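---
# Semgrep rules (Python) for a handful of common application-security defects.
# Every rule carries the required keys: id, languages, severity, message and
# one pattern clause. Findings are reported per file; none of these rules
# follows data across module boundaries.
rules:
  - id: flask-debug-true
    languages: [python]
    severity: ERROR
    message: Running Flask with debug=True exposes the Werkzeug debugger and allows remote code execution.
    patterns:
      # The receiver `$APP` is unconstrained, so any `.run(debug=True)` call is
      # reported, not only a flask.Flask instance.
      # NOTE(review): a `pattern-inside` on `$APP = flask.Flask(...)` would
      # narrow this to apps created in the same file — confirm before adding,
      # since it would drop apps constructed elsewhere.
      - pattern: $APP.run(..., debug=True, ...)

  - id: hardcoded-bind-all-interfaces
    languages: [python]
    severity: WARNING
    # Quoted because the value contains `:: ` (colon-space would otherwise be
    # parsed as a mapping indicator).
    message: 'Binding to 0.0.0.0 or :: exposes the service on all interfaces; confirm this is intended.'
    patterns:
      - pattern-either:
          # The IPv4 and IPv6 unspecified addresses both bind every interface.
          - pattern: $APP.run(..., host="0.0.0.0", ...)
          - pattern: '$APP.run(..., host="::", ...)'

  - id: subprocess-shell-true
    languages: [python]
    severity: ERROR
    message: subprocess call with shell=True and a non-literal argument is a command injection risk.
    patterns:
      - pattern: subprocess.$FN(..., shell=True, ...)
      # A bare string-literal command cannot carry caller-supplied data, so it
      # is excluded from the finding.
      # NOTE(review): whether `"..."` also matches f-strings depends on the
      # Semgrep version — confirm that an f-string command is still reported.
      - pattern-not: subprocess.$FN("...", shell=True, ...)

  - id: jwt-decode-without-verification
    languages: [python]
    severity: ERROR
    message: jwt.decode with verify=False or options disabling signature verification accepts forged tokens.
    patterns:
      - pattern-either:
          # Two spellings of the same mistake: the `verify=` keyword and the
          # `options` dict entry `"verify_signature": False`.
          - pattern: 'jwt.decode(..., verify=False, ...)'
          - pattern: 'jwt.decode(..., options={..., "verify_signature": False, ...}, ...)'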