Remove top-ellipses from various rules for performance (semgrep#1510)

Author: Grayson H

go/lang/security/audit/net/dynamic-httptrace-clienttrace.yaml

@@ -21,11 +21,11 @@ rules:
     - go
   patterns:
   - pattern-not-inside: |
+      package $PACKAGE
       ...
       &httptrace.ClientTrace { ... }
       ...
   - pattern: httptrace.WithClientTrace($ANY, $TRACE)
-
   severity: WARNING
   languages:
   - go

go/lang/security/audit/net/wip-xss-using-responsewriter-and-printf.yaml

@@ -3,13 +3,12 @@ rules:
   patterns:
   - pattern-inside: |
       func $FUNC(..., $W http.ResponseWriter, ...) {
-          ...
+        ...
+        var $TEMPLATE = "..."
+        ...
+        $W.Write([]byte(fmt.$PRINTF($TEMPLATE, ...)), ...)
+        ...
       }
-  - pattern-inside: |
-      ...
-      var $T = "..."
-      ...
-      $W.Write([]byte(fmt.$PRINTF($T, ...)), ...)
   - pattern-either:
     - pattern: |
         $PARAMS = r.URL.Query()

javascript/jsonwebtoken/security/audit/jwt-decode-without-verify.js

@@ -1,6 +1,23 @@
+const { ok } = require('assert');
 const jwt = require('jsonwebtoken');
 
 // ruleid: jwt-decode-without-verify
 if (jwt.decode(token, true).param === true) {
   console.log('token is valid');
 }
+
+function ok(token, key) {
+  // ok: jwt-decode-without-verify
+  jwt.verify(token, key);
+  if (jwt.decode(token, true).param === true) {
+    console.log('token is valid');
+  }
+}
+
+const ok2 = (token, key) => {
+  // ok: jwt-decode-without-verify
+  jwt.verify(token, key);
+  if (jwt.decode(token, true).param === true) {
+    console.log('token is valid');
+  }
+};

javascript/jsonwebtoken/security/audit/jwt-decode-without-verify.jsx

@@ -1,7 +1,15 @@
 const jwt = require('jsonwebtoken');
 
-const bad = () => {
-// ruleid: jwt-decode-without-verify
+const bad = (token) => {
+  // ruleid: jwt-decode-without-verify
+  if (jwt.decode(token, true).param === true) {
+    console.log('token is valid');
+  }
+};
+
+const ok = (token, key) => {
+  // ok: jwt-decode-without-verify
+  jwt.verify(token, key);
   if (jwt.decode(token, true).param === true) {
     console.log('token is valid');
   }

javascript/jsonwebtoken/security/audit/jwt-decode-without-verify.yaml

@@ -23,12 +23,7 @@ rules:
   - pattern-inside: |
       $JWT = require('jsonwebtoken');
       ...
-  - pattern-either:
-    - pattern: |
-        $JWT.decode(...)
-    - pattern: |
-        $JWT.decode(...).$PARAM
   - pattern-not-inside: |
+      $JWT.verify($TOKEN, ...)
       ...
-      $JWT.verify(...)
-      ...
+  - pattern: $JWT.decode($TOKEN, ...)

javascript/lang/security/audit/path-traversal/path-join-resolve-traversal.yaml

@@ -2,7 +2,6 @@ rules:
 - id: path-join-resolve-traversal
   patterns:
   - pattern-inside: |
-      ...
       $PATH = require('path');
       ...
   - pattern-either:

javascript/lang/security/audit/vm-injection.yaml

@@ -100,7 +100,6 @@ rules:
     - javascript
   patterns:
   - pattern-inside: |
-      ...
       $VM = require('vm');
       ...
   - pattern-either:
@@ -199,7 +198,6 @@ rules:
     - javascript
   patterns:
   - pattern-inside: |
-      ...
       $VM = require('vm');
       ...
   - pattern-either:

javascript/phantom/security/audit/phantom-injection.yaml

@@ -12,12 +12,8 @@ rules:
   languages: [javascript, typescript]
   patterns:
   - pattern-inside: |
-      ...
       $PHANTOM = require('phantom');
       ...
-  - pattern-not-inside: |
-      var $INPUT = "...";
-      ...
   - pattern-either:
     - pattern: $PAGE.open($INPUT,...)
     - pattern: $PAGE.property("content",$INPUT,...)

