11 Semgrep Rules for Go Web Projects
- 16 minutes read - 3305 wordsI’ve mentioned semgrep a few times in recent articles, and I thought it would be good to introduce this new(ish) tool and demonstrate a few rules that you can use to find problems in your Go web apps.
At the end of this article you will:
- understand what semgrep is and what it can do
- have some idea of the limits of semgrep’s power
- have some rules that you can immediately apply to your own projects
Fair warning: I am not a semgrep expert by any stretch of the imagination. If you are, and you think these rules can be improved, please drop a note to brian at universalglue.dev.
Semgrep isn’t named for semaphore flags… but it does offer a pretty good signal.
What is semgrep anyway?
Semgrep is a static analysis tool that allows users to write custom rules that match against patterns found in source code. The tool comes with rules to detect errors – especially security errors – in multiple languages. It has support for a bunch of programming languages including Go.
There is an interactive tutorial that I highly recommend. It only takes a few minutes to go through it.
For this article, I’m just going to show rules and sample code that exercises the rules. Installation is simple. It has a python cli, and can be installed into a python virtual environment in your local directory (this “just worked” for me on debian and ubuntu systems):
$ python3 -m venv ./venv
$ . .venv/bin/activate
(.venv) $ pip install semgrep
(.venv) $ semgrep --version
We’ll put all of our rules and sample code in a rules/ directory:
(.venv) $ mkdir rules
Rule 1: AbortWithStatus Should Immediately be Followed by return
Last week I mentioned that calling c.AbortWithStatus without calling return is an easy error to make when writing a gin handler. Let’s see how we can catch that error with a simple semgrep rule.
At the top level of this rule is patterns, which means that all the chid
elements must match.
The first child is pattern-either, which will match if any of its
children match. Its children are simple patterns that match any of the
AbortWithXXX function calls we want to make sure are followed by a
return.
The next three children are pattern-not-inside. If any of these patterns
are present in the code, the child will fail to match, and the toplevel
will not match.
The overall effect of this rule is to say “if any of these match BUT not if any of these other things match”, then log a warning.
Here is rules/abortwithstatus-followed-by-return.yaml:
---
rules:
- id: abortwithstatus-followed-by-return
languages: [go]
message: c.AbortWithError, AbortWithStatus, and AbortWithStatusJSON should always be followed by return
severity: WARNING
patterns:
- pattern-either:
- pattern: $C.AbortWithError(...)
- pattern: $C.AbortWithStatus(...)
- pattern: $C.AbortWithStatusJSON(...)
- pattern-not-inside: |
$C.AbortWithError(...)
return
- pattern-not-inside: |
$C.AbortWithStatus(...)
return
- pattern-not-inside: |
$C.AbortWithStatusJSON(...)
return
We can test rules by putting some code in a file of the same name but with
the target extension. In comments in the file we identify each line that
should trigger with ruleid: and the name of the rule. On lines that
should not trigger, use ok: and the name of the rule. The test runner
will ensure that lines preceded by the former comments trigger reports, and
none of lines with the latter comments trigger reports.
Run tests like this:
(.venv) $ semgrep -q --test rules
✓ All tests passed!
(Yes, it’s almost too meta that there are tests for what are almost like tests. But it’s a handy way to make sure the rule works, especially while learning how to use the tool.)
Here is rules/abortwithstatus-followed-by-return.go:
package main
import (
"log"
"net/http"
"github.com/gin-gonic/gin"
)
func test1(c *gin.Context) {
// ok: abortwithstatus-followed-by-return
c.AbortWithError(http.StatusInternalServerError)
return
}
func test2(c *gin.Context) {
// ruleid: abortwithstatus-followed-by-return
c.AbortWithError(http.StatusInternalServerError)
log.Printf("asdf")
}
func test3(c *gin.Context) {
if true {
// ok: abortwithstatus-followed-by-return
c.AbortWithStatus(http.StatusBadRequest)
return
}
}
func test4(c *gin.Context) {
if false {
// ruleid: abortwithstatus-followed-by-return
c.AbortWithStatus(http.StatusInternalServerError)
log.Printf("asdf")
}
}
func test5(c *gin.Context) {
// ok: abortwithstatus-followed-by-return
c.AbortWithStatusJSON(http.StatusInternalServerError)
return
}
func test6(c *gin.Context) {
// ruleid: abortwithstatus-followed-by-return
c.AbortWithStatusJSON(http.StatusInternalServerError)
log.Printf("asdf")
}
func test7(c *gin.Context) {
// ruleid: abortwithstatus-followed-by-return
c.AbortWithStatusJSON(http.StatusInternalServerError)
log.Printf("other stuff in between is not allowed")
return
}
Rule 2: Handler Naming Scheme Enforcement
If I don’t have a strong naming scheme, my function names tend to end up a jumbled mix. This rule shows how to enforce a naming scheme.
