semgrep.dev/r/python.lang.security.audit.subprocess-shell-true.subprocess-shell-true","shortlink":"https://sg.run/J92w","semgrep.dev":{"rule":{"origin":"community","r_id":9646,"rule_id":"DbUpz2","rv_id":946382,"url":"https://semgrep.dev/playground/r/YDTvReW/python.lang.security.audit.subprocess-shell-true.subprocess-shell-true","version_id":"YDTvReW"}}},"severity":"ERROR","fingerprint":"67b3f01781e5320338a679e28d25eb74a0afbdff9a8e8bf3e384dec075532a176d5d3a10c438e7756a4e38cd767938cdc9fef681fde2f488e574fd027b27a5f2_0","lines":" process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute","path":"insecure-app/app.py","start":{"line":46,"col":13,"offset":1576},"end":{"line":58,"col":43,"offset":2133},"extra":{"metavars":{"$FUNC":{"start":{"line":15,"col":5,"offset":378},"end":{"line":15,"col":10,"offset":383},"abstract_content":"index"},"$DATA":{"start":{"line":46,"col":13,"offset":1576},"end":{"line":46,"col":16,"offset":1579},"abstract_content":"sql"},"$W":{"start":{"line":46,"col":27,"offset":1590},"end":{"line":46,"col":31,"offset":1594},"abstract_content":"form"},"$CURSOR":{"start":{"line":49,"col":17,"offset":1682},"end":{"line":49,"col":23,"offset":1688},"abstract_content":"cursor"}},"message":"User-controlled data from a request is passed to 'execute()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.","metadata":{"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection"],"category":"security","technology":["django"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"HIGH","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute","shortlink":"https://sg.run/qx7y","semgrep.dev":{"rule":{"origin":"community","r_id":9512,"rule_id":"2ZUbDL","rv_id":946186,"url":"https://semgrep.dev/playground/r/X0TL8rA/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute","version_id":"X0TL8rA"}}},"severity":"WARNING","fingerprint":"b35bc65f56ad96a3e7dd4426467722cfb9fa4098152b35bfcb26998d73f364cccec3bc08fb082f6ea9c665dc2e40f5ee544cce5e89249b6b6d5542f95968849e_0","lines":" sql = request.form['sql']\n try:\n # Execute the user's SQL query\n cursor.execute(sql)\n # Fetch all rows from the query result\n rows = cursor.fetchall()\n # Format the results for display\n if rows:\n output = \"Results:\\n\" + \"\\n\".join(str(row) for row in rows)\n else:\n output = \"Query executed successfully, but no results found.\"\n except Exception as e:\n output = f\"SQL Error: {e}\"","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.flask.db.generic-sql-flask.generic-sql-flask","path":"insecure-app/app.py","start":{"line":49,"col":32,"offset":1697},"end":{"line":49,"col":35,"offset":1700},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"form"},"$PROPERTY":{"start":{"line":46,"col":27,"offset":1590},"end":{"line":46,"col":31,"offset":1594},"abstract_content":"form"},"$AIOMYSQL_CURSOR":{"start":{"line":49,"col":17,"offset":1682},"end":{"line":49,"col":23,"offset":1688},"abstract_content":"cursor"},"$SINK":{"start":{"line":49,"col":32,"offset":1697},"end":{"line":49,"col":35,"offset":1700},"abstract_content":"sql","propagated_value":{"svalue_start":{"line":46,"col":19,"offset":1582},"svalue_end":{"line":46,"col":38,"offset":1601},"svalue_abstract_content":"request.form['sql']"}}},"message":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value.","metadata":{"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","category":"security","subcategory":["vuln"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"cwe2020-top25":true,"cwe2021-top25":true,"cwe2022-top25":true,"display-name":"SQL Injection with Flask","functional-categories":["db::sink::sql-or-nosql-query::aiomysql","db::sink::sql-or-nosql-query::aiopg","db::sink::sql-or-nosql-query::mysql-connector","db::sink::sql-or-nosql-query::mysqldb","db::sink::sql-or-nosql-query::pep249","db::sink::sql-or-nosql-query::psycopg2","db::sink::sql-or-nosql-query::pymssql","db::sink::sql-or-nosql-query::pymysql","db::sink::sql-or-nosql-query::pyodbc","web::source::cookie::flask","web::source::form-data::flask","web::source::form-data::flask-wtf","web::source::form-data::wtforms","web::source::header::flask","web::source::http-body::flask","web::source::http-params::flask","web::source::url-path-params::flask"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://owasp.org/Top10/A03_2021-Injection"],"technology":["aiomysql","aiopg","db-api","flask","flask-wtf","mssql","mysql","mysql-connector","mysqldb","pep249","postgres","psycopg2","pymssql","pymysql","pyodbc","sql","web","wtforms"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.flask.db.generic-sql-flask.generic-sql-flask","shortlink":"https://sg.run/AbKXQ","semgrep.dev":{"rule":{"origin":"pro_rules","r_id":116506,"rule_id":"0oULG2d","rv_id":947908,"url":"https://semgrep.dev/playground/r/rxT6kpn/python.flask.db.generic-sql-flask.generic-sql-flask","version_id":"rxT6kpn"}}},"severity":"ERROR","fingerprint":"45f29ae146b3bd34ec3dba49040437a0367c6109b5f020c58ca02551748a3e73c850103ae2374abdaed85b1d8fc26d668175f9a872279dd517cc3f59de3b4e4d_0","lines":" cursor.execute(sql)","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":46,"col":19,"offset":1582},"end":{"line":46,"col":38,"offset":1601}},"request.form['sql']"]],"intermediate_vars":[{"location":{"path":"insecure-app/app.py","start":{"line":46,"col":13,"offset":1576},"end":{"line":46,"col":16,"offset":1579}},"content":"sql"}],"taint_sink":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":49,"col":32,"offset":1697},"end":{"line":49,"col":35,"offset":1700}},"sql"]]},"engine_kind":"OSS"}},{"check_id":"python.tars.flask.sql.prestodb.flask-prestodb-sqli.flask-prestodb-sqli","path":"insecure-app/app.py","start":{"line":49,"col":32,"offset":1697},"end":{"line":49,"col":35,"offset":1700},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"form"},"$PROPERTY":{"start":{"line":46,"col":27,"offset":1590},"end":{"line":46,"col":31,"offset":1594},"abstract_content":"form"},"$O":{"start":{"line":49,"col":17,"offset":1682},"end":{"line":49,"col":23,"offset":1688},"abstract_content":"cursor"},"$SINK":{"start":{"line":49,"col":32,"offset":1697},"end":{"line":49,"col":35,"offset":1700},"abstract_content":"sql","propagated_value":{"svalue_start":{"line":46,"col":19,"offset":1582},"svalue_end":{"line":46,"col":38,"offset":1601},"svalue_abstract_content":"request.form['sql']"}}},"message":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.","metadata":{"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","category":"security","subcategory":["vuln"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"cwe2020-top25":true,"cwe2021-top25":true,"cwe2022-top25":true,"display-name":"SQL Injection with prestodb via flask","functional-categories":["db::sink::sql-or-nosql-query::prestodb","web::source::cookie::flask","web::source::form-data::flask","web::source::form-data::flask-wtf","web::source::form-data::wtforms","web::source::header::flask","web::source::http-body::flask","web::source::http-params::flask","web::source::url-path-params::flask"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://owasp.org/Top10/A03_2021-Injection"],"technology":["flask","flask-wtf","prestodb","python","web","wtforms"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.tars.flask.sql.prestodb.flask-prestodb-sqli.flask-prestodb-sqli","shortlink":"https://sg.run/Ab2Y4","semgrep.dev":{"rule":{"origin":"pro_rules","r_id":151050,"rule_id":"qNU2nYq","rv_id":974114,"url":"https://semgrep.dev/playground/r/kbTYe8A/python.tars.flask.sql.prestodb.flask-prestodb-sqli.flask-prestodb-sqli","version_id":"kbTYe8A"}}},"severity":"ERROR","fingerprint":"c707a7a8c1c44bf1b4460caeefe5febb977ac53dc883c7c310feb3faf39c7dca59c64330ec471754f350d004adf7eb7a8e93ddc54ba4df384fbd4eaf9c94b81a_0","lines":" cursor.execute(sql)","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":46,"col":19,"offset":1582},"end":{"line":46,"col":38,"offset":1601}},"request.form['sql']"]],"intermediate_vars":[{"location":{"path":"insecure-app/app.py","start":{"line":46,"col":13,"offset":1576},"end":{"line":46,"col":16,"offset":1579}},"content":"sql"}],"taint_sink":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":49,"col":32,"offset":1697},"end":{"line":49,"col":35,"offset":1700}},"sql"]]},"engine_kind":"OSS"}},{"check_id":"python.tars.flask.sql.prestodb.flask-without-url-path-prestodb-sqli.flask-without-url-path-prestodb-sqli","path":"insecure-app/app.py","start":{"line":49,"col":32,"offset":1697},"end":{"line":49,"col":35,"offset":1700},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"form"},"$PROPERTY":{"start":{"line":46,"col":27,"offset":1590},"end":{"line":46,"col":31,"offset":1594},"abstract_content":"form"},"$O":{"start":{"line":49,"col":17,"offset":1682},"end":{"line":49,"col":23,"offset":1688},"abstract_content":"cursor"},"$SINK":{"start":{"line":49,"col":32,"offset":1697},"end":{"line":49,"col":35,"offset":1700},"abstract_content":"sql","propagated_value":{"svalue_start":{"line":46,"col":19,"offset":1582},"svalue_end":{"line":46,"col":38,"offset":1601},"svalue_abstract_content":"request.form['sql']"}}},"message":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.","metadata":{"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","category":"security","subcategory":["vuln"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"cwe2020-top25":true,"cwe2021-top25":true,"cwe2022-top25":true,"display-name":"SQL Injection with prestodb via flask-without-url-path","functional-categories":["db::sink::sql-or-nosql-query::prestodb","web::source::cookie::flask","web::source::form-data::flask","web::source::form-data::flask-wtf","web::source::form-data::wtforms","web::source::header::flask","web::source::http-body::flask","web::source::http-params::flask","web::source::url-path-params::flask"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://owasp.org/Top10/A03_2021-Injection"],"technology":["flask","flask-wtf","prestodb","python","web","wtforms"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.tars.flask.sql.prestodb.flask-without-url-path-prestodb-sqli.flask-without-url-path-prestodb-sqli","shortlink":"https://sg.run/BYXN5","semgrep.dev":{"rule":{"origin":"pro_rules","r_id":151051,"rule_id":"lBU4OQB","rv_id":974115,"url":"https://semgrep.dev/playground/r/w8TKyGQ/python.tars.flask.sql.prestodb.flask-without-url-path-prestodb-sqli.flask-without-url-path-prestodb-sqli","version_id":"w8TKyGQ"}}},"severity":"ERROR","fingerprint":"d0e545872c07965feb05279b73bc6eac98db46912ddc00dbef6a08ed6b4e161fd03cc8ca02606d1350676ec9e34a6ec8d32f1fed8e31a2f8464ede46ceba1687_0","lines":" cursor.execute(sql)","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":46,"col":19,"offset":1582},"end":{"line":46,"col":38,"offset":1601}},"request.form['sql']"]],"intermediate_vars":[{"location":{"path":"insecure-app/app.py","start":{"line":46,"col":13,"offset":1576},"end":{"line":46,"col":16,"offset":1579}},"content":"sql"}],"taint_sink":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":49,"col":32,"offset":1697},"end":{"line":49,"col":35,"offset":1700}},"sql"]]},"engine_kind":"OSS"}},{"check_id":"python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests","path":"insecure-app/app.py","start":{"line":78,"col":13,"offset":2923},"end":{"line":83,"col":44,"offset":3154},"extra":{"metavars":{"$FUNC":{"start":{"line":15,"col":5,"offset":378},"end":{"line":15,"col":10,"offset":383},"abstract_content":"index"},"$DATA":{"start":{"line":78,"col":13,"offset":2923},"end":{"line":78,"col":16,"offset":2926},"abstract_content":"url"},"$W":{"start":{"line":78,"col":27,"offset":2937},"end":{"line":78,"col":31,"offset":2941},"abstract_content":"form"},"$METHOD":{"start":{"line":80,"col":37,"offset":3002},"end":{"line":80,"col":40,"offset":3005},"abstract_content":"get"}},"message":"Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities.","metadata":{"cwe":["CWE-918: Server-Side Request Forgery (SSRF)"],"owasp":["A10:2021 - Server-Side Request Forgery (SSRF)"],"references":["https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"],"category":"security","technology":["django"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"HIGH","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Server-Side Request Forgery (SSRF)"],"source":"https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests","shortlink":"https://sg.run/YvY4","semgrep.dev":{"rule":{"origin":"community","r_id":9514,"rule_id":"j2UvEw","rv_id":946188,"url":"https://semgrep.dev/playground/r/1QToK1Y/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests","version_id":"1QToK1Y"}}},"severity":"ERROR","fingerprint":"fab6dfa09b05c5b55536041ea9183547a03254003da91e929744c051374c388e8d971e3ab4ca41e66fc7d1e22f889877016e2990bf9f711d2be4b13c8bc16fd6_0","lines":" url = request.form['url']\n try:\n response = requests.get(url)\n output = f\"SSRF Response: {response.text[:200]}\"\n except Exception as e:\n output = f\"SSRF Error: {e}\"","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.flask.security.injection.ssrf-requests.ssrf-requests","path":"insecure-app/app.py","start":{"line":80,"col":28,"offset":2993},"end":{"line":80,"col":45,"offset":3010},"extra":{"metavars":{"$INTERM":{"start":{"line":78,"col":13,"offset":2923},"end":{"line":78,"col":16,"offset":2926},"abstract_content":"url"},"$W":{"start":{"line":78,"col":27,"offset":2937},"end":{"line":78,"col":31,"offset":2941},"abstract_content":"form"},"$FUNC":{"start":{"line":80,"col":37,"offset":3002},"end":{"line":80,"col":40,"offset":3005},"abstract_content":"get"}},"message":"Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.","metadata":{"cwe":["CWE-918: Server-Side Request Forgery (SSRF)"],"owasp":["A10:2021 - Server-Side Request Forgery (SSRF)"],"references":["https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"],"category":"security","technology":["flask"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"HIGH","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Server-Side Request Forgery (SSRF)"],"source":"https://semgrep.dev/r/python.flask.security.injection.ssrf-requests.ssrf-requests","shortlink":"https://sg.run/J9LW","semgrep.dev":{"rule":{"origin":"community","r_id":9546,"rule_id":"WAUoRx","rv_id":946226,"url":"https://semgrep.dev/playground/r/o5TZe8r/python.flask.security.injection.ssrf-requests.ssrf-requests","version_id":"o5TZe8r"}}},"severity":"ERROR","fingerprint":"4525c51704f25a76ff79dff00f116f744a0ee0e4df50661c6c0076b01455629a344469a5ba828e963fa20f78f9d8c8b632b49623a9ff9ef4ad241a301d1617e5_0","lines":" response = requests.get(url)","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.flask.net.tainted-flask-http-request-requests.tainted-flask-http-request-requests","path":"insecure-app/app.py","start":{"line":80,"col":41,"offset":3006},"end":{"line":80,"col":44,"offset":3009},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"form"},"$PROPERTY":{"start":{"line":78,"col":27,"offset":2937},"end":{"line":78,"col":31,"offset":2941},"abstract_content":"form"},"$FUNC":{"start":{"line":80,"col":37,"offset":3002},"end":{"line":80,"col":40,"offset":3005},"abstract_content":"get"},"$URL":{"start":{"line":80,"col":41,"offset":3006},"end":{"line":80,"col":44,"offset":3009},"abstract_content":"url","propagated_value":{"svalue_start":{"line":78,"col":19,"offset":2929},"svalue_end":{"line":78,"col":38,"offset":2948},"svalue_abstract_content":"request.form['url']"}}},"message":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.","metadata":{"likelihood":"MEDIUM","impact":"HIGH","confidence":"MEDIUM","category":"security","subcategory":["vuln"],"cwe":["CWE-918: Server-Side Request Forgery (SSRF)"],"cwe2021-top25":true,"cwe2022-top25":true,"display-name":"Server-Side Request Forgery (SSRF) with Flask","functional-categories":["net::sink::http-request::requests","web::source::cookie::flask","web::source::form-data::flask","web::source::form-data::flask-wtf","web::source::form-data::wtforms","web::source::header::flask","web::source::http-body::flask","web::source::http-params::flask","web::source::url-path-params::flask"],"owasp":["A10:2021 - Server-Side Request Forgery (SSRF)"],"references":["https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"],"technology":["flask","flask-wtf","requests","web","wtforms"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Server-Side Request Forgery (SSRF)"],"source":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-requests.tainted-flask-http-request-requests","shortlink":"https://sg.run/109zk","semgrep.dev":{"rule":{"origin":"pro_rules","r_id":116522,"rule_id":"bwUbEzL","rv_id":947949,"url":"https://semgrep.dev/playground/r/1QToZr7/python.flask.net.tainted-flask-http-request-requests.tainted-flask-http-request-requests","version_id":"1QToZr7"}}},"severity":"ERROR","fingerprint":"b9ea27fee0799df8f4a4afd40cbd61dccca7c131e69366e582ff71ce00d5e7e990fcb5adf0c4e4656360f9d85e36588e47e177df2cb2e179cb7417e68cdfb5f2_0","lines":" response = requests.get(url)","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":78,"col":19,"offset":2929},"end":{"line":78,"col":38,"offset":2948}},"request.form['url']"]],"intermediate_vars":[{"location":{"path":"insecure-app/app.py","start":{"line":78,"col":13,"offset":2923},"end":{"line":78,"col":16,"offset":2926}},"content":"url"}],"taint_sink":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":80,"col":41,"offset":3006},"end":{"line":80,"col":44,"offset":3009}},"url"]]},"engine_kind":"OSS"}},{"check_id":"python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute","path":"insecure-app/app.py","start":{"line":87,"col":13,"offset":3277},"end":{"line":98,"col":43,"offset":3811},"extra":{"metavars":{"$FUNC":{"start":{"line":15,"col":5,"offset":378},"end":{"line":15,"col":10,"offset":383},"abstract_content":"index"},"$DATA":{"start":{"line":87,"col":13,"offset":3277},"end":{"line":87,"col":21,"offset":3285},"abstract_content":"username"},"$W":{"start":{"line":87,"col":32,"offset":3296},"end":{"line":87,"col":36,"offset":3300},"abstract_content":"form"},"$INTERM":{"start":{"line":90,"col":17,"offset":3412},"end":{"line":90,"col":22,"offset":3417},"abstract_content":"query"},"$STR":{"start":{"line":90,"col":25,"offset":3420},"end":{"line":90,"col":75,"offset":3470},"abstract_content":"\"SELECT password FROM users WHERE username = '{}'\""},"$CURSOR":{"start":{"line":91,"col":17,"offset":3504},"end":{"line":91,"col":23,"offset":3510},"abstract_content":"cursor"}},"message":"User-controlled data from a request is passed to 'execute()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.","metadata":{"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection"],"category":"security","technology":["django"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"HIGH","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute","shortlink":"https://sg.run/qx7y","semgrep.dev":{"rule":{"origin":"community","r_id":9512,"rule_id":"2ZUbDL","rv_id":946186,"url":"https://semgrep.dev/playground/r/X0TL8rA/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute","version_id":"X0TL8rA"}}},"severity":"WARNING","fingerprint":"7de13c47abcf430754420a48d341c9be3f7c9616b721a91fad2547e88f3a1ec7f778a8689a2d00e9752f224332372edb09cec074030cc5031feadeaf9c42e487_0","lines":" username = request.form['username']\n try:\n # Vulnerable SQL query using string interpolation\n query = \"SELECT password FROM users WHERE username = '{}'\".format(username)\n cursor.execute(query)\n result = cursor.fetchone()\n if result:\n output = f\"Password for {username}: {result[0]}\"\n else:\n output = \"User not found.\"\n except Exception as e:\n output = f\"SQL Error: {e}\"","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.django.security.injection.tainted-sql-string.tainted-sql-string","path":"insecure-app/app.py","start":{"line":90,"col":25,"offset":3420},"end":{"line":90,"col":92,"offset":3487},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":7,"offset":6},"abstract_content":"SELECT"},"$ANYTHING":{"start":{"line":87,"col":32,"offset":3296},"end":{"line":87,"col":36,"offset":3300},"abstract_content":"form"},"$SQLSTR":{"start":{"line":90,"col":26,"offset":3421},"end":{"line":90,"col":74,"offset":3469},"abstract_content":"SELECT password FROM users WHERE username = '{}'"}},"message":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries.","metadata":{"cwe":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"],"owasp":["A08:2021 - Software and Data Integrity Failures"],"references":["https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection"],"category":"security","technology":["django"],"subcategory":["audit"],"impact":"LOW","likelihood":"MEDIUM","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Mass Assignment"],"source":"https://semgrep.dev/r/python.django.security.injection.tainted-sql-string.tainted-sql-string","shortlink":"https://sg.run/PbZp","semgrep.dev":{"rule":{"origin":"community","r_id":14701,"rule_id":"lBU8Ad","rv_id":946190,"url":"https://semgrep.dev/playground/r/yeT0nKx/python.django.security.injection.tainted-sql-string.tainted-sql-string","version_id":"yeT0nKx"}}},"severity":"ERROR","fingerprint":"131b5e7e7d2ac6fc49fe8d7468f54e651a09d4a4706cdea3961e2fa888007b16999046aff46b29fadd3e0fa30f6ae43e0b461b4ae3bf39a7323b33e3c32d2ff8_0","lines":" query = \"SELECT password FROM users WHERE username = '{}'\".format(username)","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":87,"col":24,"offset":3288},"end":{"line":87,"col":36,"offset":3300}},"request.form"]],"intermediate_vars":[{"location":{"path":"insecure-app/app.py","start":{"line":87,"col":13,"offset":3277},"end":{"line":87,"col":21,"offset":3285}},"content":"username"}],"taint_sink":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":90,"col":25,"offset":3420},"end":{"line":90,"col":92,"offset":3487}},"\"SELECT password FROM users WHERE username = '{}'\".format(username)"]]},"engine_kind":"OSS"}},{"check_id":"python.flask.security.injection.tainted-sql-string.tainted-sql-string","path":"insecure-app/app.py","start":{"line":90,"col":25,"offset":3420},"end":{"line":90,"col":92,"offset":3487},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":7,"offset":6},"abstract_content":"SELECT"},"$ANYTHING":{"start":{"line":87,"col":32,"offset":3296},"end":{"line":87,"col":36,"offset":3300},"abstract_content":"form"},"$SQLSTR":{"start":{"line":90,"col":26,"offset":3421},"end":{"line":90,"col":74,"offset":3469},"abstract_content":"SELECT password FROM users WHERE username = '{}'"}},"message":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.","metadata":{"cwe":["CWE-704: Incorrect Type Conversion or Cast"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql","https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm","https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column"],"category":"security","technology":["sqlalchemy","flask"],"subcategory":["vuln"],"impact":"MEDIUM","likelihood":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Validation"],"source":"https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string","shortlink":"https://sg.run/JxZj","semgrep.dev":{"rule":{"origin":"community","r_id":14702,"rule_id":"YGUDKQ","rv_id":946228,"url":"https://semgrep.dev/playground/r/pZTNO7z/python.flask.security.injection.tainted-sql-string.tainted-sql-string","version_id":"pZTNO7z"}}},"severity":"ERROR","fingerprint":"d78139633035de6bf1b9a560172a84f789b9ddd923facc66df7a193b8e313841e015366f2216bfa6d2a311380594d28e7b5da825a9eaeabb73bf9613adbdb29d_0","lines":" query = \"SELECT password FROM users WHERE username = '{}'\".format(username)","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":87,"col":24,"offset":3288},"end":{"line":87,"col":36,"offset":3300}},"request.form"]],"intermediate_vars":[{"location":{"path":"insecure-app/app.py","start":{"line":87,"col":13,"offset":3277},"end":{"line":87,"col":21,"offset":3285}},"content":"username"}],"taint_sink":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":90,"col":25,"offset":3420},"end":{"line":90,"col":92,"offset":3487}},"\"SELECT password FROM users WHERE username = '{}'\".format(username)"]]},"engine_kind":"OSS"}},{"check_id":"python.lang.security.audit.formatted-sql-query.formatted-sql-query","path":"insecure-app/app.py","start":{"line":91,"col":17,"offset":3504},"end":{"line":91,"col":38,"offset":3525},"extra":{"metavars":{"$DB":{"start":{"line":91,"col":17,"offset":3504},"end":{"line":91,"col":23,"offset":3510},"abstract_content":"cursor"},"$SQL":{"start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524},"abstract_content":"query","propagated_value":{"svalue_start":{"line":90,"col":25,"offset":3420},"svalue_end":{"line":90,"col":92,"offset":3487},"svalue_abstract_content":"\"SELECT password FROM users WHERE username = '{}'\".format(username)"}}},"message":"Detected possible formatted SQL query. Use parameterized queries instead.","metadata":{"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"references":["https://stackoverflow.com/questions/775296/mysql-parameterized-queries"],"category":"security","technology":["python"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query","shortlink":"https://sg.run/EkWw","semgrep.dev":{"rule":{"origin":"community","r_id":9637,"rule_id":"3qUP9k","rv_id":946343,"url":"https://semgrep.dev/playground/r/e1T98KK/python.lang.security.audit.formatted-sql-query.formatted-sql-query","version_id":"e1T98KK"}}},"severity":"WARNING","fingerprint":"a74600ac310bdab04cc5ea8c2e7c25221703979f0286dde9018a90d2dbd6c16ea381c5d4f9cb97fbcac0b0aeef454a63c3f82f078d6fa9512358b6566e5263a3_0","lines":" cursor.execute(query)","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","path":"insecure-app/app.py","start":{"line":91,"col":17,"offset":3504},"end":{"line":91,"col":38,"offset":3525},"extra":{"metavars":{"$SQL":{"start":{"line":90,"col":25,"offset":3420},"end":{"line":90,"col":75,"offset":3470},"abstract_content":"\"SELECT password FROM users WHERE username = '{}'\""},"$CONNECTION":{"start":{"line":91,"col":17,"offset":3504},"end":{"line":91,"col":23,"offset":3510},"abstract_content":"cursor"},"$QUERY":{"start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524},"abstract_content":"query","propagated_value":{"svalue_start":{"line":90,"col":25,"offset":3420},"svalue_end":{"line":90,"col":92,"offset":3487},"svalue_abstract_content":"\"SELECT password FROM users WHERE username = '{}'\".format(username)"}}},"message":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.","metadata":{"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql","https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm","https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column"],"category":"security","technology":["sqlalchemy"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","shortlink":"https://sg.run/2b1L","semgrep.dev":{"rule":{"origin":"community","r_id":10563,"rule_id":"oqUz5y","rv_id":946452,"url":"https://semgrep.dev/playground/r/8KTKj19/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","version_id":"8KTKj19"}}},"severity":"ERROR","fingerprint":"97cb38d9b784f2ccc9d408311b424efd2db86f21a63023679b620bdd2800fa8befdbbd093b704ba25840091646bc7b85382022dc1d4d980c88b5252c8720390a_0","lines":" cursor.execute(query)","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.flask.db.generic-sql-flask.generic-sql-flask","path":"insecure-app/app.py","start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"form"},"$PROPERTY":{"start":{"line":87,"col":32,"offset":3296},"end":{"line":87,"col":36,"offset":3300},"abstract_content":"form"},"$AIOMYSQL_CURSOR":{"start":{"line":91,"col":17,"offset":3504},"end":{"line":91,"col":23,"offset":3510},"abstract_content":"cursor"},"$SINK":{"start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524},"abstract_content":"query","propagated_value":{"svalue_start":{"line":90,"col":25,"offset":3420},"svalue_end":{"line":90,"col":92,"offset":3487},"svalue_abstract_content":"\"SELECT password FROM users WHERE username = '{}'\".format(username)"}}},"message":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value.","metadata":{"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","category":"security","subcategory":["vuln"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"cwe2020-top25":true,"cwe2021-top25":true,"cwe2022-top25":true,"display-name":"SQL Injection with Flask","functional-categories":["db::sink::sql-or-nosql-query::aiomysql","db::sink::sql-or-nosql-query::aiopg","db::sink::sql-or-nosql-query::mysql-connector","db::sink::sql-or-nosql-query::mysqldb","db::sink::sql-or-nosql-query::pep249","db::sink::sql-or-nosql-query::psycopg2","db::sink::sql-or-nosql-query::pymssql","db::sink::sql-or-nosql-query::pymysql","db::sink::sql-or-nosql-query::pyodbc","web::source::cookie::flask","web::source::form-data::flask","web::source::form-data::flask-wtf","web::source::form-data::wtforms","web::source::header::flask","web::source::http-body::flask","web::source::http-params::flask","web::source::url-path-params::flask"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://owasp.org/Top10/A03_2021-Injection"],"technology":["aiomysql","aiopg","db-api","flask","flask-wtf","mssql","mysql","mysql-connector","mysqldb","pep249","postgres","psycopg2","pymssql","pymysql","pyodbc","sql","web","wtforms"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.flask.db.generic-sql-flask.generic-sql-flask","shortlink":"https://sg.run/AbKXQ","semgrep.dev":{"rule":{"origin":"pro_rules","r_id":116506,"rule_id":"0oULG2d","rv_id":947908,"url":"https://semgrep.dev/playground/r/rxT6kpn/python.flask.db.generic-sql-flask.generic-sql-flask","version_id":"rxT6kpn"}}},"severity":"ERROR","fingerprint":"a80f7e2b4c23589f94ab602f17de0c81936ee0e90bae9e1716a1ceca152f7466301e0b6af164ffe2e311facac9f4f61b278c6c1c47ef1e2e07fce41c0042a588_0","lines":" cursor.execute(query)","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":87,"col":24,"offset":3288},"end":{"line":87,"col":48,"offset":3312}},"request.form['username']"]],"intermediate_vars":[{"location":{"path":"insecure-app/app.py","start":{"line":87,"col":13,"offset":3277},"end":{"line":87,"col":21,"offset":3285}},"content":"username"},{"location":{"path":"insecure-app/app.py","start":{"line":90,"col":17,"offset":3412},"end":{"line":90,"col":22,"offset":3417}},"content":"query"}],"taint_sink":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524}},"query"]]},"engine_kind":"OSS"}},{"check_id":"python.tars.flask.sql.prestodb.flask-prestodb-sqli.flask-prestodb-sqli","path":"insecure-app/app.py","start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"form"},"$PROPERTY":{"start":{"line":87,"col":32,"offset":3296},"end":{"line":87,"col":36,"offset":3300},"abstract_content":"form"},"$O":{"start":{"line":91,"col":17,"offset":3504},"end":{"line":91,"col":23,"offset":3510},"abstract_content":"cursor"},"$SINK":{"start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524},"abstract_content":"query","propagated_value":{"svalue_start":{"line":90,"col":25,"offset":3420},"svalue_end":{"line":90,"col":92,"offset":3487},"svalue_abstract_content":"\"SELECT password FROM users WHERE username = '{}'\".format(username)"}}},"message":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.","metadata":{"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","category":"security","subcategory":["vuln"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"cwe2020-top25":true,"cwe2021-top25":true,"cwe2022-top25":true,"display-name":"SQL Injection with prestodb via