javascript/playwright/security/audit/playwright-addinitscript-code-injection.js

@@ -6,7 +6,7 @@ async function test4(userInput) {
   const page = await browser.newPage();
   const context = await browser.newContext();
 
-// ok
+  // ok:playwright-addinitscript-code-injection
   await context.addInitScript(x => console.log(x), 5);
 
   // ruleid:playwright-addinitscript-code-injection

javascript/playwright/security/audit/playwright-addinitscript-code-injection.yaml

@@ -12,15 +12,9 @@ rules:
   languages: [javascript, typescript]
   patterns:
   - pattern-inside: |
-      ...
       require('playwright');
       ...
   - pattern-not-inside: |
-      ...
-      var $INPUT = "...";
-      ...
-  - pattern-not-inside: |
-      ...
       var $INPUT = function $FNAME(...){...};
       ...
   - pattern: $CONTEXT.addInitScript($INPUT,...)

javascript/playwright/security/audit/playwright-evaluate-arg-injection.yaml

@@ -12,7 +12,6 @@ rules:
   languages: [javascript, typescript]
   patterns:
   - pattern-inside: |
-      ...
       require('playwright');
       ...
   - pattern-either:

javascript/playwright/security/audit/playwright-evaluate-code-injection.js

@@ -5,7 +5,7 @@ async function test2(userInput) {
   const browser = await chromium.launch();
   const page = await browser.newPage();
 
-// ok
+  // ok:playwright-evaluate-code-injection
   await page.evaluate(x => console.log(x), 5);
 
   // ruleid:playwright-evaluate-code-injection

javascript/playwright/security/audit/playwright-evaluate-code-injection.yaml

@@ -12,15 +12,9 @@ rules:
   languages: [javascript, typescript]
   patterns:
   - pattern-inside: |
-      ...
       require('playwright');
       ...
   - pattern-not-inside: |
-      ...
-      var $INPUT = "...";
-      ...
-  - pattern-not-inside: |
-      ...
       var $INPUT = function $FNAME(...){...};
       ...
   - pattern-either:

javascript/playwright/security/audit/playwright-exposed-chrome-devtools.yaml

@@ -12,7 +12,6 @@ rules:
   languages: [javascript, typescript]
   patterns:
   - pattern-inside: |
-      ...
       require('playwright');
       ...
   - pattern-either:

javascript/playwright/security/audit/playwright-goto-injection.yaml

@@ -12,12 +12,13 @@ rules:
   languages: [javascript, typescript]
   patterns:
   - pattern-inside: |
-      ...
       require('playwright');
       ...
   - pattern-not-inside: |
+      require('playwright');
       ...
       var $INPUT = "...";
       ...
+      $PAGE.goto($INPUT,...)
   - pattern: $PAGE.goto($INPUT,...)
   - pattern-not: $PAGE.goto("...",...)

javascript/playwright/security/audit/playwright-setcontent-injection.yaml

@@ -12,12 +12,13 @@ rules:
   languages: [javascript, typescript]
   patterns:
   - pattern-inside: |
-      ...
       require('playwright');
       ...
   - pattern-not-inside: |
+      require('playwright');
       ...
       var $INPUT = "...";
       ...
+      $PAGE.setContent($INPUT,...)
   - pattern: $PAGE.setContent($INPUT,...)
   - pattern-not: $PAGE.setContent("...",...)

javascript/puppeteer/security/audit/puppeteer-evaluate-arg-injection.yaml

@@ -12,7 +12,6 @@ rules:
   languages: [javascript, typescript]
   patterns:
   - pattern-inside: |
-      ...
       require('puppeteer');
       ...
   - pattern-either:

javascript/puppeteer/security/audit/puppeteer-evaluate-code-injection.js

@@ -5,7 +5,7 @@ async function test2(userInput) {
   const browser = await puppeteer.launch();
   const page = await browser.newPage();
 
-// ok
+  // ok:puppeteer-evaluate-code-injection
   await page.evaluate(x => console.log(x), 5);
 