The first pattern matches a Gin handler function. Note the use of a
metavariable $FUNC to match the function name.
The second pattern applies to that regex. It uses pattern-not-regex to
match (triggering a warning) whenever the function name does not match
the given pattern.
Even if you hate my naming scheme, hopefully this is clear enough that you can implement a rule for whatever you prefer.
This goes in rules/handler-naming.yaml, with tests in
rules/handler-naming.go:
---
rules:
- id: handler-naming
languages: [go]
message: Naming of handlers should be <thing><CrudAction><Method>
severity: WARNING
patterns:
- pattern: |
func $FUNC($C *gin.Context) {
...
}
- metavariable-pattern:
metavariable: $FUNC
patterns:
# Regex alternatives avoid having a name like thingDeleteDelete...
- pattern-not-regex: "^[a-z]+((Index|Show|New|Edit)(Get|Post|Patch)|Delete)$"
package main
import (
"github.com/gin-gonic/gin"
)
// missing http method
// ruleid: handler-naming
func fooIndex(c *gin.Context) {}
// missing crudAction
// ruleid: handler-naming
func bookGet(c *gin.Context) {}
// useless repetition
// ruleid: handler-naming
func thingDeleteDelete(c *gin.Context) {}
// XXX consider allowing exported handlers
// ruleid: handler-naming
func ThingIndexGet(c *gin.Context) {}
// ok: handler-naming
func thingIndexGet(c *gin.Context) {}
// ok: handler-naming
func thingShowGet(c *gin.Context) {}
// ok: handler-naming
func thingNewPost(c *gin.Context) {}
// ok: handler-naming
func thingEditPatch(c *gin.Context) {}
// ok: handler-naming
func thingDelete(c *gin.Context) {}
// ok: handler-naming
func AnythingGoes() {}
Rule 3: r.GET/r.POST use correct handler
Email subscribers know that using snippets can greatly reduce copy-paste errors, but if you’re someone who hasn’t jumped on the snippet bandwagon yet, you might still occasionally make a copy-paste error.
One area I’ve made this mistake is when adding a new route. It’s easy, just copy-paste an existing route, change a couple of things, and you’re done… unless you forget to change the handler name, and you connect a new POST route to an existing GET handler.
This is very likely to be caught in tests, but it might be convenient to have a rule to warn you before you have to catch it in a test.
The first child says that this should only match inside a handler function.
Note that it uses the metavariable $R to match the router variable. This
is used below.
The second child says that either of its children can match. And then each
of those children is also a list of subpatterns that all must match. The
first subpattern matches on a call to the router’s ($R) GET method,
capturing the $HANDLER function name in a metavariable. And then there’s
a metavariable subpattern that will match (triggering a warning) if that
handler does not match a regex, in this case ending with “Get”, which the
previous rule requires that all GET handlers match.
A similar pair of rules handles POST handlers. Adding rules and tests for the other methods you have in your app is left as a fun exercise for the reader.
This goes in rules/route-handlers.yaml and rules/route-handlers.go:
---
rules:
- id: route-handlers
languages: [go]
message: Make sure route handler functions match the method
severity: WARNING
patterns:
- pattern-inside: |
func $FUNC($R *gin.Engine) {
...
}
- pattern-either:
- patterns:
- pattern: $R.GET(..., $HANDLER)
- metavariable-pattern:
metavariable: $HANDLER
patterns:
- pattern-not-regex: "Get$"
- patterns:
- pattern: $R.POST(..., $HANDLER)
- metavariable-pattern:
metavariable: $HANDLER
patterns:
- pattern-not-regex: "Post$"
package main
import "gin-gonic/gin"
func setupRoutes(r *gin.Engine) {
// ruleid: route-handlers
r.POST("/blah", blahIndexGet)
// ruleid: route-handlers
r.GET("/blah", blahIndexPost)
// ruleid: route-handlers
r.GET("/blah", blahIndexHandler)
// ok: route-handlers
r.POST("/blah", blahIndexPost)
// ok: route-handlers
r.GET("/blah", blahIndexGet)
}
Rule 4: Templates Match Naming Scheme
Just like with handler functions, it’s easy to end up with templates that have apparently random naming conventions.
