Ankush Menat | 67e6472 | 2021-04-16 21:44:49 +0530

rules:
  - id: frappe-codeinjection-eval
    patterns:
      - pattern-not: eval("...")
      - pattern: eval(...)
    message: |
      Detected the use of eval(). eval() can be dangerous if used to evaluate
      dynamic content. Avoid it or use safe_eval().
    languages: [python]
    severity: ERROR

  - id: frappe-sqli-format-strings
    patterns:
      - pattern-inside: |
          @frappe.whitelist()
          def $FUNC(...):
            ...
      - pattern-either:
          - pattern: frappe.db.sql("..." % ...)
          - pattern: frappe.db.sql(f"...", ...)
          - pattern: frappe.db.sql("...".format(...), ...)
    message: |
      Detected use of raw string formatting for SQL queries. This can lead to SQL injection vulnerabilities. Refer to the security guidelines - https://github.com/frappe/erpnext/wiki/Code-Security-Guidelines
    languages: [python]
    severity: WARNING
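To make the matching logic of the two rules concrete, the following is an added example (not part of the Frappe rules file or of Semgrep) that approximates both rules with Python's `ast` module: the first rule flags every `eval(...)` call except one whose only argument is a string literal (the `pattern-not` clause), and the second flags `frappe.db.sql(...)` calls whose query is built with `%`, an f-string or `.format()`, but only inside a function decorated with `@frappe.whitelist()` (the `pattern-inside` clause). The sample module it scans is constructed for this example; `find_findings` and the other helper names are this example's own.

```python
"""Added example: an ast-based approximation of the two Semgrep rules above."""
from __future__ import annotations

import ast


def _is_whitelisted(func: ast.FunctionDef | ast.AsyncFunctionDef) -> bool:
    """True if the function carries the `@frappe.whitelist()` decorator (pattern-inside)."""
    for dec in func.decorator_list:
        if isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute):
            owner = dec.func.value
            if dec.func.attr == "whitelist" and isinstance(owner, ast.Name) and owner.id == "frappe":
                return True
    return False


def _is_db_sql(call: ast.Call) -> bool:
    """True if the call is `frappe.db.sql(...)`."""
    f = call.func
    return (
        isinstance(f, ast.Attribute) and f.attr == "sql"
        and isinstance(f.value, ast.Attribute) and f.value.attr == "db"
        and isinstance(f.value.value, ast.Name) and f.value.value.id == "frappe"
    )


def _is_formatted_string(node: ast.AST) -> bool:
    """True for the three shapes in pattern-either: "..." % ..., f"...", "...".format(...)."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return isinstance(node.left, ast.Constant) and isinstance(node.left.value, str)
    if isinstance(node, ast.JoinedStr):  # f-string
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        base = node.func.value
        return isinstance(base, ast.Constant) and isinstance(base.value, str)
    return False


def find_findings(source: str) -> list[tuple[str, int]]:
    """Return (rule id, line number) pairs for every match in `source`, sorted by line."""
    tree = ast.parse(source)
    findings: list[tuple[str, int]] = []

    # Rule 1: eval(...) anywhere, minus eval("<literal>") (pattern-not).
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "eval":
            args = node.args
            if len(args) == 1 and isinstance(args[0], ast.Constant) and isinstance(args[0].value, str):
                continue
            findings.append(("frappe-codeinjection-eval", node.lineno))

    # Rule 2: formatted query string passed to frappe.db.sql, only inside whitelisted functions.
    for func in ast.walk(tree):
        if isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)) and _is_whitelisted(func):
            for node in ast.walk(func):
                if isinstance(node, ast.Call) and _is_db_sql(node) and node.args:
                    if _is_formatted_string(node.args[0]):
                        findings.append(("frappe-sqli-format-strings", node.lineno))

    return sorted(findings, key=lambda f: f[1])


# Constructed sample module; the comments mark what each rule should and should not report.
SAMPLE = '''\
import frappe

@frappe.whitelist()
def get_items(name):
    frappe.db.sql("select * from tabItem where name = '%s'" % name)          # flagged
    frappe.db.sql(f"select * from tabItem where name = '{name}'")            # flagged
    frappe.db.sql("select * from tabItem where name = '{}'".format(name))    # flagged
    return frappe.db.sql("select * from tabItem where name = %(n)s", {"n": name})  # parameterised: ok

def internal(name):
    frappe.db.sql(f"select {name}")   # not flagged: function is not whitelisted

def parse(expr):
    eval("1 + 1")      # not flagged: literal argument only
    return eval(expr)  # flagged: dynamic content
'''

if __name__ == "__main__":
    for rule_id, line in find_findings(SAMPLE):
        print(f"{rule_id}: line {line}")
```

The checker reproduces the rules' scope rather than the full Semgrep engine: an f-string or `%`-formatted query outside a whitelisted function is deliberately not reported, mirroring the `pattern-inside` clause, and the parameterised `%(n)s` query is left alone because the placeholder substitution is done by the database driver, not by Python string formatting.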