flask","functional-categories":["db::sink::sql-or-nosql-query::prestodb","web::source::cookie::flask","web::source::form-data::flask","web::source::form-data::flask-wtf","web::source::form-data::wtforms","web::source::header::flask","web::source::http-body::flask","web::source::http-params::flask","web::source::url-path-params::flask"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://owasp.org/Top10/A03_2021-Injection"],"technology":["flask","flask-wtf","prestodb","python","web","wtforms"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.tars.flask.sql.prestodb.flask-prestodb-sqli.flask-prestodb-sqli","shortlink":"https://sg.run/Ab2Y4","semgrep.dev":{"rule":{"origin":"pro_rules","r_id":151050,"rule_id":"qNU2nYq","rv_id":974114,"url":"https://semgrep.dev/playground/r/kbTYe8A/python.tars.flask.sql.prestodb.flask-prestodb-sqli.flask-prestodb-sqli","version_id":"kbTYe8A"}}},"severity":"ERROR","fingerprint":"d775a8b630cffbbe8eca881c9cfcdb41f1712b6b4725bd2eff0e62d0a2a62a2d7dd68d3d0f894ebc17c9eac9ae138a5d02473baf772d07f06ff34bb0f87a7b60_0","lines":" cursor.execute(query)","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":87,"col":24,"offset":3288},"end":{"line":87,"col":48,"offset":3312}},"request.form['username']"]],"intermediate_vars":[{"location":{"path":"insecure-app/app.py","start":{"line":87,"col":13,"offset":3277},"end":{"line":87,"col":21,"offset":3285}},"content":"username"},{"location":{"path":"insecure-app/app.py","start":{"line":90,"col":17,"offset":3412},"end":{"line":90,"col":22,"offset":3417}},"content":"query"}],"taint_sink":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524}},"query"]]},"engine_kind":"OSS"}},{"check_id":"python.tars.flask.sql.prestodb.flask-without-url-path-prestodb-sqli.flask-without-url-path-prestodb-sqli","path":"insecure-app/app.py","start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"form"},"$PROPERTY":{"start":{"line":87,"col":32,"offset":3296},"end":{"line":87,"col":36,"offset":3300},"abstract_content":"form"},"$O":{"start":{"line":91,"col":17,"offset":3504},"end":{"line":91,"col":23,"offset":3510},"abstract_content":"cursor"},"$SINK":{"start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524},"abstract_content":"query","propagated_value":{"svalue_start":{"line":90,"col":25,"offset":3420},"svalue_end":{"line":90,"col":92,"offset":3487},"svalue_abstract_content":"\"SELECT password FROM users WHERE username = '{}'\".format(username)"}}},"message":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.","metadata":{"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","category":"security","subcategory":["vuln"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"cwe2020-top25":true,"cwe2021-top25":true,"cwe2022-top25":true,"display-name":"SQL Injection with prestodb via flask-without-url-path","functional-categories":["db::sink::sql-or-nosql-query::prestodb","web::source::cookie::flask","web::source::form-data::flask","web::source::form-data::flask-wtf","web::source::form-data::wtforms","web::source::header::flask","web::source::http-body::flask","web::source::http-params::flask","web::source::url-path-params::flask"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://owasp.org/Top10/A03_2021-Injection"],"technology":["flask","flask-wtf","prestodb","python","web","wtforms"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.tars.flask.sql.prestodb.flask-without-url-path-prestodb-sqli.flask-without-url-path-prestodb-sqli","shortlink":"https://sg.run/BYXN5","semgrep.dev":{"rule":{"origin":"pro_rules","r_id":151051,"rule_id":"lBU4OQB","rv_id":974115,"url":"https://semgrep.dev/playground/r/w8TKyGQ/python.tars.flask.sql.prestodb.flask-without-url-path-prestodb-sqli.flask-without-url-path-prestodb-sqli","version_id":"w8TKyGQ"}}},"severity":"ERROR","fingerprint":"3b031ef816c35b352f70682b3f4b652864376d5a11968a80b3f91b46993f639a7a3fb6cae975a6fe9eea99a57629691ca54b76eb0a7433160e96197f9a646858_0","lines":" cursor.execute(query)","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":87,"col":24,"offset":3288},"end":{"line":87,"col":48,"offset":3312}},"request.form['username']"]],"intermediate_vars":[{"location":{"path":"insecure-app/app.py","start":{"line":87,"col":13,"offset":3277},"end":{"line":87,"col":21,"offset":3285}},"content":"username"},{"location":{"path":"insecure-app/app.py","start":{"line":90,"col":17,"offset":3412},"end":{"line":90,"col":22,"offset":3417}},"content":"query"}],"taint_sink":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524}},"query"]]},"engine_kind":"OSS"}},{"check_id":"python.flask.security.audit.render-template-string.render-template-string","path":"insecure-app/app.py","start":{"line":100,"col":12,"offset":3824},"end":{"line":165,"col":24,"offset":6152},"extra":{"metavars":{},"message":"Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.","metadata":{"cwe":["CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')"],"owasp":["A03:2021 - Injection"],"references":["https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html"],"category":"security","technology":["flask"],"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Code Injection"],"source":"https://semgrep.dev/r/python.flask.security.audit.render-template-string.render-template-string","shortlink":"https://sg.run/8yjE","semgrep.dev":{"rule":{"origin":"community","r_id":9540,"rule_id":"5rUOv1","rv_id":946214,"url":"https://semgrep.dev/playground/r/GxTP7pA/python.flask.security.audit.render-template-string.render-template-string","version_id":"GxTP7pA"}}},"severity":"WARNING","fingerprint":"1fef9f2ee425958911da7faac417e1f471bdc7ae487cbabd9a91be4ea84a6f83752210264ba5524b467e6c75922346531ffa23e80c7cbb432772b1e9135c7eed_0","lines":" return render_template_string(\"\"\"\n <h1>Intentionally Insecure App</h1>\n <hr>\n\n <!-- Command Injection -->\n <form action=\"/\" method=\"post\">\n <h2>Command Injection</h2>\n <input type=\"text\" name=\"command\" value=\"ls -la\">\n <input type=\"submit\" value=\"Run\">\n </form>\n <br>\n\n <!-- File Upload -->\n <form action=\"/\" method=\"post\" enctype=\"multipart/form-data\">\n <h2>Path Traversal via File Upload</h2>\n <input type=\"file\" name=\"file\">\n <input type=\"submit\" value=\"Upload\">\n </form>\n <p>Try uploading a file named: <code>../../../../etc/passwd</code></p>\n <br>\n\n <!-- SQL Injection -->\n <form action=\"/\" method=\"post\">\n <h2>SQL Injection</h2>\n <input type=\"text\" name=\"sql\" value=\"SELECT * FROM users WHERE username = 'admin' OR '1'='1'\">\n <input type=\"submit\" value=\"Run\">\n </form>\n <br>\n\n <!-- Cross-Site Scripting (XSS) -->\n <form action=\"/\" method=\"post\">\n Enter XSS payload: <input type=\"text\" name=\"xss\" value=\"<script>alert('XSS');</script>\">\n <input type=\"submit\" value=\"Run\">\n </form>\n <br>\n\n <!-- XML External Entity (XXE) Injection -->\n <form action=\"/\" method=\"post\">\n <h2>XML External Entity (XXE) Injection</h2>\n <textarea name=\"xml\" rows=\"5\" cols=\"50\">\n<?xml version=\"1.0\"?>\n<!DOCTYPE root [\n<!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n]>\n<root>&xxe;</root>\n </textarea>\n <input type=\"submit\" value=\"Parse XML\">\n </form>\n <br>\n\n <!-- Server-Side Request Forgery (SSRF) -->\n <form action=\"/\" method=\"post\">\n <h2>Server-Side Request Forgery (SSRF)</h2>\n <input type=\"text\" name=\"url\" value=\"http://localhost:8080/\">\n <input type=\"submit\" value=\"Request\">\n </form>\n <br>\n <!-- SQL Injection 2 -->\n <h2>SQL Injection 2</h2>\n <form action=\"/\" method=\"post\">\n Enter Username: <input type=\"text\" name=\"username\" value=\"' UNION SELECT username || ' : ' || password FROM users --\">\n <input type=\"submit\" value=\"Lookup\">\n </form>\n <hr>\n <pre>{{ output|safe }}</pre>\n \"\"\", output=output)","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.flask.debug.debug-flask.active-debug-code-flask","path":"insecure-app/app.py","start":{"line":168,"col":5,"offset":6185},"end":{"line":168,"col":51,"offset":6231},"extra":{"metavars":{},"message":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment.","metadata":{"likelihood":"LOW","impact":"MEDIUM","confidence":"HIGH","category":"security","subcategory":["vuln"],"cwe":["CWE-489: Active Debug Code"],"display-name":"Active Debug Code in Flask","functional-categories":["debug::search::active-debug-code"],"references":["https://flask.palletsprojects.com/en/3.0.x/debugging/"],"technology":["flask","python"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Active Debug Code"],"source":"https://semgrep.dev/r/python.flask.debug.debug-flask.active-debug-code-flask","shortlink":"https://sg.run/lBbpB","semgrep.dev":{"rule":{"origin":"pro_rules","r_id":116513,"rule_id":"zdUKBnK","rv_id":947918,"url":"https://semgrep.dev/playground/r/ZRT3q9v/python.flask.debug.debug-flask.active-debug-code-flask","version_id":"ZRT3q9v"}}},"severity":"INFO","fingerprint":"c23e60005fcb1bcebdf227cb9726b160a35d2a257d070ed02e48086267e9fc89bc16c372bb201f498a69977f671255ee8a9f79ff39693f60f42f6b326b1cbef7_0","lines":" app.run(host='0.0.0.0', port=8080, debug=True)","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host","path":"insecure-app/app.py","start":{"line":168,"col":5,"offset":6185},"end":{"line":168,"col":51,"offset":6231},"extra":{"metavars":{},"message":"Running flask app with host 0.0.0.0 could expose the server publicly.","metadata":{"cwe":["CWE-668: Exposure of Resource to Wrong Sphere"],"owasp":["A01:2021 - Broken Access Control"],"category":"security","technology":["flask"],"references":["https://owasp.org/Top10/A01_2021-Broken_Access_Control"],"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Other"],"source":"https://semgrep.dev/r/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host","shortlink":"https://sg.run/eLby","semgrep.dev":{"rule":{"origin":"community","r_id":9532,"rule_id":"L1Uy1n","rv_id":946204,"url":"https://semgrep.dev/playground/r/7ZTrQkG/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host","version_id":"7ZTrQkG"}}},"severity":"WARNING","fingerprint":"031046540eb43011ccbcd463edf2c3003737673f6218b7a22e609d94ff6b0ad99d098ec0307291bb508e6c1ec8d7e08ebdbe7f7670245df69c0a42db45854bd3_0","lines":" app.run(host='0.0.0.0', port=8080, debug=True)","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.flask.security.audit.debug-enabled.debug-enabled","path":"insecure-app/app.py","start":{"line":168,"col":5,"offset":6185},"end":{"line":168,"col":51,"offset":6231},"extra":{"metavars":{"$APP":{"start":{"line":168,"col":5,"offset":6185},"end":{"line":168,"col":8,"offset":6188},"abstract_content":"app","propagated_value":{"svalue_start":{"line":12,"col":7,"offset":316},"svalue_end":{"line":12,"col":22,"offset":331},"svalue_abstract_content":"Flask(__name__)"}}},"message":"Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting 'debug' using system environment variables.","metadata":{"cwe":["CWE-489: Active Debug Code"],"owasp":"A06:2017 - Security Misconfiguration","references":["https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/"],"category":"security","technology":["flask"],"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Active Debug Code"],"source":"https://semgrep.dev/r/python.flask.security.audit.debug-enabled.debug-enabled","shortlink":"https://sg.run/dKrd","semgrep.dev":{"rule":{"origin":"community","r_id":9534,"rule_id":"gxU1bd","rv_id":946206,"url":"https://semgrep.dev/playground/r/8KTKjwR/python.flask.security.audit.debug-enabled.debug-enabled","version_id":"8KTKjwR"}}},"severity":"WARNING","fingerprint":"688f60f63bb45fb9ddf9a179de37f66efa8644f5976e2115d44c0ee91789446d3bf7d1d4351ea22ab6e616ecb66a2ed26ca94d64746ea41e289bbf71176a4022_0","lines":" app.run(host='0.0.0.0', port=8080, debug=True)","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","path":"insecure-app/ransomware.py","start":{"line":34,"col":16,"offset":1304},"end":{"line":34,"col":36,"offset":1324},"extra":{"metavars":{"$1":{"start":{"line":34,"col":16,"offset":1304},"end":{"line":34,"col":20,"offset":1308},"abstract_content":"AKIA"}},"message":"AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.","metadata":{"cwe":["CWE-798: Use of Hard-coded Credentials"],"source-rule-url":"https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go","category":"security","technology":["secrets","aws"],"confidence":"LOW","owasp":["A07:2021 - Identification and Authentication Failures"],"references":["https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Hard-coded Secrets"],"source":"https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","shortlink":"https://sg.run/GeD1","semgrep.dev":{"rule":{"origin":"community","r_id":9048,"rule_id":"oqUevO","rv_id":945484,"url":"https://semgrep.dev/playground/r/rxT6rnL/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","version_id":"rxT6rnL"}}},"severity":"ERROR","fingerprint":"fdd4bbda379047f46243b39d05251ca1f58d4adf6e262e3e54050a8031935e79a9bed50cdf71107e644efbf18b43f6edcde2cd2905d9bfb43caf67d59f7bcc98_0","lines":" aws = \"AKIA2JAPX77RGLB664VE\"","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected","path":"insecure-app/ransomware.py","start":{"line":143,"col":9,"offset":6480},"end":{"line":143,"col":51,"offset":6522},"extra":{"metavars":{},"message":"Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead.","metadata":{"cwe":["CWE-939: Improper Authorization in Handler for Custom URL Scheme"],"owasp":"A01:2017 - Injection","source-rule-url":"https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/blacklists/calls.py#L163","bandit-code":"B310","asvs":{"control_id":"5.2.4 Dynamic Code Execution Features","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements","section":"V5: Validation, Sanitization and Encoding Verification Requirements","version":"4"},"category":"security","technology":["python"],"references":["https://cwe.mitre.org/data/definitions/939.html"],"subcategory":["audit"],"likelihood":"LOW","impact":"LOW","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected","shortlink":"https://sg.run/dKZZ","semgrep.dev":{"rule":{"origin":"community","r_id":9634,"rule_id":"8GUj22","rv_id":946340,"url":"https://semgrep.dev/playground/r/w8TKJbO/python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected","version_id":"w8TKJbO"}}},"severity":"WARNING","fingerprint":"f74fd93d56d0f782bdccefe534a08a0e542f77db7f2e2bd32b3107a3049506b89945891a6570373cd6b214f08cc50198a61a8b4e680dcaadc5cd4dec38437ec0_0","lines":" urllib.request.urlretrieve(imageUrl, path)","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"yaml.kubernetes.security.run-as-non-root.run-as-non-root","path":"insecure-chart/templates/busybox.yaml","start":{"line":17,"col":5,"offset":308},"end":{"line":17,"col":9,"offset":312},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"spec"},"$SPEC":{"start":{"line":17,"col":5,"offset":308},"end":{"line":17,"col":9,"offset":312},"abstract_content":"spec"}},"message":"When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.","fix":"spec:\n securityContext:\n runAsNonRoot: true #","metadata":{"references":["https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/","https://kubernetes.io/docs/concepts/policy/pod-security-policy/","https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user"],"category":"security","cwe":["CWE-250: Execution with Unnecessary Privileges"],"owasp":["A05:2021 - Security Misconfiguration","A06:2017 - Security Misconfiguration"],"technology":["kubernetes"],"subcategory":["audit"],"likelihood":"LOW","impact":"LOW","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root.run-as-non-root","shortlink":"https://sg.run/dgP5","semgrep.dev":{"rule":{"origin":"community","r_id":10134,"rule_id":"ZqUqeK","rv_id":947064,"url":"https://semgrep.dev/playground/r/JdTDP66/yaml.kubernetes.security.run-as-non-root.run-as-non-root","version_id":"JdTDP66"}}},"severity":"INFO","fingerprint":"3302f4679b677441ee2e4f843fe636546de78ccbdf7ffa5b66486a65526a675e1ad0c1989e87283307f8e9b2170714659820d02ad476142b371afd41824422ab_0","lines":" spec:","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext","path":"insecure-chart/templates/busybox.yaml","start":{"line":19,"col":9,"offset":340},"end":{"line":19,"col":13,"offset":344},"extra":{"metavars":{"$NAME":{"start":{"line":19,"col":9,"offset":340},"end":{"line":19,"col":13,"offset":344},"abstract_content":"name"},"$CONTAINER":{"start":{"line":19,"col":15,"offset":346},"end":{"line":19,"col":22,"offset":353},"abstract_content":"busybox"}},"message":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a `securityContext` to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.","fix":"securityContext:\n allowPrivilegeEscalation: false\n name","metadata":{"cwe":["CWE-732: Incorrect Permission Assignment for Critical Resource"],"owasp":["A05:2021 - Security Misconfiguration","A06:2017 - Security