File

.semgrep.yml @ 12480:7e9ebdc75ce4

net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
author Jonas Schäfer <jonas@wielicki.name>
date Wed, 27 Apr 2022 17:44:14 +0200
parent 11289:c6965f3c321c
child 12717:898e99f49d80
line wrap: on
line source

rules:
- id: log-variable-fmtstring
  patterns:
    - pattern: log("...", $A)
    - pattern-not: log("...", "...")
  message: Variable passed as format string to logging
  languages: [lua]
  severity: ERROR
- id: module-log-variable-fmtstring
  patterns:
    - pattern: module:log("...", $A)
    - pattern-not: module:log("...", "...")
  message: Variable passed as format string to logging
  languages: [lua]
  severity: ERROR
- id: module-getopt-string-default
  patterns:
    - pattern: module:get_option_string("...", $A)
    - pattern-not: module:get_option_string("...", "...")
    - pattern-not: module:get_option_string("...", host)
    - pattern-not: module:get_option_string("...", module.host)
  message: Non-string default from :get_option_string
  severity: ERROR
  languages: [lua]