Merge Develop into Release (#3696)

r2c-argo[bot] · kurt-r2c · mjambon · web-flow · commit a8c6de70b337 · 2025-11-24T18:15:04.000Z
* fix(rules): CODE-9032 (#3683) * fix for CODE-9032 * add test * Improve OCaml rule protecting against stray Not_founds (#3702) ## Link to an issue, if relevant (internal Slack thread) ### ~~Adding a new~~ Revising a rule? Look over this PR checklist - The issue or PR has links, references, or examples. - The rule has **true positive** and **true negative** test cases in a file that matches the rule name. > If the rule is `my-rule`, the test file name should be `my-rule.js`. > > True positives are marked by comments with `ruleid: <my-rule>` and true negatives are marked by comments with `ok: <my-rule>`. - The rule has a good message. A good message includes: > 1. A description of the pattern (e.g., missing parameter, dangerous flag, out-of-order function calls). > 1. A description of why this pattern was detected (e.g., logic bug, introduces a security vulnerability, bad practice). > 1. An alternative that resolves the issue (e.g., use another function, validate data first, discard the dangerous flag). * Update aws-cloudfront-insecure-tls rule (#3705) This updates aws-cloudfront-insecure-tls rule to account for the addition of aws cloudfront support for TLSv1.2_2025 and TLSv1.3_2025 * Add rule to detect backdoor github action placed by Sha1-Hulud (#3714) Co-authored-by: Pieter De Cremer <pieter@Mac.localdomain> * Fixed message in shai hulud backdoor rule (#3715) Co-authored-by: Pieter De Cremer <pieter@Mac.localdomain> --------- Co-authored-by: Kurt Boberg <98792107+kurt-r2c@users.noreply.github.com> Co-authored-by: Martin Jambon <martin@mjambon.com> Co-authored-by: Greg M <greg.myers@semgrep.com> Co-authored-by: Pieter De Cremer (Semgrep) <pieter@r2c.dev> Co-authored-by: Pieter De Cremer <pieter@Mac.localdomain>
diff --git a/java/lang/security/audit/formatted-sql-string.java b/java/lang/security/audit/formatted-sql-string.java
@@ -152,4 +152,23 @@ public void get(HttpServletRequest req) {
         // ruleid: formatted-sql-string
         ResultSet rs = statement.executeQuery();
     }
+}
+
+public class SqlExampleNonStringBuilderConstructor{
+
+    public Retry<ResultSet> getRetry(final String mainQuery, final Connection connection) {
+        // not a StringBuilder
+        return new Retry<>(
+            // also not a StringBuilder
+            new Callable<ResultSet>() {
+                public ResultSet call() throws SQLException {
+                    PreparedStatement statement = connection.prepareStatement(
+                        mainQuery, ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_READ_ONLY);
+                    statement.setFetchSize(Integer.MIN_VALUE);
+                    // ok: formatted-sql-string
+                    return statement.executeQuery ();
+                }
+            },
+            Retry.RETRY_FOREVER);
+    }
 }
diff --git a/java/lang/security/audit/formatted-sql-string.yaml b/java/lang/security/audit/formatted-sql-string.yaml
@@ -52,12 +52,17 @@ rules:
     - pattern-either:
       - pattern: $X + $INPUT
       - pattern: $X += $INPUT
-      - pattern: $STRB.append($INPUT)
       - pattern: String.format(..., $INPUT, ...)
       - pattern: String.join(..., $INPUT, ...)
       - pattern: (String $STR).concat($INPUT)
       - pattern: $INPUT.concat(...)
-      - pattern: new $STRB(..., $INPUT, ...)
+      - patterns:
+        - pattern-either:
+          - pattern: $STRB.append($INPUT)
+          - pattern: new $STRB(..., $INPUT, ...)
+        - metavariable-type:
+            metavariable: $STRB
+            type: StringBuilder
     label: CONCAT
     requires: INPUT
   pattern-propagators:
diff --git a/ocaml/lang/best-practice/hashtbl.ml b/ocaml/lang/best-practice/hashtbl.ml
@@ -5,16 +5,36 @@ let test1 xs =
   else 2
 
 let test2 xs =
- (* ok *)
- try
-   if Hashtbl.find h 1
-   then 1
-   else 2
- with Not_found -> 3
+  (* ok *)
+  try Hashtbl.find h 1
+  with Not_found -> 3
+
+let test2 xs =
+  (* ok *)
+  try
+    if Hashtbl.find h 1
+    then 1
+    else 2
+  with Not_found -> 3
 