Misconfiguration"],"references":["https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation","https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt","https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag"],"category":"security","technology":["kubernetes"],"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext","shortlink":"https://sg.run/eleR","semgrep.dev":{"rule":{"origin":"community","r_id":47276,"rule_id":"WAU5J6","rv_id":947050,"url":"https://semgrep.dev/playground/r/e1T9vzn/yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext","version_id":"e1T9vzn"}}},"severity":"WARNING","fingerprint":"a48a700ff4af7c51c6c89eeda133bc962da19537ab07ae0c31a3e52fa481f4483b37ae55047243392d0f979a5e17ee48f6a31f9e980c15636bb31f6068cc41ac_0","lines":" - name: busybox","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"yaml.kubernetes.security.run-as-non-root.run-as-non-root","path":"insecure-chart/templates/insecure-app.yaml","start":{"line":16,"col":5,"offset":360},"end":{"line":16,"col":9,"offset":364},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"spec"},"$SPEC":{"start":{"line":16,"col":5,"offset":360},"end":{"line":16,"col":9,"offset":364},"abstract_content":"spec"}},"message":"When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.","fix":"spec:\n securityContext:\n runAsNonRoot: true #","metadata":{"references":["https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/","https://kubernetes.io/docs/concepts/policy/pod-security-policy/","https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user"],"category":"security","cwe":["CWE-250: Execution with Unnecessary Privileges"],"owasp":["A05:2021 - Security Misconfiguration","A06:2017 - Security Misconfiguration"],"technology":["kubernetes"],"subcategory":["audit"],"likelihood":"LOW","impact":"LOW","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root.run-as-non-root","shortlink":"https://sg.run/dgP5","semgrep.dev":{"rule":{"origin":"community","r_id":10134,"rule_id":"ZqUqeK","rv_id":947064,"url":"https://semgrep.dev/playground/r/JdTDP66/yaml.kubernetes.security.run-as-non-root.run-as-non-root","version_id":"JdTDP66"}}},"severity":"INFO","fingerprint":"aecd9bc14da55ad92c0e9f7a736c60d78bfe9d474551beb8606b92da97641b6af609317b6d0a64e78230567359a2a9889b5bd3ae0b3615997a0dd2adcf7ce4b0_0","lines":" spec:","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"yaml.kubernetes.security.privileged-container.privileged-container","path":"insecure-chart/templates/insecure-app.yaml","start":{"line":18,"col":9,"offset":392},"end":{"line":29,"col":42,"offset":873},"extra":{"metavars":{},"message":"Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.","metadata":{"cwe":["CWE-250: Execution with Unnecessary Privileges"],"references":["https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged","https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"],"category":"security","technology":["kubernetes"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/yaml.kubernetes.security.privileged-container.privileged-container","shortlink":"https://sg.run/Ygr5","semgrep.dev":{"rule":{"origin":"community","r_id":10058,"rule_id":"oqUz2p","rv_id":947059,"url":"https://semgrep.dev/playground/r/gETeWJA/yaml.kubernetes.security.privileged-container.privileged-container","version_id":"gETeWJA"}}},"severity":"WARNING","fingerprint":"8d8d14c31ce0b4adf0e8554f956c7a41ec94f13ad055f4ece2cb0b87d686c8b738020157487eef0b9e5a722092576c68524c0d9200bff9f851caba9f6fd196c4_0","lines":" - name: {{ .Values.insecureApp.appName }}\n image: \"{{ .Values.insecureApp.image.repository }}:{{ .Values.insecureApp.image.tag }}\"\n env:\n - name: AWS_ACCESS_KEY_ID\n value: AKIA2JAPX77RGLB664VE\n - name: AWS_SECRET_ACCESS_KEY\n value: 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\n securityContext:\n privileged: true\n volumeMounts: \n - name: docker-socket\n mountPath: /var/run/docker.sock","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","path":"insecure-chart/templates/insecure-app.yaml","start":{"line":22,"col":18,"offset":592},"end":{"line":22,"col":38,"offset":612},"extra":{"metavars":{"$1":{"start":{"line":22,"col":18,"offset":592},"end":{"line":22,"col":22,"offset":596},"abstract_content":"AKIA"}},"message":"AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.","metadata":{"cwe":["CWE-798: Use of Hard-coded Credentials"],"source-rule-url":"https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go","category":"security","technology":["secrets","aws"],"confidence":"LOW","owasp":["A07:2021 - Identification and Authentication Failures"],"references":["https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Hard-coded Secrets"],"source":"https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","shortlink":"https://sg.run/GeD1","semgrep.dev":{"rule":{"origin":"community","r_id":9048,"rule_id":"oqUevO","rv_id":945484,"url":"https://semgrep.dev/playground/r/rxT6rnL/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","version_id":"rxT6rnL"}}},"severity":"ERROR","fingerprint":"ba1eb8f472ad179589a1a9121d0766ca94d347074ca129508802d4537dae2c423d53533f10e88538157501b54215abf7a7d0b8b024b182219f664bbd8111d6a4_0","lines":" value: AKIA2JAPX77RGLB664VE","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation","path":"insecure-chart/templates/insecure-app.yaml","start":{"line":25,"col":9,"offset":717},"end":{"line":25,"col":24,"offset":732},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":16,"offset":15},"abstract_content":"securityContext"},"$CONTAINER":{"start":{"line":18,"col":15,"offset":398},"end":{"line":18,"col":47,"offset":430},"abstract_content":"(())"},"$SC":{"start":{"line":25,"col":9,"offset":717},"end":{"line":25,"col":24,"offset":732},"abstract_content":"securityContext"}},"message":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the `allowPrivilegeEscalation` parameter to your the `securityContext`, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.","fix":"securityContext:\n allowPrivilegeEscalation: false #","metadata":{"cwe":["CWE-732: Incorrect Permission Assignment for Critical Resource"],"owasp":["A05:2021 - Security Misconfiguration","A06:2017 - Security Misconfiguration"],"references":["https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation","https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt","https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag"],"category":"security","technology":["kubernetes"],"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation","shortlink":"https://sg.run/ljp6","semgrep.dev":{"rule":{"origin":"community","r_id":10057,"rule_id":"6JUqEO","rv_id":947052,"url":"https://semgrep.dev/playground/r/d6TPzeB/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation","version_id":"d6TPzeB"}}},"severity":"WARNING","fingerprint":"776c179c073a251128c9a229b958fb3881849cef53c32d7c8b5634da2885d6373e79e7a39068a1679423ccd0b409c0620683f9a0c95d65177fb897fb48ffd794_0","lines":" securityContext:","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath","path":"insecure-chart/templates/insecure-app.yaml","start":{"line":32,"col":9,"offset":950},"end":{"line":33,"col":37,"offset":996},"extra":{"metavars":{},"message":"Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from hostpath to prevent this.","metadata":{"cwe":["CWE-250: Execution with Unnecessary Privileges"],"references":["https://kubernetes.io/docs/concepts/storage/volumes/#hostpath","https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems","https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers"],"category":"security","technology":["kubernetes"],"subcategory":["vuln"],"likelihood":"LOW","impact":"HIGH","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath","shortlink":"https://sg.run/v0pR","semgrep.dev":{"rule":{"origin":"community","r_id":10133,"rule_id":"d8Uz6v","rv_id":947054,"url":"https://semgrep.dev/playground/r/nWTpYZe/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath","version_id":"nWTpYZe"}}},"severity":"WARNING","fingerprint":"7a6331004e7b6359a35200b986c57fc54a82ffc3d1eb71848fd4606545dfb3d195d9a1edd879c8d74c12364291a00adef95be1779caead61655b0590e63d01a9_0","lines":" hostPath:\n path: /var/run/docker.sock","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"yaml.kubernetes.security.run-as-non-root.run-as-non-root","path":"insecure-chart/templates/workload-security-evaluator.yaml","start":{"line":16,"col":5,"offset":430},"end":{"line":16,"col":9,"offset":434},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"spec"},"$SPEC":{"start":{"line":16,"col":5,"offset":430},"end":{"line":16,"col":9,"offset":434},"abstract_content":"spec"}},"message":"When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.","fix":"spec:\n securityContext:\n runAsNonRoot: true #","metadata":{"references":["https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/","https://kubernetes.io/docs/concepts/policy/pod-security-policy/","https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user"],"category":"security","cwe":["CWE-250: Execution with Unnecessary Privileges"],"owasp":["A05:2021 - Security Misconfiguration","A06:2017 - Security Misconfiguration"],"technology":["kubernetes"],"subcategory":["audit"],"likelihood":"LOW","impact":"LOW","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root.run-as-non-root","shortlink":"https://sg.run/dgP5","semgrep.dev":{"rule":{"origin":"community","r_id":10134,"rule_id":"ZqUqeK","rv_id":947064,"url":"https://semgrep.dev/playground/r/JdTDP66/yaml.kubernetes.security.run-as-non-root.run-as-non-root","version_id":"JdTDP66"}}},"severity":"INFO","fingerprint":"3a55f533ac5a5a36509690fa17d989dd74b859c9205068f60ce9ebc206764744c02e0240842db0f7d7fc4dc7b2cab157033ce576fdc1904bd58eb04f84b184ec_0","lines":" spec:","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"yaml.kubernetes.security.privileged-container.privileged-container","path":"insecure-chart/templates/workload-security-evaluator.yaml","start":{"line":18,"col":9,"offset":462},"end":{"line":29,"col":30,"offset":966},"extra":{"metavars":{},"message":"Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.","metadata":{"cwe":["CWE-250: Execution with Unnecessary Privileges"],"references":["https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged","https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"],"category":"security","technology":["kubernetes"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/yaml.kubernetes.security.privileged-container.privileged-container","shortlink":"https://sg.run/Ygr5","semgrep.dev":{"rule":{"origin":"community","r_id":10058,"rule_id":"oqUz2p","rv_id":947059,"url":"https://semgrep.dev/playground/r/gETeWJA/yaml.kubernetes.security.privileged-container.privileged-container","version_id":"gETeWJA"}}},"severity":"WARNING","fingerprint":"ffd554b207fb80ce294cc034390d4474858d4264f036ada1a1c11e8b6925b9d1d3231425104899b500b80be005ad1001395576ee17aff2683b9cf73520697663_0","lines":" - name: {{ .Values.workloadSecurityEvaluator.appName }}\n image: \"{{ .Values.workloadSecurityEvaluator.image.repository }}:{{ .Values.workloadSecurityEvaluator.image.tag }}\"\n env:\n - name: AWS_ACCESS_KEY_ID\n value: AKIA2JAPX77RGLB664VE\n - name: AWS_SECRET_ACCESS_KEY\n value: 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\n securityContext:\n privileged: true\n volumeMounts:\n - mountPath: /var/run/docker.sock\n name: docker-socket","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","path":"insecure-chart/templates/workload-security-evaluator.yaml","start":{"line":22,"col":18,"offset":704},"end":{"line":22,"col":38,"offset":724},"extra":{"metavars":{"$1":{"start":{"line":22,"col":18,"offset":704},"end":{"line":22,"col":22,"offset":708},"abstract_content":"AKIA"}},"message":"AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.","metadata":{"cwe":["CWE-798: Use of Hard-coded Credentials"],"source-rule-url":"https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go","category":"security","technology":["secrets","aws"],"confidence":"LOW","owasp":["A07:2021 - Identification and Authentication Failures"],"references":["https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Hard-coded Secrets"],"source":"https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","shortlink":"https://sg.run/GeD1","semgrep.dev":{"rule":{"origin":"community","r_id":9048,"rule_id":"oqUevO","rv_id":945484,"url":"https://semgrep.dev/playground/r/rxT6rnL/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","version_id":"rxT6rnL"}}},"severity":"ERROR","fingerprint":"d5ec8967dc8f57fcd421997dda6a0abac3a0cc762e6534246a83ffc2a37741ad06e18ee176aa6dbbc85c400080f78f59914c17b2bb32704ae8b360092860feca_0","lines":" value: AKIA2JAPX77RGLB664VE","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation","path":"insecure-chart/templates/workload-security-evaluator.yaml","start":{"line":25,"col":9,"offset":829},"end":{"line":25,"col":24,"offset":844},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":16,"offset":15},"abstract_content":"securityContext"},"$CONTAINER":{"start":{"line":18,"col":15,"offset":468},"end":{"line":18,"col":61,"offset":514},"abstract_content":"(())"},"$SC":{"start":{"line":25,"col":9,"offset":829},"end":{"line":25,"col":24,"offset":844},"abstract_content":"securityContext"}},"message":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the `allowPrivilegeEscalation` parameter to your the `securityContext`, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.","fix":"securityContext:\n allowPrivilegeEscalation: false #","metadata":{"cwe":["CWE-732: Incorrect Permission Assignment for Critical Resource"],"owasp":["A05:2021 - Security Misconfiguration","A06:2017 - Security Misconfiguration"],"references":["https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation","https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt","https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag"],"category":"security","technology":["kubernetes"],"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation","shortlink":"https://sg.run/ljp6","semgrep.dev":{"rule":{"origin":"community","r_id":10057,"rule_id":"6JUqEO","rv_id":947052,"url":"https://semgrep.dev/playground/r/d6TPzeB/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation","version_id":"d6TPzeB"}}},"severity":"WARNING","fingerprint":"7021c010b8d0b11136f68b6c85d57b318861ada3d7a906b6942146314eb665dcc6e36826b1deb04c3c890bc829879387ca5ebfcd9d6960554f48900e55355b8f_0","lines":" securityContext:","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath","path":"insecure-chart/templates/workload-security-evaluator.yaml","start":{"line":31,"col":9,"offset":990},"end":{"line":32,"col":37,"offset":1036},"extra":{"metavars":{},"message":"Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from hostpath to prevent this.","metadata":{"cwe":["CWE-250: Execution with Unnecessary Privileges"],"references":["https://kubernetes.io/docs/concepts/storage/volumes/#hostpath","https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems","https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers"],"category":"security","technology":["kubernetes"],"subcategory":["vuln"],"likelihood":"LOW","impact":"HIGH","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath","shortlink":"https://sg.run/v0pR","semgrep.dev":{"rule":{"origin":"community","r_id":10133,"rule_id":"d8Uz6v","rv_id":947054,"url":"https://semgrep.dev/playground/r/nWTpYZe/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath","version_id":"nWTpYZe"}}},"severity":"WARNING","fingerprint":"b0fa2105cf388aaf61f7d9b9f73a03a2342c2992b3a938f4e64785c6ec896ee80151e782d77db28ca4efc171718fee4f95c80bb416c5f8c965787ea2faff9d45_0","lines":" - hostPath:\n path: /var/run/docker.sock","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"dockerfile.security.missing-user-entrypoint.missing-user-entrypoint","path":"insecure-java/Dockerfile","start":{"line":7,"col":1,"offset":130},"end":{"line":7,"col":38,"offset":167},"extra":{"metavars":{"$...VARS":{"start":{"line":7,"col":12,"offset":141},"end":{"line":7,"col":38,"offset":167},"abstract_content":"[\"java\"\"-jar\"\"/app.jar\"]"}},"message":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.","fix":"USER non-root\nENTRYPOINT [\"java\",\"-jar\",\"/app.jar\"]","metadata":{"cwe":["CWE-269: Improper Privilege Management"],"category":"security","technology":["dockerfile"],"confidence":"MEDIUM","owasp":["A04:2021 - Insecure Design"],"references":["https://owasp.org/Top10/A04_2021-Insecure_Design"],"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint","shortlink":"https://sg.run/k281","semgrep.dev":{"rule":{"origin":"community","r_id":47272,"rule_id":"ReUW9E","rv_id":945268,"url":"https://semgrep.dev/playground/r/K3TJbJg/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint","version_id":"K3TJbJg"}}},"severity":"ERROR","fingerprint":"8a9ae537c70377699ac7b95add8f39d7bc1192dbb0a0a2e524f7a4e126adfa3e0bcc6c074eeb891021d031d42e016675c69dd491f4bc4116bef9ab0dba840233_0","lines":"ENTRYPOINT [\"java\",\"-jar\",\"/app.jar\"]","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"java.spring.security.injection.tainted-sql-string.tainted-sql-string","path":"insecure-java/src/main/java/com/example/catapp/controllers/CatPictureController.java","start":{"line":25,"col":24,"offset":763},"end":{"line":25,"col":80,"offset":819},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":7,"offset":6},"abstract_content":"SELECT"},"$METHODNAME":{"start":{"line":23,"col":19,"offset":652},"end":{"line":23,"col":25,"offset":658},"abstract_content":"search"},"$REQ":{"start":{"line":23,"col":27,"offset":660},"end":{"line":23,"col":39,"offset":672},"abstract_content":"RequestParam"},"$TYPE":{"start":{"line":23,"col":40,"offset":673},"end":{"line":23,"col":46,"offset":679},"abstract_content":"String"},"$SOURCE":{"start":{"line":23,"col":47,"offset":680},"end":{"line":23,"col":51,"offset":684},"abstract_content":"name"},"$SQLSTR":{"start":{"line":25,"col":25,"offset":764},"end":{"line":25,"col":66,"offset":805},"abstract_content":"SELECT * FROM cat_pictures WHERE name = '"}},"message":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.","metadata":{"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html"],"category":"security","technology":["spring"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","interfile":true,"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string","shortlink":"https://sg.run/9rzz","semgrep.dev":{"rule":{"origin":"community","r_id":14767,"rule_id":"10UdRR","rv_id":945745,"url":"https://semgrep.dev/playground/r/8KTKj0G/java.spring.security.injection.tainted-sql-string.tainted-sql-string","version_id":"8KTKj0G"}}},"severity":"ERROR","fingerprint":"972b22c89a9412da436c82ad486252920fb59fae559c701cb90b25028e1799517d5c6797f5fd5a85ab13c3f05366cc2a858bdb566d53fc311eb720b717fae81f_0","lines":" String query = \"SELECT * FROM cat_pictures WHERE name = '\" + name + \"'\";","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-java/src/main/java/com/example/catapp/controllers/CatPictureController.java","start":{"line":23,"col":47,"offset":680},"end":{"line":23,"col":51,"offset":684}},"name"]],"intermediate_vars":[{"location":{"path":"insecure-java/src/main/java/com/example/catapp/controllers/CatPictureController.java","start":{"line":23,"col":47,"offset":680},"end":{"line":23,"col":51,"offset":684}},"content":"name"}],"taint_sink":["CliLoc",[{"path":"insecure-java/src/main/java/com/example/catapp/controllers/CatPictureController.java","start":{"line":25,"col":24,"offset":763},"end":{"line":25,"col":80,"offset":819}},"\"SELECT * FROM cat_pictures WHERE name = '\" + name + \"'\""]]},"engine_kind":"OSS"}},{"check_id":"java.lang.security.audit.object-deserialization.object-deserialization","path":"insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java","start":{"line":16,"col":13,"offset":594},"end":{"line":16,"col":91,"offset":672},"extra":{"metavars":{},"message":"Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.","metadata":{"cwe":["CWE-502: Deserialization of Untrusted Data"],"owasp":["A08:2017 - Insecure Deserialization","A08:2021 - Software and Data Integrity Failures"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#OBJECT_DESERIALIZATION","references":["https://www.owasp.org/index.php/Deserialization_of_untrusted_data","https://www.oracle.com/java/technologies/javase/seccodeguide.html#8"],"category":"security","technology":["java"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Insecure Deserialization "],"source":"https://semgrep.dev/r/java.lang.security.audit.object-deserialization.object-deserialization","shortlink":"https://sg.run/Ek0A","semgrep.dev":{"rule":{"origin":"community","r_id":9181,"rule_id":"GdU7py","rv_id":945687,"url":"https://semgrep.dev/playground/r/bZTXw4q/java.lang.security.audit.object-deserialization.object-deserialization","version_id":"bZTXw4q"}}},"severity":"WARNING","fingerprint":"774378c1d79256d5bab570074c4a6bf6703250887fca212f1a813ada0f8d5de5e786961d4f0b746e5f6292cc9b46c41ca4308c9367ddf6932267ba763012620e_0","lines":" ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","path":"insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java","start":{"line":16,"col":59,"offset":640},"end":{"line":16,"col":89,"offset":670},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":12,"offset":11},"abstract_content":"RequestBody"},"$RET":{"start":{"line":14,"col":12,"offset":495},"end":{"line":14,"col":34,"offset":517},"abstract_content":"ResponseEntity<String>"},"$METHOD":{"start":{"line":14,"col":35,"offset":518},"end":{"line":14,"col":56,"offset":539},"abstract_content":"unsafeDeserialization"},"$REQ":{"start":{"line":14,"col":58,"offset":541},"end":{"line":14,"col":69,"offset":552},"abstract_content":"RequestBody"},"$TYPE":{"start":{"line":14,"col":70,"offset":553},"end":{"line":14,"col":76,"offset":559},"abstract_content":"byte[]"},"$SOURCE":{"start":{"line":14,"col":77,"offset":560},"end":{"line":14,"col":81,"offset":564},"abstract_content":"data"},"$IN":{"start":{"line":16,"col":59,"offset":640},"end":{"line":16,"col":89,"offset":670},"abstract_content":"new ByteArrayInputStream(data)"}},"message":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method.","metadata":{"likelihood":"MEDIUM","impact":"HIGH","confidence":"HIGH","category":"security","subcategory":["vuln"],"cwe":["CWE-502: Deserialization of Untrusted Data"],"cwe2020-top25":true,"cwe2021-top25":true,"cwe2022-top25":true,"display-name":"Unsafe Deserialization with Spring","functional-categories":["deserialization::sink::load-object::apache.commons","deserialization::sink::load-object::java.io","web::source::cookie::Spring","web::source::header::Spring","web::source::http-body::Spring","web::source::http-params::Spring","web::source::url-path-params::Spring"],"owasp":["A08:2017 - Insecure Deserialization","A08:2021 - Software and Data Integrity Failures"],"references":["https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures"],"supersedes":["java.servlets.security.objectinputstream-deserialization-servlets.objectinputstream-deserialization-servlets"],"technology":["Spring","java"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Insecure Deserialization "],"source":"https://semgrep.dev/r/java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","shortlink":"https://sg.run/n1rY","semgrep.dev":{"rule":{"origin":"pro_rules","r_id":46836,"rule_id":"x8UbG3","rv_id":973726,"url":"https://semgrep.dev/playground/r/44TZ832/java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","version_id":"44TZ832"}}},"severity":"ERROR","fingerprint":"cf7d59dc3cc6ec8769d1ad54d6b20023fdc6a24ee7ca6c8f25038ac25f17038a6b41f6fdc82c002123e671f0a1de733e48b7071ad905fe83c69c36be56df73b4_0","lines":" ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java","start":{"line":14,"col":77,"offset":560},"end":{"line":14,"col":81,"offset":564}},"data"]],"intermediate_vars":[{"location":{"path":"insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java","start":{"line":14,"col":77,"offset":560},"end":{"line":14,"col":81,"offset":564}},"content":"data"}],"taint_sink":["CliLoc",[{"path":"insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java","start":{"line":16,"col":59,"offset":640},"end":{"line":16,"col":89,"offset":670}},"new ByteArrayInputStream(data)"]]},"engine_kind":"OSS"}},{"check_id":"java.lang.security.audit.active-debug-code-printstacktrace.active-debug-code-printstacktrace","path":"insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java","start":{"line":20,"col":13,"offset":870},"end":{"line":20,"col":32,"offset":889},"extra":{"metavars":{"$EXCEPTION":{"start":{"line":20,"col":13,"offset":870},"end":{"line":20,"col":14,"offset":871},"abstract_content":"e"}},"message":"Possible active debug code detected. Deploying an application with debug code can create unintended entry points or expose sensitive information.","metadata":{"likelihood":"LOW","impact":"LOW","confidence":"MEDIUM","category":"security","subcategory":["audit"],"cwe":["CWE-489: Active Debug Code"],"functional-categories":["debug::search::active-debug-code::java.lang"],"owasp":["A10:2004 - Insecure Configuration Management","A06:2017 - Security Misconfiguration","A05:2021 - Security Misconfiguration"],"references":["https://cwe.mitre.org/data/definitions/489.html","https://www.acunetix.com/vulnerabilities/web/stack-trace-disclosure-java/","https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces","https://www.securecodewarrior.com/blog/coders-conquer-security-share-learn-series-information-exposure"],"technology":["java"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Active Debug Code"],"source":"https://semgrep.dev/r/java.lang.security.audit.active-debug-code-printstacktrace.active-debug-code-printstacktrace","shortlink":"https://sg.run/4K8z","semgrep.dev":{"rule":{"origin":"pro_rules","r_id":27144,"rule_id":"v8U0rZ","rv_id":947426,"url":"https://semgrep.dev/playground/r/GxTP0lB/java.lang.security.audit.active-debug-code-printstacktrace.active-debug-code-printstacktrace","version_id":"GxTP0lB"}}},"severity":"WARNING","fingerprint":"2f2eab275674c6639e50192e695448a7c772946f53353aaee757181220ac95afd0f966ae7a8030ed35c10335559cfd3dc575ef1b0469ca831144c249ce451bd9_0","lines":" e.printStackTrace();","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.django.security.django-no-csrf-token.django-no-csrf-token","path":"insecure-java/src/main/resources/templates/addComment.html","start":{"line":10,"col":5,"offset":425},"end":{"line":14,"col":12,"offset":705},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"post"},"$METHOD":{"start":{"line":10,"col":57,"offset":477},"end":{"line":10,"col":61,"offset":481},"abstract_content":"post"}},"message":"Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.","metadata":{"category":"security","cwe":"CWE-352: Cross-Site Request Forgery (CSRF)","references":["https://docs.djangoproject.com/en/4.2/howto/csrf/"],"confidence":"MEDIUM","likelihood":"MEDIUM","impact":"MEDIUM","subcategory":["audit"],"technology":["django"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site Request Forgery (CSRF)"],"source":"https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token","shortlink":"https://sg.run/N0Bp","semgrep.dev":{"rule":{"origin":"community","r_id":73471,"rule_id":"PeUyYG","rv_id":946160,"url":"https://semgrep.dev/playground/r/BjT1NRl/python.django.security.django-no-csrf-token.django-no-csrf-token","version_id":"BjT1NRl"}}},"severity":"WARNING","fingerprint":"5195968eb1be4ef8a2cfa22014b4dca0bacb3cf656e20ede1b9f6636541b678ca576e1417883fcaadd8acac0ab3296c32e9068ecb662d0b91e386e823c8d43df_0","lines":" <form action=\"#\" th:action=\"@{/addComment}\" method=\"post\">\n <label>Comment:</label><br/>\n <textarea name=\"commentText\" rows=\"4\" cols=\"50\"><script>alert('XSS Attack');</script></textarea><br/>\n <button type=\"submit\">Add Comment</button>\n </form>","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.django.security.django-no-csrf-token.django-no-csrf-token","path":"insecure-java/src/main/resources/templates/comments.html","start":{"line":13,"col":13,"offset":452},"end":{"line":16,"col":20,"offset":693},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"post"},"$METHOD":{"start":{"line":13,"col":68,"offset":507},"end":{"line":13,"col":72,"offset":511},"abstract_content":"post"}},"message":"Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.","metadata":{"category":"security","cwe":"CWE-352: Cross-Site Request Forgery (CSRF)","references":["https://docs.djangoproject.com/en/4.2/howto/csrf/"],"confidence":"MEDIUM","likelihood":"MEDIUM","impact":"MEDIUM","subcategory":["audit"],"technology":["django"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site Request Forgery (CSRF)"],"source":"https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token","shortlink":"https://sg.run/N0Bp","semgrep.dev":{"rule":{"origin":"community","r_id":73471,"rule_id":"PeUyYG","rv_id":946160,"url":"https://semgrep.dev/playground/r/BjT1NRl/python.django.security.django-no-csrf-token.django-no-csrf-token","version_id":"BjT1NRl"}}},"severity":"WARNING","fingerprint":"83efea89720688f163f6bb09d1273d2c4207b38c65d2664660a5f8fa1ebbf337f1ffd9dbcb0351abbd51e711b53269ab547017075f90c945a0ea8c648efe78cf_0","lines":" <form action=\"#\" th:action=\"@{/deleteComment}\" method=\"post\" style=\"display:inline;\">\n <input type=\"hidden\" name=\"commentId\" th:value=\"${comment.id}\" />\n <button type=\"submit\">Delete</button>\n </form>","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.django.security.django-no-csrf-token.django-no-csrf-token","path":"insecure-java/src/main/resources/templates/csrf_attack.html","start":{"line":9,"col":5,"offset":231},"end":{"line":11,"col":12,"offset":381},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"post"},"$METHOD":{"start":{"line":9,"col":64,"offset":290},"end":{"line":9,"col":68,"offset":294},"abstract_content":"post"}},"message":"Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.","metadata":{"category":"security","cwe":"CWE-352: Cross-Site Request Forgery (CSRF)","references":["https://docs.djangoproject.com/en/4.2/howto/csrf/"],"confidence":"MEDIUM","likelihood":"MEDIUM","impact":"MEDIUM","subcategory":["audit"],"technology":["django"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site Request Forgery (CSRF)"],"source":"https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token","shortlink":"https://sg.run/N0Bp","semgrep.dev":{"rule":{"origin":"community","r_id":73471,"rule_id":"PeUyYG","rv_id":946160,"url":"https://semgrep.dev/playground/r/BjT1NRl/python.django.security.django-no-csrf-token.django-no-csrf-token","version_id":"BjT1NRl"}}},"severity":"WARNING","fingerprint":"a0bb982292e4d85d46ab7d43847c828d7cd9f14c12c773fbbe8ef38baec3a0a1e928441af3b460a47479a4e9b02cf13d7a298d0bc43ff6e93fcd5e5bd6f466e5_0","lines":" <form action=\"http://localhost:8080/deleteComment\" method=\"post\" id=\"csrfForm\">\n <input type=\"hidden\" name=\"commentId\" value=\"1\" />\n </form>","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.django.security.django-no-csrf-token.django-no-csrf-token","path":"insecure-java/src/main/resources/templates/delete.html","start":{"line":10,"col":5,"offset":366},"end":{"line":13,"col":12,"offset":562},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"post"},"$METHOD":{"start":{"line":10,"col":53,"offset":414},"end":{"line":10,"col":57,"offset":418},"abstract_content":"post"}},"message":"Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.","metadata":{"category":"security","cwe":"CWE-352: Cross-Site Request Forgery (CSRF)","references":["https://docs.djangoproject.com/en/4.2/howto/csrf/"],"confidence":"MEDIUM","likelihood":"MEDIUM","impact":"MEDIUM","subcategory":["audit"],"technology":["django"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site Request Forgery (CSRF)"],"source":"https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token","shortlink":"https://sg.run/N0Bp","semgrep.dev":{"rule":{"origin":"community","r_id":73471,"rule_id":"PeUyYG","rv_id":946160,"url":"https://semgrep.dev/playground/r/BjT1NRl/python.django.security.django-no-csrf-token.django-no-csrf-token","version_id":"BjT1NRl"}}},"severity":"WARNING","fingerprint":"67d4cf1e50c6d8501e12adbe719f860782fb3b95872d174bd05fc16b23a18b575bea13c5bfa1d015c18ca55d2227d050dc25c734e4a26c4ebaa21c6242e07c20_0","lines":" <form