File

.semgrep.yml @ 12696:27a72982e331

util.jwt: Add support/tests for ES256 via improved API and using util.crypto In many cases code will be either signing or verifying. With asymmetric algorithms it's clearer and more efficient to just state that once, instead of passing keys (and possibly other parameters) with every sign/verify call. This also allows earlier validation of the key used. The previous (HS256-only) sign/verify methods continue to be exposed for backwards-compatibility.
author Matthew Wild <mwild1@gmail.com>
date Fri, 01 Jul 2022 18:51:15 +0100
parent 11289:c6965f3c321c
child 12717:898e99f49d80
line wrap: on
line source

rules:
- id: log-variable-fmtstring
  patterns:
    - pattern: log("...", $A)
    - pattern-not: log("...", "...")
  message: Variable passed as format string to logging
  languages: [lua]
  severity: ERROR
- id: module-log-variable-fmtstring
  patterns:
    - pattern: module:log("...", $A)
    - pattern-not: module:log("...", "...")
  message: Variable passed as format string to logging
  languages: [lua]
  severity: ERROR
- id: module-getopt-string-default
  patterns:
    - pattern: module:get_option_string("...", $A)
    - pattern-not: module:get_option_string("...", "...")
    - pattern-not: module:get_option_string("...", host)
    - pattern-not: module:get_option_string("...", module.host)
  message: Non-string default from :get_option_string
  severity: ERROR
  languages: [lua]