It’s also pretty easy to enforce a convention. Note that this rule uses the
generic language – which is still an experimental part of semgrep.
This rule enforces a two-level template naming scheme.
The first pattern-inside only allows matches inside a template. Note that
this only matches on a two-level template. If you have one- or three-level
templates then it won’t match. It also won’t match if you have a “.html”
suffix in the template name. Adjust as needed for your codebase.
The metavariable-regex uses a negative lookahead assertion – it won’t
match if this template is in the base directory. This is where I keep
templates that build the foundation of other templates. If you have other
directories like this, or “special” directories, you could add them to this
regex so they don’t trigger the rule.
The last pattern uses another negative lookahead to avoid matching when the page conforms to the allowed list of template types.
This rule is pretty rigid – a real-world app would need to be more flexible. But this gives a demonstration of how such a rule can work.
Put this in rules/template-naming.yaml and rules/template-naming.html:
---
rules:
- id: template-naming
languages: [generic]
paths:
include:
- "*.html"
message: html template does not conform to naming scheme
severity: WARNING
patterns:
- pattern-inside: |
{{ define "$DIR/$PAGE" }}
...
{{ end }}
- metavariable-regex:
metavariable: $DIR
regex: (?!base)
- metavariable-regex:
metavariable: $PAGE
regex: '(?!^(delete|edit|new|list|show)$)'
// ok: template-naming
{{ define "base/blah" }} anything {{ end }}
// ruleid: template-naming
{{ define "thing/blah" }} anything {{ end }}
// ok: template-naming
{{ define "stuff/new" }} anything {{ end }}
Rule 5: Templates Contain Header/Footer
Except for templates in base/, we want all templates to include the
header and footer. If we have a reliable semgrep rule for this, we don’t
have to add tests that look for a fragment from the header and footer in
all the pages.
As with the previous rule, this also uses the generic language.
The first pattern matches inside a (two level) template and the second
pattern avoids matching in the base directory.
The third pattern-not-inside avoids matching (and thus avoids triggering
a warning) if the template incudes both a header at the top and a footer at
the bottom. If we wanted to be slightly more flexible with the placement
(eg. allowing other content above the header or below the footer) we could
add ellipses above the header or below the footer.
It’s also worth noting that semgrep’s generic language will only match
ten lines with an ellipsis. I’ve got five in this rule, so this will work
with templates up to 50 lines long. This works for me but you may need to
adjust if you have very long templates.
This goes in rules/template-header-footer.yaml and
rules/template-header-footer.html:
rules:
- id: template-header-footer
languages: [generic]
paths:
include:
- "*.html"
message: html templates include header+footer
severity: WARNING
patterns:
- pattern-inside: |
{{ define "$DIR/$PAGE" }}
...
{{ end }}
- metavariable-regex:
metavariable: $DIR
regex: (?!base)
- pattern-not-inside: |
{{ define "$DIR/$PAGE" }}
{{ template "base/header" . }}
... ... ... ... ...
{{ template "base/footer" . }}
{{ end }}
// ok: template-header-footer
{{ define "base/blah" }}
anything
{{ end }}
// ruleid: template-header-footer
{{ define "thing/blah" }}
anything
{{ end }}
// ok: template-header-footer
{{ define "stuff/new" }}
{{ template "base/header" . }}
anything
{{ template "base/footer" . }}
{{ end }}
// ruleid: template-header-footer
{{ define "stuff/new" }}
anything
{{ template "base/footer" . }}
{{ end }}
// ruleid: template-header-footer
{{ define "stuff/new" }}
{{ template "base/header" . }}
anything
{{ end }}
Rule 6: Templates Post to Self
In the article on handling forms in Gin, I showed a form that is loaded from /books/new and is posted to
/books/new. That pattern is something we’ll see show up in multiple
places.
This is another place where copy-paste errors can show up: if you copy a
template from, say, /books/new into /authors/new and forget to change
the action= attribute in the form, then your app will have a bug. You can
catch this with a test, but you have to explicitly remember to add a
fragment looking for the correct action= in every form.