action=\"#\" th:action=\"@{/delete}\" method=\"post\">\n <label>Picture ID: <input type=\"number\" name=\"id\" value=\"1\" /></label><br/>\n <button type=\"submit\">Delete</button>\n </form>","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.django.security.django-no-csrf-token.django-no-csrf-token","path":"insecure-java/src/main/resources/templates/editProfile.html","start":{"line":10,"col":5,"offset":374},"end":{"line":15,"col":12,"offset":751},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"post"},"$METHOD":{"start":{"line":10,"col":58,"offset":427},"end":{"line":10,"col":62,"offset":431},"abstract_content":"post"}},"message":"Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.","metadata":{"category":"security","cwe":"CWE-352: Cross-Site Request Forgery (CSRF)","references":["https://docs.djangoproject.com/en/4.2/howto/csrf/"],"confidence":"MEDIUM","likelihood":"MEDIUM","impact":"MEDIUM","subcategory":["audit"],"technology":["django"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site Request Forgery (CSRF)"],"source":"https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token","shortlink":"https://sg.run/N0Bp","semgrep.dev":{"rule":{"origin":"community","r_id":73471,"rule_id":"PeUyYG","rv_id":946160,"url":"https://semgrep.dev/playground/r/BjT1NRl/python.django.security.django-no-csrf-token.django-no-csrf-token","version_id":"BjT1NRl"}}},"severity":"WARNING","fingerprint":"50a333ae413c799b7d987efae64cf4bb1fd7dc290892f4dee02d5a3f60d4dcd449315a3e482a24eeca40411070879da85104760ab26a458c5c86ef7258207a34_0","lines":" <form action=\"#\" th:action=\"@{/editProfile}\" method=\"post\">\n <input type=\"hidden\" name=\"userId\" th:value=\"${user.id}\" />\n <label>Username: <input type=\"text\" name=\"username\" th:value=\"${user.username}\" /></label><br/>\n <label>Password: <input type=\"password\" name=\"password\" /></label><br/>\n <button type=\"submit\">Update Profile</button>\n </form>","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.django.security.django-no-csrf-token.django-no-csrf-token","path":"insecure-java/src/main/resources/templates/login.html","start":{"line":10,"col":5,"offset":362},"end":{"line":14,"col":12,"offset":662},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"post"},"$METHOD":{"start":{"line":10,"col":52,"offset":409},"end":{"line":10,"col":56,"offset":413},"abstract_content":"post"}},"message":"Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.","metadata":{"category":"security","cwe":"CWE-352: Cross-Site Request Forgery (CSRF)","references":["https://docs.djangoproject.com/en/4.2/howto/csrf/"],"confidence":"MEDIUM","likelihood":"MEDIUM","impact":"MEDIUM","subcategory":["audit"],"technology":["django"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site Request Forgery (CSRF)"],"source":"https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token","shortlink":"https://sg.run/N0Bp","semgrep.dev":{"rule":{"origin":"community","r_id":73471,"rule_id":"PeUyYG","rv_id":946160,"url":"https://semgrep.dev/playground/r/BjT1NRl/python.django.security.django-no-csrf-token.django-no-csrf-token","version_id":"BjT1NRl"}}},"severity":"WARNING","fingerprint":"593d8048e3230f2f0fc122a66bf700f2fc4082170f52d319ec60abf29e3c47dcbe4341103ad3aace692bc30ca3a768fa687c5b5fb022c6b7b875bdf6aab94ccd_0","lines":" <form action=\"#\" th:action=\"@{/login}\" method=\"post\">\n <label>Username: <input type=\"text\" name=\"username\" value=\"user1\" /></label><br/>\n <label>Password: <input type=\"password\" name=\"password\" value=\"password123\" /></label><br/>\n <button type=\"submit\">Login</button>\n </form>","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.django.security.django-no-csrf-token.django-no-csrf-token","path":"insecure-java/src/main/resources/templates/register.html","start":{"line":10,"col":5,"offset":383},"end":{"line":14,"col":12,"offset":689},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"post"},"$METHOD":{"start":{"line":10,"col":55,"offset":433},"end":{"line":10,"col":59,"offset":437},"abstract_content":"post"}},"message":"Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.","metadata":{"category":"security","cwe":"CWE-352: Cross-Site Request Forgery (CSRF)","references":["https://docs.djangoproject.com/en/4.2/howto/csrf/"],"confidence":"MEDIUM","likelihood":"MEDIUM","impact":"MEDIUM","subcategory":["audit"],"technology":["django"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site Request Forgery (CSRF)"],"source":"https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token","shortlink":"https://sg.run/N0Bp","semgrep.dev":{"rule":{"origin":"community","r_id":73471,"rule_id":"PeUyYG","rv_id":946160,"url":"https://semgrep.dev/playground/r/BjT1NRl/python.django.security.django-no-csrf-token.django-no-csrf-token","version_id":"BjT1NRl"}}},"severity":"WARNING","fingerprint":"966463a3a41588664e521d7b9641485c1573953f142a6a46199e114a0dddb3815617a2b6c2ed33569aa81d0ae57e1af6704692f376df4d5f396d9fe9ebdc041e_0","lines":" <form action=\"#\" th:action=\"@{/register}\" method=\"post\">\n <label>Username: <input type=\"text\" name=\"username\" value=\"user1\" /></label><br/>\n <label>Password: <input type=\"password\" name=\"password\" value=\"password123\" /></label><br/>\n <button type=\"submit\">Register</button>\n </form>","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.django.security.django-no-csrf-token.django-no-csrf-token","path":"insecure-java/src/main/resources/templates/search.html","start":{"line":10,"col":5,"offset":392},"end":{"line":13,"col":12,"offset":592},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"post"},"$METHOD":{"start":{"line":10,"col":53,"offset":440},"end":{"line":10,"col":57,"offset":444},"abstract_content":"post"}},"message":"Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.","metadata":{"category":"security","cwe":"CWE-352: Cross-Site Request Forgery (CSRF)","references":["https://docs.djangoproject.com/en/4.2/howto/csrf/"],"confidence":"MEDIUM","likelihood":"MEDIUM","impact":"MEDIUM","subcategory":["audit"],"technology":["django"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site Request Forgery (CSRF)"],"source":"https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token","shortlink":"https://sg.run/N0Bp","semgrep.dev":{"rule":{"origin":"community","r_id":73471,"rule_id":"PeUyYG","rv_id":946160,"url":"https://semgrep.dev/playground/r/BjT1NRl/python.django.security.django-no-csrf-token.django-no-csrf-token","version_id":"BjT1NRl"}}},"severity":"WARNING","fingerprint":"b27e6297157b64351971325aa01d93bcbe09743a223a78cc98fad9eea9c1bdd310d078908dc9e0133d6ede7a975b687dcb74872bd980aeb587f2d07896a27f3d_0","lines":" <form action=\"#\" th:action=\"@{/search}\" method=\"post\">\n <label>Name: <input type=\"text\" name=\"name\" value=\"' OR '1'='1\" /></label><br/>\n <button type=\"submit\">Search</button>\n </form>","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"dockerfile.security.missing-user.missing-user","path":"insecure-js/Dockerfile","start":{"line":18,"col":1,"offset":374},"end":{"line":18,"col":61,"offset":434},"extra":{"metavars":{"$...VARS":{"start":{"line":18,"col":5,"offset":378},"end":{"line":18,"col":61,"offset":434},"abstract_content":"[\"/bin/bash\"\"-c\"\"node init_db.js && node server.js\"]"}},"message":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.","fix":"USER non-root\nCMD [\"/bin/bash\", \"-c\", \"node init_db.js && node server.js\"]","metadata":{"cwe":["CWE-269: Improper Privilege Management"],"category":"security","technology":["dockerfile"],"confidence":"MEDIUM","owasp":["A04:2021 - Insecure Design"],"references":["https://owasp.org/Top10/A04_2021-Insecure_Design"],"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/dockerfile.security.missing-user.missing-user","shortlink":"https://sg.run/Gbvn","semgrep.dev":{"rule":{"origin":"community","r_id":20148,"rule_id":"AbUN06","rv_id":945269,"url":"https://semgrep.dev/playground/r/qkT4j4L/dockerfile.security.missing-user.missing-user","version_id":"qkT4j4L"}}},"severity":"ERROR","fingerprint":"17bfeb542b41e1a3b365f57addec89078df51ed337059333e17baea012db6a0ba27a2c6e96c39339de27f37a1f0d11dc59afe66507952280577e0c251121aea9_0","lines":"CMD [\"/bin/bash\", \"-c\", \"node init_db.js && node server.js\"]","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","path":"insecure-js/server.js","start":{"line":14,"col":43,"offset":470},"end":{"line":19,"col":2,"offset":558},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":6,"offset":5},"abstract_content":"mysql"},"$IMPORT":{"start":{"line":9,"col":24,"offset":335},"end":{"line":9,"col":30,"offset":341},"abstract_content":"mysql2"},"$MYSQL":{"start":{"line":14,"col":20,"offset":447},"end":{"line":14,"col":25,"offset":452},"abstract_content":"mysql"},"$FOO":{"start":{"line":14,"col":43,"offset":470},"end":{"line":19,"col":2,"offset":558},"abstract_content":"{host'localhost'user'root'password'topsecret'database'database'}"}},"message":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).","metadata":{"likelihood":"HIGH","impact":"MEDIUM","confidence":"HIGH","interfile":true,"category":"security","subcategory":["vuln"],"cwe":["CWE-798: Use of Hard-coded Credentials"],"cwe2021-top25":true,"cwe2022-top25":true,"owasp":["A07:2021 - Identification and Authentication Failures"],"references":["https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"],"technology":["mysql","sql","mysql2","nodejs","secrets"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Hard-coded Secrets"],"source":"https://semgrep.dev/r/javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","shortlink":"https://sg.run/GJ36","semgrep.dev":{"rule":{"origin":"pro_rules","r_id":28092,"rule_id":"6JU2k0","rv_id":947639,"url":"https://semgrep.dev/playground/r/6xTxqAx/javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","version_id":"6xTxqAx"}}},"severity":"WARNING","fingerprint":"baf7218efa62e1dd69d2ce4895d7e8bfd17647550fb906065e0ca20d0c7bd716586bc35a7c75723f2638c68a856e7f72ef54ff56ad6cc4256bb604d76a2680fb_0","lines":"const connection = mysql.createConnection({\n host: 'localhost',\n user: 'root',\n password: 'topsecret',\n database: 'database'\n});","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-js/server.js","start":{"line":14,"col":43,"offset":470},"end":{"line":19,"col":2,"offset":558}},"{\n host: 'localhost',\n user: 'root',\n password: 'topsecret',\n database: 'database'\n}"]],"intermediate_vars":[],"taint_sink":["CliLoc",[{"path":"insecure-js/server.js","start":{"line":14,"col":43,"offset":470},"end":{"line":19,"col":2,"offset":558}},"{\n host: 'localhost',\n user: 'root',\n password: 'topsecret',\n database: 'database'\n}"]]},"engine_kind":"OSS"}},{"check_id":"problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","path":"insecure-js/server.js","start":{"line":32,"col":16,"offset":812},"end":{"line":32,"col":20,"offset":816},"extra":{"metavars":{"$HTTP":{"start":{"line":32,"col":16,"offset":812},"end":{"line":32,"col":20,"offset":816},"abstract_content":"http","propagated_value":{"svalue_start":{"line":1,"col":14,"offset":13},"svalue_end":{"line":1,"col":29,"offset":28},"svalue_abstract_content":"require('http')"}},"$FUNC":{"start":{"line":32,"col":21,"offset":817},"end":{"line":32,"col":33,"offset":829},"abstract_content":"createServer"}},"message":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.","metadata":{"likelihood":"LOW","impact":"MEDIUM","confidence":"LOW","category":"security","cwe":"CWE-319: Cleartext Transmission of Sensitive Information","owasp":["A02:2021 - Cryptographic Failures","A03:2017 - Sensitive Data Exposure"],"references":["https://nodejs.org/api/http.html#http_class_http_agent","https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY"],"subcategory":["audit"],"technology":["node.js"],"vulnerability":"Insecure Transport","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Mishandled Sensitive Information"],"source":"https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","shortlink":"https://sg.run/x1zL","semgrep.dev":{"rule":{"origin":"community","r_id":9430,"rule_id":"7KUQAE","rv_id":946074,"url":"https://semgrep.dev/playground/r/WrTEo9B/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","version_id":"WrTEo9B"}}},"severity":"WARNING","fingerprint":"25f273fc22088aa83a6bcdb5e495f0d9abcc81ab7bb2c8840d8caef623755dee7582a03375f2b95a717319b7e6fe70f6767b0cd32f7a35aa4b8a869a33404094_0","lines":"const server = http.createServer((req, res) => {","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","path":"insecure-js/server.js","start":{"line":79,"col":30,"offset":2673},"end":{"line":79,"col":35,"offset":2678},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":6,"offset":5},"abstract_content":"mysql"},"$IMPORT":{"start":{"line":9,"col":24,"offset":335},"end":{"line":9,"col":30,"offset":341},"abstract_content":"mysql2"},"$Y":{"start":{"line":46,"col":15,"offset":1315},"end":{"line":46,"col":20,"offset":1320},"abstract_content":"chunk"},"$POOL":{"start":{"line":79,"col":13,"offset":2656},"end":{"line":79,"col":23,"offset":2666},"abstract_content":"connection","propagated_value":{"svalue_start":{"line":14,"col":20,"offset":447},"svalue_end":{"line":19,"col":3,"offset":559},"svalue_abstract_content":"mysql.createConnection({host'localhost'user'root'password'topsecret'database'database'})"}},"$QUERY":{"start":{"line":79,"col":30,"offset":2673},"end":{"line":79,"col":35,"offset":2678},"abstract_content":"query","propagated_value":{"svalue_start":{"line":76,"col":27,"offset":2484},"svalue_end":{"line":76,"col":100,"offset":2557},"svalue_abstract_content":"`SELECT product FROM Orders WHERE orderNumber = postData.orderNumber3;"}}},"message":"Detected a `mysql2` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.","metadata":{"references":["https://www.npmjs.com/package/mysql2","https://www.npmjs.com/package/mysql","https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"],"category":"security","owasp":["A01:2017 - Injection","A03:2021 - Injection"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"confidence":"LOW","technology":["mysql","mysql2","javascript","nodejs"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","shortlink":"https://sg.run/Y0oy","semgrep.dev":{"rule":{"origin":"community","r_id":18258,"rule_id":"ZqUlWE","rv_id":945881,"url":"https://semgrep.dev/playground/r/pZTNOvL/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","version_id":"pZTNOvL"}}},"severity":"WARNING","fingerprint":"2d01e39dae8915db035e9c4d1828fa6a0e06887ddbe6074b9a234715227211951dcef04cf170f822d76fc259ccb09fa47a4a4ce646d60b44e40db931cd58951e_0","lines":" connection.query(query, (err, rows) => {","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-js/server.js","start":{"line":46,"col":15,"offset":1315},"end":{"line":46,"col":20,"offset":1320}},"chunk"]],"intermediate_vars":[{"location":{"path":"insecure-js/server.js","start":{"line":46,"col":7,"offset":1307},"end":{"line":46,"col":11,"offset":1311}},"content":"body"},{"location":{"path":"insecure-js/server.js","start":{"line":50,"col":13,"offset":1386},"end":{"line":50,"col":21,"offset":1394}},"content":"postData"},{"location":{"path":"insecure-js/server.js","start":{"line":76,"col":19,"offset":2476},"end":{"line":76,"col":24,"offset":2481}},"content":"query"}],"taint_sink":["CliLoc",[{"path":"insecure-js/server.js","start":{"line":79,"col":30,"offset":2673},"end":{"line":79,"col":35,"offset":2678}},"query"]]},"engine_kind":"OSS"}},{"check_id":"javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","path":"insecure-js/server.js","start":{"line":113,"col":54,"offset":4152},"end":{"line":113,"col":59,"offset":4157},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":6,"offset":5},"abstract_content":"mysql"},"$IMPORT":{"start":{"line":9,"col":24,"offset":335},"end":{"line":9,"col":30,"offset":341},"abstract_content":"mysql2"},"$Y":{"start":{"line":46,"col":15,"offset":1315},"end":{"line":46,"col":20,"offset":1320},"abstract_content":"chunk"},"$POOL":{"start":{"line":113,"col":38,"offset":4136},"end":{"line":113,"col":47,"offset":4145},"abstract_content":"sequelize"},"$QUERY":{"start":{"line":113,"col":54,"offset":4152},"end":{"line":113,"col":59,"offset":4157},"abstract_content":"query","propagated_value":{"svalue_start":{"line":112,"col":31,"offset":4024},"svalue_end":{"line":112,"col":103,"offset":4096},"svalue_abstract_content":"`SELECT