 let test3 xs =
- (* ok *)
- match Hashtbl.find h 1 with
- | true -> 1
- | false -> 2
- | exception Not_found -> 3
+  try
+    (* ruleid:hashtbl-find-outside-try *)
+    if Hashtbl.find h 1
+    then failwith "error"
+    else 2
+  with Failure _ -> 3
+
+let test4 xs =
+  (* ruleid:hashtbl-find-outside-try *)
+  match Hashtbl.find h 1 with
+  | true -> 1
+  | false -> 2
+
+let test5 xs =
+  (* false positive, needs fixing. See notes in the rule. *)
+  (* ruleid:hashtbl-find-outside-try *)
+  match Hashtbl.find h 1 with
+  | true -> 1
+  | false -> 2
+  | exception Not_found -> 3
diff --git a/ocaml/lang/best-practice/hashtbl.yaml b/ocaml/lang/best-practice/hashtbl.yaml
@@ -4,16 +4,22 @@ rules:
       - pattern: |
           Hashtbl.find ...
       - pattern-not-inside: |
-          try ... with ... -> ...
-      # TODO:
-      # We should restrict this to match-with plus exception pattern:
-      #
-      #     match ... with | exception ... -> ... | ... -> ...
-      #
-      # But first we need to switch to tree-sitter-ocaml for parsing patterns.
-      - pattern-not-inside: |
-          match ... with | ... -> ...
-    message: You should not use Hashtbl.find outside of a try, or you should use Hashtbl.find_opt
+          try ... with Not_found -> ...
+      # TODO: add support for the syntax match ... with | exception ... -> ...
+      # First, we'd need to switch to tree-sitter-ocaml for parsing
+      # patterns.
+      # - pattern-not-inside: |
+      #    match Hashtbl.find ... with exception Not_found -> ...
+    message: >-
+      'Hashtbl.find' raises the 'Not_found' exception.
+      Handle the exception or use 'Hashtbl.find_opt' instead.
+      If you have proof that the key exists in the table,
+      use 'assert false' as the exception handler to demonstrate awareness
+      of the issue.
+      If your code uses the syntax 'match Hashtbl.find ... with
+      exception Not_found -> ...', it's fine and we apologize for not
+      detecting it. Consider using 'Hashtbl.find_opt' to please
+      Semgrep and stay safe.
     languages: [ocaml]
     severity: WARNING
     metadata:
diff --git a/terraform/aws/security/aws-cloudfront-insecure-tls.yaml b/terraform/aws/security/aws-cloudfront-insecure-tls.yaml
@@ -39,11 +39,31 @@ rules:
         }
         ...
       }
+  - pattern-not-inside: |
+      resource "aws_cloudfront_distribution" $ANYTHING {
+        ...
+        viewer_certificate {
+          ...
+          minimum_protocol_version = "TLSv1.2_2025"
+          ...
+        }
+        ...
+      }
+  - pattern-not-inside: |
+      resource "aws_cloudfront_distribution" $ANYTHING {
+        ...
+        viewer_certificate {
+          ...
+          minimum_protocol_version = "TLSv1.3_2025"
+          ...
+        }
+        ...
+      }
   message: >-
     Detected an AWS CloudFront Distribution with an insecure TLS version.
     TLS versions less than 1.2 are considered insecure because they
     can be broken. To fix this, set your `minimum_protocol_version` to
-    `"TLSv1.2_2018", "TLSv1.2_2019" or "TLSv1.2_2021"`.
+    `"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021", "TLSv1.2_2025" or "TLSv1.3_2025"`.
   metadata:
     category: security
     technology:
diff --git a/yaml/github-actions/security/detect-shai-hulud-backdoor.yaml b/yaml/github-actions/security/detect-shai-hulud-backdoor.yaml
@@ -0,0 +1,66 @@
+rules:
+  - id: detect-shai-hulud-backdoor
+    languages:
+      - yaml
+    message: The Shai-hulud backdoor creates a purposefully vulnerable github action
+      with the name `discussion.yaml`. 
+    paths:
+      include:
+        - "**/.github/workflows/discussion.yaml"
+    metadata:
+      category: security
+      cwe:
+        - "CWE-509: Replicating Malicious Code (Virus or Worm)"
+      owasp:
+        - A01:2017 - Injection
+        - A03:2021 - Injection
+      technology:
+        - github-actions
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+        - vuln
+      likelihood: HIGH
+      impact: HIGH
+      confidence: HIGH
+      license: Semgrep Rules License v1.0. For more details, visit
+        semgrep.dev/legal/rules-license
+      vulnerability_class:
+        - Command Injection
+      source_rule_url: https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
+      references:
+        - https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
+    patterns:
+      - pattern-inside: "steps: [...]"
+      - pattern-inside: |
+          - run: ...
+            ...
+      - pattern: "run: $SHELL"
+      - metavariable-pattern:
+          language: generic
+          metavariable: $SHELL
+          patterns:
+            - pattern-either:
+                - pattern: ${{ github.event.issue.title }}
+                - pattern: ${{ github.event.issue.body }}
+                - pattern: ${{ github.event.pull_request.title }}
+                - pattern: ${{ github.event.pull_request.body }}
+                - pattern: ${{ github.event.comment.body }}
+                - pattern: ${{ github.event.review.body }}
+                - pattern: ${{ github.event.review_comment.body }}
+                - pattern: ${{ github.event.pages. ... .page_name}}
+                - pattern: ${{ github.event.head_commit.message }}
+                - pattern: ${{ github.event.head_commit.author.email }}
+                - pattern: ${{ github.event.head_commit.author.name }}
+                - pattern: ${{ github.event.commits ... .author.email }}
+                - pattern: ${{ github.event.commits ... .author.name }}
+                - pattern: ${{ github.event.pull_request.head.ref }}
+                - pattern: ${{ github.event.pull_request.head.label }}
+                - pattern: ${{ github.event.pull_request.head.repo.default_branch }}
+                - pattern: ${{ github.head_ref }}
+                - pattern: ${{ github.event.inputs ... }}
+                - pattern: ${{ github.event.discussion.title }}
+                - pattern: ${{ github.event.discussion.body }}
+                - pattern: ${{ inputs ... }}
+    severity: ERROR
+