Here’s a rule that uses patterns similar to what I’ve shown in previous rules to enforce a convention that all forms must post to the route that matches the template in which they are contained.
Put this in rules/template-posts-to-self.yaml and
rules/template-posts-to-self.html:
---
rules:
- id: template-posts-to-self
languages: [generic]
paths:
include:
- "*.html"
message: html template form should post to itself
severity: WARNING
patterns:
- pattern-inside: |
{{ define "$DIR/$TEMPLATE" }}
...
{{ end }}
- pattern: <form action="...">...</form>
- pattern-not: <form action="/$DIR/$TEMPLATE">...</form>
{{ define "abc/xyz" }}
<!-- ok: template-posts-to-self -->
<form action="/abc/xyz"></form>
<!-- ruleid: template-posts-to-self -->
<form action="/mno/xyz"></form>
<!-- ruleid: template-posts-to-self -->
<form action="abc/xyz"></form>
<!-- ruleid: template-posts-to-self -->
<form action="xyz"></form>
{{ end }}
Rule 7: Label Must Have Matching Input
Another convention is that every <label> must have an <input> with a
matching name and id. Enforcing this in a test requires fragments for
every label and name, and requires the html to conform to rigid matching,
which makes them more fragile. (Or for the tests to use regex matching
against the fragments, which makes them more complex.)
Note in the tests that the label and input are allowed to have other
attributes before the for=, name=, and id=. This makes the rule less
prone to false-positives. The extra pattern-not with the attributes in
reversed order allows them to appear in the template in either order.
These go in rules/template-label-has-input.yaml and
rules/template-label-has-input.html:
---
rules:
- id: template-label-has-input
languages: [generic]
paths:
include:
- "*.html"
message: html template label must have corresponding input
severity: WARNING
patterns:
- pattern-inside: |
<label ... for="$NAME" ...>...</label>
...
- pattern: <input ...>
- pattern-not: <input ... name="$NAME" ... id="$NAME" ...>
- pattern-not: <input ... id="$NAME" ... name="$NAME" ...>
{{ define "abc" }}
<form action="/mno/xyz">
<label for="aaa">Aaa</label>
<!-- ok: template-label-has-input -->
<input type="text" name="aaa" id="aaa">
<label class="my-label" for="aaa">Aaa</label>
<!-- ok: template-label-has-input -->
<input name="aaa" type="text" class="xyz" id="aaa">
<label class="my-label" for="aaa">Aaa</label>
<!-- ok: template-label-has-input -->
<input id="aaa" name="aaa" type="text" class="xyz">
<label for="aaa">Aaa</label>
<!-- ruleid: template-label-has-input -->
<input type="text" name="bbb" id="aaa">
<label for="aaa">Aaa</label>
<!-- ruleid: template-label-has-input -->
<input type="text" name="aaa" id="bbb">
<label for="aaa">Aaa</label>
<!-- ruleid: template-label-has-input -->
<input type="text" name="aaa">
<label for="aaa">Aaa</label>
<!-- ruleid: template-label-has-input -->
<input type="text" id="aaa">
</form>
{{ end }}
Rule 8: Tests Use t.Parallel
The final three rules enforce some conventions in test code.
The first convention is that all tests call t.Parallel. The rule does
this by matching on any test function, where “test function” is defined as
a function taking a single *testing.T argument.
Two pattern-not are use to exclude code that properly calls t.Parallel
as the first statement in the function, and to exclude helper functions
that call t.Helper.
Put these in rules/tests-are-parallel.yaml and
rules/tests-are-parallel.go:
---
rules:
- id: tests-are-parallel
languages: [go]
message: test cases must call t.Parallel
severity: WARNING
patterns:
- pattern: |
func $F($T *testing.T) {
...
}
- pattern-not: |
func $F($T *testing.T) {
$T.Parallel()
...
}
- pattern-not: |
func $F($T *testing.T) {
$T.Helper()
...
}
package main
import (
"log"
"testing"
)
// ruleid: tests-are-parallel
func test1(t *testing.T) {
// Note: parallel must be called.