   // ruleid:puppeteer-evaluate-code-injection

javascript/puppeteer/security/audit/puppeteer-evaluate-code-injection.yaml

@@ -12,15 +12,9 @@ rules:
   languages: [javascript, typescript]
   patterns:
   - pattern-inside: |
-      ...
       require('puppeteer');
       ...
   - pattern-not-inside: |
-      ...
-      var $INPUT = "...";
-      ...
-  - pattern-not-inside: |
-      ...
       var $INPUT = function $FNAME(...){...};
       ...
   - pattern-either:

javascript/puppeteer/security/audit/puppeteer-exposed-chrome-devtools.yaml

@@ -12,7 +12,6 @@ rules:
   languages: [javascript, typescript]
   patterns:
   - pattern-inside: |
-      ...
       require('puppeteer');
       ...
   - pattern-either:

javascript/puppeteer/security/audit/puppeteer-goto-injection.yaml

@@ -12,12 +12,13 @@ rules:
   languages: [javascript, typescript]
   patterns:
   - pattern-inside: |
-      ...
       require('puppeteer');
       ...
   - pattern-not-inside: |
+      require('puppeteer');
       ...
       var $INPUT = "...";
       ...
+      $PAGE.goto($INPUT,...)
   - pattern: $PAGE.goto($INPUT,...)
   - pattern-not: $PAGE.goto("...",...)

javascript/puppeteer/security/audit/puppeteer-setcontent-injection.yaml

@@ -12,10 +12,10 @@ rules:
   languages: [javascript, typescript]
   patterns:
   - pattern-inside: |
-      ...
       require('puppeteer');
       ...
   - pattern-not-inside: |
+      require('puppeteer');
       ...
       var $INPUT = "...";
       ...

javascript/sandbox/security/audit/sandbox-code-injection.yaml

@@ -12,7 +12,6 @@ rules:
     - sandbox
   patterns:
   - pattern-inside: |
-      ...
       $SANDBOX = require('sandbox');
       ...
   - pattern-not-inside: |

javascript/serialize-javascript/security/audit/unsafe-serialize-javascript.yaml

@@ -12,7 +12,6 @@ rules:
     - serialize-javascript
   patterns:
   - pattern-inside: |
-      ...
       $S = require('serialize-javascript');
       ...
   - pattern-not-inside: escape(...)

javascript/shelljs/security/shelljs-exec-injection.yaml

@@ -12,10 +12,10 @@ rules:
   languages: [javascript, typescript]
   patterns:
   - pattern-inside: |
-      ...
       require('shelljs');
       ...
   - pattern-not-inside: |
+      require('shelljs');
       ...
       var $INPUT = "...";
       ...

javascript/vm2/security/audit/vm2-code-injection.yaml

@@ -12,13 +12,13 @@ rules:
     - vm2
   patterns:
   - pattern-inside: |
-      ...
       require('vm2');
       ...
   - pattern-not-inside: |
       $CODE = "...";
       ...
   - pattern-not-inside: |
+      require('vm2');
       ...
       $CODE = new VMScript(...);
       ...

javascript/vm2/security/audit/vm2-context-injection.yaml

@@ -12,7 +12,6 @@ rules:
     - vm2
   patterns:
   - pattern-inside: |
-      ...
       $VM = require('vm2');
       ...
   - pattern-either:

javascript/wkhtmltoimage/security/audit/wkhtmltoimage-injection.yaml

@@ -12,7 +12,6 @@ rules:
   languages: [javascript, typescript]
   patterns:
   - pattern-inside: |
-      ...
       $WK = require('wkhtmltoimage');
       ...
   - pattern-not-inside: |

javascript/wkhtmltopdf/security/audit/wkhtmltopdf-injection.yaml

@@ -12,7 +12,6 @@ rules:
   languages: [javascript, typescript]
   patterns:
   - pattern-inside: |
-      ...
       $WK = require('wkhtmltopdf');
       ...
   - pattern-not-inside: |

python/django/best-practice/upsell_django_environ.yaml

@@ -1,8 +1,7 @@
 rules:
 - id: use-django-environ
   patterns:
-  - pattern-not: |
-      ...
+  - pattern-not-inside: |
       import environ
       ...
   - pattern-either:

python/django/security/injection/path-traversal/path-traversal-file-name.yaml

@@ -16,14 +16,16 @@ rules:
   - pattern-inside: |
       def $F(...):
         ...
-  - pattern-not: |
-      ...
-      os.path.realpath(...)
-      ...
-  - pattern-not: |
-      ...
-      os.path.abspath(...)
-      ...
+  - pattern-not-inside: |
+      def $F(...):
+        ...
+        os.path.realpath(...)
+        ...
+  - pattern-not-inside: |
+      def $F(...):
+        ...
+        os.path.abspath(...)
+        ...
   - pattern-either:
         # match % use cases
     - pattern: |