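--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,31 @@
+rules:
+- id: flask-debug-true
+languages: [python]
+severity: ERROR
+message: Running Flask with debug=True exposes the Werkzeug debugger and allows remote code execution.
+patterns:
+- pattern: $APP.run(..., debug=True, ...)
+
+- id: hardcoded-bind-all-interfaces
+languages: [python]
+severity: WARNING
+message: Binding to 0.0.0.0 exposes the service on all interfaces; confirm this is intended.
+patterns:
+- pattern: $APP.run(..., host="0.0.0.0", ...)
+
+- id: subprocess-shell-true
+languages: [python]
+severity: ERROR
+message: subprocess call with shell=True and a non-literal argument is a command injection risk.
+patterns:
+- pattern: subprocess.$FN(..., shell=True, ...)
+- pattern-not: subprocess.$FN("...", shell=True, ...)
+
+- id: jwt-decode-without-verification
+languages: [python]
+severity: ERROR
+message: jwt.decode with verify=False or options disabling signature verification accepts forged tokens.
+patterns:
+- pattern-either:
+- pattern: 'jwt.decode(..., verify=False, ...)'
+- pattern: 'jwt.decode(..., options={..., "verify_signature": False, ...}, ...)'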
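Review bot: The `flask-debug-true` rule only matches the `debug=True` keyword on `$APP.run(...)`, so the equally common `app.debug = True` assignment before `run()` is not reported; replacing the single pattern with `pattern-either:` / `- pattern: $APP.run(..., debug=True, ...)` / `- pattern: $APP.debug = True` closes that gap without adding false positives. The same narrowness applies to `hardcoded-bind-all-interfaces`, which checks only the literal `"0.0.0.0"` while `host=""` and the IPv6 `"::"` also bind every interface, and to `jwt-decode-without-verification`, which will presumably miss an `options` dict built in a variable and passed by name unless the engine's constant propagation resolves it. None of the four rules carries a `metadata` block (CWE, references, a one-line remediation), so a finding gives the reader only the `message` text; adding `metadata:` with at least a `cwe` and a `references` entry per rule would make triage self-contained. The hunk header declares the file as new, so the whole rules file is within this hunk.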