product FROM Orders WHERE orderNumber = postData.orderNumber;"}}},"message":"Detected a `mysql2` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.","metadata":{"references":["https://www.npmjs.com/package/mysql2","https://www.npmjs.com/package/mysql","https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"],"category":"security","owasp":["A01:2017 - Injection","A03:2021 - Injection"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"confidence":"LOW","technology":["mysql","mysql2","javascript","nodejs"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","shortlink":"https://sg.run/Y0oy","semgrep.dev":{"rule":{"origin":"community","r_id":18258,"rule_id":"ZqUlWE","rv_id":945881,"url":"https://semgrep.dev/playground/r/pZTNOvL/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","version_id":"pZTNOvL"}}},"severity":"WARNING","fingerprint":"192d429b8a30292ccf16cfe9d2d1db978ed74d1715877c34ef02cf1a9e6515afa439afe693dbcdec53f2da530a69e10d400e79461386613f1dc0f24c3a92516a_0","lines":" const result = await sequelize.query(query, { type: sequelize.QueryTypes.SELECT });","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-js/server.js","start":{"line":46,"col":15,"offset":1315},"end":{"line":46,"col":20,"offset":1320}},"chunk"]],"intermediate_vars":[{"location":{"path":"insecure-js/server.js","start":{"line":46,"col":7,"offset":1307},"end":{"line":46,"col":11,"offset":1311}},"content":"body"},{"location":{"path":"insecure-js/server.js","start":{"line":50,"col":13,"offset":1386},"end":{"line":50,"col":21,"offset":1394}},"content":"postData"},{"location":{"path":"insecure-js/server.js","start":{"line":112,"col":23,"offset":4016},"end":{"line":112,"col":28,"offset":4021}},"content":"query"}],"taint_sink":["CliLoc",[{"path":"insecure-js/server.js","start":{"line":113,"col":54,"offset":4152},"end":{"line":113,"col":59,"offset":4157}},"query"]]},"engine_kind":"OSS"}},{"check_id":"generic.secrets.security.detected-generic-secret.detected-generic-secret","path":"pixee-snyk.sarif.json","start":{"line":1161,"col":34,"offset":58301},"end":{"line":1161,"col":77,"offset":58344},"extra":{"metavars":{"$1":{"start":{"line":1161,"col":44,"offset":58311},"end":{"line":1161,"col":76,"offset":58343},"abstract_content":"54efcbaed7f64673bc93b4e28ca9e8b2"},"$SECRET":{"start":{"line":1161,"col":44,"offset":58311},"end":{"line":1161,"col":76,"offset":58343},"abstract_content":"54efcbaed7f64673bc93b4e28ca9e8b2"}},"message":"Generic Secret detected","metadata":{"cwe":["CWE-798: Use of Hard-coded Credentials"],"source-rule-url":"https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json","category":"security","technology":["secrets"],"confidence":"LOW","owasp":["A07:2021 - Identification and Authentication Failures"],"references":["https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Hard-coded Secrets"],"source":"https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret","shortlink":"https://sg.run/l2o5","semgrep.dev":{"rule":{"origin":"community","r_id":9057,"rule_id":"r6Urqe","rv_id":945495,"url":"https://semgrep.dev/playground/r/nWTpzQ5/generic.secrets.security.detected-generic-secret.detected-generic-secret","version_id":"nWTpzQ5"}}},"severity":"ERROR","fingerprint":"f879560bcbc4258c64b234926e28b027eef209945161079c870fe723a618a7e7adacb5057b293aafcdb01589e6c8ade4145a13d98b329903cf36c0c497212537_0","lines":" \"line\": \"secret = '54efcbaed7f64673bc93b4e28ca9e8b2'\\n\",","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"dockerfile.security.missing-user.missing-user","path":"workload-security-evaluator/Dockerfile","start":{"line":27,"col":1,"offset":1035},"end":{"line":27,"col":26,"offset":1060},"extra":{"metavars":{"$...VARS":{"start":{"line":27,"col":5,"offset":1039},"end":{"line":27,"col":26,"offset":1060},"abstract_content":"[\"sleep\"\"infinity\"]"}},"message":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.","fix":"USER non-root\nCMD [\"sleep\", \"infinity\"]","metadata":{"cwe":["CWE-269: Improper Privilege Management"],"category":"security","technology":["dockerfile"],"confidence":"MEDIUM","owasp":["A04:2021 - Insecure Design"],"references":["https://owasp.org/Top10/A04_2021-Insecure_Design"],"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/dockerfile.security.missing-user.missing-user","shortlink":"https://sg.run/Gbvn","semgrep.dev":{"rule":{"origin":"community","r_id":20148,"rule_id":"AbUN06","rv_id":945269,"url":"https://semgrep.dev/playground/r/qkT4j4L/dockerfile.security.missing-user.missing-user","version_id":"qkT4j4L"}}},"severity":"ERROR","fingerprint":"555290a284929b279e6f45a6514944a53073e36328d74be327eaa29f8d1e7c3df817bf90428c50fdb8b54a5c6e6f7c71f123e56a85e517ba94255a0823c69966_0","lines":"CMD [\"sleep\", \"infinity\"]","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"yaml.docker-compose.security.no-new-privileges.no-new-privileges","path":"workload-security-evaluator/docker-compose.yaml","start":{"line":3,"col":3,"offset":25},"end":{"line":3,"col":10,"offset":32},"extra":{"metavars":{"$SERVICE":{"start":{"line":3,"col":3,"offset":25},"end":{"line":3,"col":10,"offset":32},"abstract_content":"datadog"}},"message":"Service 'datadog' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this.","metadata":{"cwe":["CWE-732: Incorrect Permission Assignment for Critical Resource"],"owasp":["A05:2021 - Security Misconfiguration","A06:2017 - Security Misconfiguration"],"references":["https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/","https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt","https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag"],"category":"security","technology":["docker-compose"],"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges","shortlink":"https://sg.run/0n8q","semgrep.dev":{"rule":{"origin":"community","r_id":10054,"rule_id":"qNUoWr","rv_id":947034,"url":"https://semgrep.dev/playground/r/o5TZz4P/yaml.docker-compose.security.no-new-privileges.no-new-privileges","version_id":"o5TZz4P"}}},"severity":"WARNING","fingerprint":"b47157b1d64b1a76c53cc5dd1f06b3afde2735933d6d375b13958d5f51040eb23d0a6e752940e4da63cade63e2058ab1b74a19d612ba86ca358c6e8fbb6490c4_0","lines":" datadog:","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service","path":"workload-security-evaluator/docker-compose.yaml","start":{"line":3,"col":3,"offset":25},"end":{"line":3,"col":10,"offset":32},"extra":{"metavars":{"$SERVICE":{"start":{"line":3,"col":3,"offset":25},"end":{"line":3,"col":10,"offset":32},"abstract_content":"datadog"}},"message":"Service 'datadog' is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'read_only: true' to this service to prevent this.","metadata":{"cwe":["CWE-732: Incorrect Permission Assignment for Critical Resource"],"owasp":["A05:2021 - Security Misconfiguration","A06:2017 - Security Misconfiguration"],"references":["https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir","https://blog.atomist.com/security-of-docker-kubernetes/","https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only"],"category":"security","technology":["docker-compose"],"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service","shortlink":"https://sg.run/e4JE","semgrep.dev":{"rule":{"origin":"community","r_id":10132,"rule_id":"v8U5vN","rv_id":947038,"url":"https://semgrep.dev/playground/r/X0TLZd0/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service","version_id":"X0TLZd0"}}},"severity":"WARNING","fingerprint":"e9d9e08a46c082226f812a75426196affa743ba5a7a099525848865763a414f67eae5dedc077795dca06ad996e34491de37e3268cae1efe87a7c292e715b6d8d_0","lines":" datadog:","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}}],"errors":[{"code":2,"level":"warn","type":"Internal matching error","rule_id":"javascript.express.web.cors-default-config-express.cors-default-config-express","message":"Internal matching error when running javascript.express.web.cors-default-config-express.cors-default-config-express on insecure-js/init_db.js:\n An error occurred while invoking the Semgrep engine. Please help us fix this by creating an issue at https://github.com/returntocorp/semgrep\n\nsemgrep-internal-metavariable-name operator is only supported in the Pro engine","path":"insecure-js/init_db.js"},{"code":3,"level":"warn","type":["PartialParsing",[{"path":"insecure-java/gradlew","start":{"line":72,"col":5,"offset":0},"end":{"line":72,"col":93,"offset":88}},{"path":"insecure-java/gradlew","start":{"line":178,"col":5,"offset":0},"end":{"line":178,"col":15,"offset":10}}]],"message":"Syntax error at line insecure-java/gradlew:72:\n `APP_HOME=${app_path%\"${app_path##*/}\"} # leaves a trailing /; empty if no leading path\n` was unexpected","path":"insecure-java/gradlew","spans":[{"file":"insecure-java/gradlew","start":{"line":72,"col":5,"offset":0},"end":{"line":72,"col":93,"offset":88}},{"file":"insecure-java/gradlew","start":{"line":178,"col":5,"offset":0},"end":{"line":178,"col":15,"offset":10}}]},{"code":3,"level":"warn","type":["PartialParsing",[{"path":"insecure-app/Dockerfile","start":{"line":26,"col":13,"offset":0},"end":{"line":26,"col":15,"offset":2}},{"path":"insecure-app/Dockerfile","start":{"line":26,"col":28,"offset":0},"end":{"line":26,"col":45,"offset":17}}]],"message":"Syntax error at line insecure-app/Dockerfile:26:\n `-m` was unexpected","path":"insecure-app/Dockerfile","spans":[{"file":"insecure-app/Dockerfile","start":{"line":26,"col":13,"offset":0},"end":{"line":26,"col":15,"offset":2}},{"file":"insecure-app/Dockerfile","start":{"line":26,"col":28,"offset":0},"end":{"line":26,"col":45,"offset":17}}]},{"code":2,"level":"warn","type":"Other syntax error","message":"Other syntax error at line insecure-chart/templates/insecure-java.yaml:40:\n (approximate error location; error nearby after) error calling parser: did not find expected key character 0 position 0 returned: 0","path":"insecure-chart/templates/insecure-java.yaml"},{"code":2,"level":"warn","type":"Other syntax error","message":"Other syntax error at line insecure-chart/templates/insecure-app-js.yaml:40:\n (approximate error location; error nearby after) error calling parser: did not find expected key character 0 position 0 returned: 0","path":"insecure-chart/templates/insecure-app-js.yaml"},{"code":2,"level":"warn","type":"Internal matching error","rule_id":"javascript.express.web.cors-default-config-express.cors-default-config-express","message":"Internal matching error when running javascript.express.web.cors-default-config-express.cors-default-config-express on insecure-js/server.js:\n An error occurred while invoking the Semgrep engine. Please help us fix this by creating an issue at https://github.com/returntocorp/semgrep\n\nsemgrep-internal-metavariable-name operator is only supported in the Pro engine","path":"insecure-js/server.js"}],"paths":{"scanned":[".dryrunsecurity.yaml",".env",".github/workflows/amplify.yml",".github/workflows/backslash.yml",".github/workflows/pixee.yml",".github/workflows/publish-insecure.yml",".gitignore",".gitmodules","CODEOWNERS","README.md","insecure-api/Dockerfile","insecure-api/README","insecure-api/database.py","insecure-api/main.py","insecure-api/models.py","insecure-api/requirements.txt","insecure-api/stackhawk.yml","insecure-api/videogames.db","insecure-app/Dockerfile","insecure-app/app.py","insecure-app/bom.json","insecure-app/init_db.py","insecure-app/ransomware.py","insecure-app/requirements.txt","insecure-app/tutorial.db","insecure-chart/.helmignore","insecure-chart/Chart.yaml","insecure-chart/templates/busybox.yaml","insecure-chart/templates/insecure-app-js.yaml","insecure-chart/templates/insecure-app.yaml","insecure-chart/templates/insecure-java.yaml","insecure-chart/templates/workload-security-evaluator.yaml","insecure-chart/terraform.tfstate","insecure-chart/values.yaml","insecure-java/.gitignore","insecure-java/Dockerfile","insecure-java/Exploit.java","insecure-java/README.md","insecure-java/build.gradle","insecure-java/gradle/wrapper/gradle-wrapper.jar","insecure-java/gradle/wrapper/gradle-wrapper.properties","insecure-java/gradlew","insecure-java/gradlew.bat","insecure-java/settings.gradle","insecure-java/snyk_insecure-java.json","insecure-java/src/main/java/com/example/catapp/CatAppApplication.java","insecure-java/src/main/java/com/example/catapp/CatApplication.java","insecure-java/src/main/java/com/example/catapp/config/GlobalExceptionHandler.java","insecure-java/src/main/java/com/example/catapp/controllers/CatPictureController.java","insecure-java/src/main/java/com/example/catapp/controllers/CommentController.java","insecure-java/src/main/java/com/example/catapp/controllers/HomeController.java","insecure-java/src/main/java/com/example/catapp/controllers/UserController.java","insecure-java/src/main/java/com/example/catapp/models/CatPicture.java","insecure-java/src/main/java/com/example/catapp/models/Comment.java","insecure-java/src/main/java/com/example/catapp/models/User.java","insecure-java/src/main/java/com/example/catapp/repositories/CatPictureRepository.java","insecure-java/src/main/java/com/example/catapp/repositories/CommentRepository.java","insecure-java/src/main/java/com/example/catapp/repositories/UserRepository.java","insecure-java/src/main/java/com/example/insecurejava/InsecureJavaApplication.java","insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java","insecure-java/src/main/resources/application.properties","insecure-java/src/main/resources/templates/addComment.html","insecure-java/src/main/resources/templates/addCommentResult.html","insecure-java/src/main/resources/templates/comments.html","insecure-java/src/main/resources/templates/csrf_attack.html","insecure-java/src/main/resources/templates/delete.html","insecure-java/src/main/resources/templates/deleteResult.html","insecure-java/src/main/resources/templates/editProfile.html","insecure-java/src/main/resources/templates/home.html","insecure-java/src/main/resources/templates/layout.html","insecure-java/src/main/resources/templates/login.html","insecure-java/src/main/resources/templates/loginResult.html","insecure-java/src/main/resources/templates/profile.html","insecure-java/src/main/resources/templates/register.html","insecure-java/src/main/resources/templates/registerResult.html","insecure-java/src/main/resources/templates/search.html","insecure-java/src/main/resources/templates/searchResults.html","insecure-js/Dockerfile","insecure-js/data.db","insecure-js/init_db.js","insecure-js/package-lock.json","insecure-js/package.json","insecure-js/server.js","insecure-js/snyk.sarif","insecure-js/styles.css","llm-testing/llm-testing.py","llm-testing/openai-test.py","pixee-snyk.sarif.json","terraform/main.tf","terraform/outputs.tf","terraform/terraform.tf","terraform/variables.tf","workload-security-evaluator/Dockerfile","workload-security-evaluator/LICENSE","workload-security-evaluator/LICENSE-3rdparty.csv","workload-security-evaluator/NOTICE","workload-security-evaluator/README.md","workload-security-evaluator/docker-compose.yaml","workload-security-evaluator/notrelevant.md","workload-security-evaluator/notrelevant_layer.json"]},"interfile_languages_used":[],"skipped_rules":[]} | |||
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Generic Secret detected
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by detected-generic-secret.
You can view more details about this finding in the Semgrep AppSec Platform.
| elif 'url' in request.form: | ||
| url = request.form['url'] | ||
| try: | ||
| response = requests.get(url) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-app/app2.py</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L78 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 78] request.form['url']</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L78 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 78] url</a>"]
end
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L80 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 80] url</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by tainted-flask-http-request-requests.
You can view more details about this finding in the Semgrep AppSec Platform.
| username = request.form['username'] | ||
| try: | ||
| # Vulnerable SQL query using string interpolation | ||
| query = "SELECT password FROM users WHERE username = '{}'".format(username) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-app/app2.py</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L87 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 87] request.form</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L87 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 87] username</a>"]
end
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L90 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 90] "SELECT password FROM users WHERE username = '{}'".format(username)</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by tainted-sql-string.
You can view more details about this finding in the Semgrep AppSec Platform.
| (async () => { | ||
| try { | ||
| const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber};`; | ||
| const result = await sequelize.query(query, { type: sequelize.QueryTypes.SELECT }); |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected a mysql2 SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-js/server2.js</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] chunk</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] body</a>"]
v3["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] body</a>"]
v4["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L50 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 50] postData</a>"]
v5["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L112 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 112] query</a>"]
end
v2 --> v3
v3 --> v4
v4 --> v5
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L113 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 113] query</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by node-mysql-sqli.
You can view more details about this finding in the Semgrep AppSec Platform.
| cursor = conn.cursor() | ||
| try: | ||
| sql_query = f"SELECT * FROM video_games WHERE title = '{query}'" | ||
| cursor.execute(sql_query) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-api/main-2.py</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-api/main-2.py#L113 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 113] query</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-api/main-2.py#L113 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 113] query</a>"]
v3["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-api/main-2.py#L118 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 118] sql_query</a>"]
end
v2 --> v3
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-api/main-2.py#L119 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 119] cursor.execute(sql_query)</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by fastapi-prestodb-sqli.
You can view more details about this finding in the Semgrep AppSec Platform.
Comment on lines
+14
to
+19
| const connection = mysql.createConnection({ | ||
| host: 'localhost', | ||
| user: 'root', | ||
| password: 'topsecret', | ||
| database: 'database' | ||
| }); |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-js/server2.js</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L14 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 14] {<br> host: 'localhost',<br> user: 'root',<br> password: 'topsecret',<br> database: 'database'<br>}</a>"]
end
%% Intermediate
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L14 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 14] {<br> host: 'localhost',<br> user: 'root',<br> password: 'topsecret',<br> database: 'database'<br>}</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
File0:::invis
%% Connections
Source --> Sink
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by node-mysql-hardcoded-secret.
You can view more details about this finding in the Semgrep AppSec Platform.
| # 2 - Command Injection | ||
| if 'command' in request.form: | ||
| cmd = request.form['command'] | ||
| process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected user input entering a subprocess call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-app/app2.py</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L30 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 30] request.form['command']</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L30 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 30] cmd</a>"]
end
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L31 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 31] subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by subprocess-injection.
You can view more details about this finding in the Semgrep AppSec Platform.
| cursor = conn.cursor() | ||
| try: | ||
| sql_query = f"SELECT * FROM video_games WHERE title = '{query}'" | ||
| cursor.execute(sql_query) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-api/main-2.py</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-api/main-2.py#L113 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 113] query</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-api/main-2.py#L113 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 113] query</a>"]
v3["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-api/main-2.py#L118 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 118] sql_query</a>"]
end
v2 --> v3
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-api/main-2.py#L119 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 119] cursor.execute(sql_query)</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
✨ Commit Assistant fix suggestion
Suggested change
| cursor.execute(sql_query) | |
| sql_query = "SELECT * FROM video_games WHERE title = ?" | |
| cursor.execute(sql_query, (query,)) |
View step-by-step instructions
- Change the SQL query to use parameterized queries to prevent SQL injection. Replace the format string with a parameterized query:
sql_query = "SELECT * FROM video_games WHERE title = ?". - Pass the
queryparameter as a tuple to theexecutemethod:cursor.execute(sql_query, (query,)).
This change separates SQL commands from user data, preventing malicious SQL code from being executed.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by fastapi-without-url-path-prestodb-sqli.
You can view more details about this finding in the Semgrep AppSec Platform.
| try: | ||
| # Vulnerable SQL query using string interpolation | ||
| query = "SELECT password FROM users WHERE username = '{}'".format(username) | ||
| cursor.execute(query) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-app/app2.py</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L87 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 87] request.form['username']</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L87 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 87] username</a>"]
v3["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L90 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 90] query</a>"]
end
v2 --> v3
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L91 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 91] cursor.execute(query)</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
✨ Commit Assistant fix suggestion
Suggested change
| cursor.execute(query) | |
| # Secure SQL query using parameterized query | |
| query = "SELECT password FROM users WHERE username = %s" | |
| cursor.execute(query, (username,)) |
View step-by-step instructions
- Replace the vulnerable SQL query with a parameterized query to prevent SQL injection. Use placeholders for user input.
- Modify the query to use a parameterized format:
query = "SELECT password FROM users WHERE username = %s". - Pass the
usernameas a parameter to theexecutemethod:cursor.execute(query, (username,)).
Using parameterized queries ensures that user input is treated as data and not executable code, effectively preventing SQL injection attacks.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by flask-prestodb-sqli.
You can view more details about this finding in the Semgrep AppSec Platform.
| sql = request.form['sql'] | ||
| try: | ||
| # Execute the user's SQL query | ||
| cursor.execute(sql) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-app/app2.py</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] request.form['sql']</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] sql</a>"]
end
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L49 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 49] sql</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by generic-sql-flask.
You can view more details about this finding in the Semgrep AppSec Platform.
| def fetch_url_content(url: str): | ||
| # Vulnerability: No validation of the URL (API10:2019 - Unsafe Consumption of APIs) | ||
| try: | ||
| response = requests.get(url) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssrf-requests.
You can view more details about this finding in the Semgrep AppSec Platform.
| @PostMapping("/unsafeDeserialize") | ||
| public ResponseEntity<String> unsafeDeserialization(@RequestBody byte[] data) { | ||
| try { | ||
| ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data)); |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: Deserialization prevention We do not recommend deserializing untrusted data with the ObjectInputStream. If you must, you can try overriding the ObjectInputStream#resolveClass() method or using a safe replacement for the generic readObject() method.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-java/src/main/java/com/example/insecurejava/unsafe2.java.java</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-java/src/main/java/com/example/insecurejava/unsafe2.java.java#L14 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 14] data</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-java/src/main/java/com/example/insecurejava/unsafe2.java.java#L14 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 14] data</a>"]
end
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-java/src/main/java/com/example/insecurejava/unsafe2.java.java#L16 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 16] new ByteArrayInputStream(data)</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by objectinputstream-deserialization-spring.
You can view more details about this finding in the Semgrep AppSec Platform.
Comment on lines
+78
to
+83
| url = request.form['url'] | ||
| try: | ||
| response = requests.get(url) | ||
| output = f"SSRF Response: {response.text[:200]}" | ||
| except Exception as e: | ||
| output = f"SSRF Error: {e}" |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssrf-injection-requests.
You can view more details about this finding in the Semgrep AppSec Platform.
| try: | ||
| # Vulnerable SQL query using string interpolation | ||
| query = "SELECT password FROM users WHERE username = '{}'".format(username) | ||
| cursor.execute(query) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-app/app2.py</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L87 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 87] request.form['username']</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L87 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 87] username</a>"]
v3["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L90 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 90] query</a>"]
end
v2 --> v3
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L91 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 91] query</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by generic-sql-flask.
You can view more details about this finding in the Semgrep AppSec Platform.
| try: | ||
| # Vulnerable SQL query using string interpolation | ||
| query = "SELECT password FROM users WHERE username = '{}'".format(username) | ||
| cursor.execute(query) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-app/app2.py</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L87 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 87] request.form['username']</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L87 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 87] username</a>"]
v3["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L90 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 90] query</a>"]
end
v2 --> v3
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-app/app2.py#L91 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 91] cursor.execute(query)</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
✨ Commit Assistant fix suggestion
Suggested change
| cursor.execute(query) | |
| # Secure SQL query using parameterized query | |
| query = "SELECT password FROM users WHERE username = %s" | |
| cursor.execute(query, (username,)) |
View step-by-step instructions
- Replace the vulnerable SQL query with a parameterized query to prevent SQL injection.
- Use the
executemethod with placeholders for parameters. Change the query to:query = "SELECT password FROM users WHERE username = %s". - Pass the
usernameas a parameter in a tuple to theexecutemethod:cursor.execute(query, (username,)).
This approach separates SQL commands from user data, preventing malicious input from altering the query structure.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by flask-without-url-path-prestodb-sqli.
You can view more details about this finding in the Semgrep AppSec Platform.
| (async () => { | ||
| try { | ||
| const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber};`; | ||
| const result = await sequelize.query(query, { type: sequelize.QueryTypes.SELECT }); |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>insecure-js/server2.js</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L32 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 32] req</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L32 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 32] req</a>"]
v3["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L45 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 45] chunk</a>"]
v4["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] body</a>"]
v5["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L45 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 45] chunk</a>"]
v6["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] body</a>"]
v7["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] body</a>"]
v8["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L50 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 50] postData</a>"]
v9["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L112 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 112] query</a>"]
end
v2 --> v3
v3 --> v4
v4 --> v5
v5 --> v6
v6 --> v7
v7 --> v8
v8 --> v9
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/a53589ae67e1029cd632a301ec9c8900283faded/insecure-js/server2.js#L113 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 113] query</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by sequelize-http.
You can view more details about this finding in the Semgrep AppSec Platform.
DryRun Security SummaryThis pull request introduces multiple intentional security vulnerabilities across Python, Java, JavaScript, and Kubernetes configurations, including SQL injection, hardcoded credentials, remote code execution, unsafe deserialization, broken access control, and exposed sensitive information. Expand for full summaryThis pull request introduces multiple changes across various files in an intentionally vulnerable application demonstrating security risks. The changes span multiple programming languages and frameworks, including Python, Java, JavaScript, and Kubernetes configurations. Security Vulnerabilities:
Code AnalysisWe ran
Overall Riskiness🔴 Risk threshold exceeded. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.