}
// ruleid: tests-are-parallel
func test2(t *testing.T) {
// Note: parallel has to be called first.
log.Print("abc")
t.Parallel()
}
// ok: tests-are-parallel
func test3(t *testing.T) {
// Note: parallel is called first. This is ok.
t.Parallel()
log.Print("abc")
}
// ruleid: tests-are-parallel
func testHelper1(t *testing.T) {
// Note: helper has to be called first.
log.Print("abc")
t.Helper()
}
// ok: tests-are-parallel
func testHelper2(t *testing.T) {
// Note: helper is called first. This is ok.
t.Helper()
log.Print("abc")
}
Rule 9: Helper Functions Never Return Error
Another convention for tests is that helper functions should not return errors.
This can be enforced with a rule that matches any function that has
*testing.T in the argument list, calls t.Helper, and returns error.
The ellipses (..., $T *testing.T, ...) in the argument list will match if
the *testing.T is anywhere in the argument list. In theory this should
also work in the return list, but when I was building this rule I found
what appears to be a semgrep
bug – in the second
pattern shown it doesn’t match error anywhere in the return list, it only
matches in that specific position. If the linked bug is fixed, this rule
would match more flexibly and it should only need the second pattern.
Here are rules/test-helpers-dont-return-error.yaml and
rules/test-helpers-dont-return-error.go:
---
rules:
- id: test-helpers-dont-return-error
languages: [go]
message: test helpers must not return error
severity: WARNING
pattern-either:
- pattern: |
func $F(..., $T *testing.T, ...) error {
$T.Helper()
...
}
# XXX The pattern below doesn't work the way it should. See
# https://github.com/returntocorp/semgrep/issues/4896
- pattern: |
func $F(..., $T *testing.T, ...) (..., error, ...) {
$T.Helper()
...
}
package main
import (
"testing"
)
// ruleid: test-helpers-dont-return-error
func testHelper1(t *testing.T) error {
t.Helper()
return nil
}
// ok: test-helpers-dont-return-error
func testHelper2(t *testing.T) int {
t.Helper()
return 0
}
// ok: test-helpers-dont-return-error
func testHelper2(t *testing.T) {
t.Helper()
}
Rule 10: t.Error + t.FailNow should be t.Fatal
This rule enforces a maintenance nit: instead of calling t.Error
followed by t.FailNow, instead just call t.Fatal. It uses
pattern-either to enforce this against four different flavors of the same
code construct.
Put these in rules/error-failnow-fatal.yaml and
rules/error-failnow-fatal.go:
---
rules:
- id: error-failnow-fatal
languages: [go]
message: t.Error or t.Log followed by t.FailNow should just call t.Fatal
severity: WARNING
pattern-either:
- pattern: |
$T.Error(...)
$T.FailNow()
- pattern: |
$T.Errorf(...)
$T.FailNow()
- pattern: |
$T.Log(...)
$T.FailNow()
- pattern: |
$T.Logf(...)
$T.FailNow()
package main
import "testing"
func test1(t *testing.T) {
// ruleid: error-failnow-fatal
t.Error("abc")
t.FailNow()
}
func test2(t *testing.T) {
// ruleid: error-failnow-fatal
t.Errorf("%s", "abc")
t.FailNow()
}
func test3(t *testing.T) {
// ruleid: error-failnow-fatal
t.Log("abc")
t.FailNow()
}
func test4(t *testing.T) {
// ruleid: error-failnow-fatal
t.Logf("%s", "abc")
t.FailNow()
}
Rule 11: Naming Conventions for Handler Tests
This is just another naming convention. Let’s assume that any test that
calls postHasStatus or getHasStatus is a handler-testing function. We
can enforce that handler test names use a parallel construction to the
handler functions.
The rule works by matching on test functions, where a $HELPER is called,
and that helper matches a regex. If we add other similar helper functions
we can add them to this regex.
The final regex match against $FUNC is similar to the regex in rule 2
above. Note that it is not anchored at the end, so that if multiple
functions are needed to test a given handler they can be given unique
suffixes.
Here are rules/test-handler-naming.yaml and
rules/test-handler-naming.go:
---
rules:
- id: test-handler-naming
languages: [go]
message: Naming of tests for handlers should be test<Thing><CrudAction><Method><Any>
severity: WARNING
patterns:
- pattern-inside: |
func $FUNC($T *testing.T) {
...
$HELPER($T, ...)
...
}
- metavariable-regex:
metavariable: $HELPER
regex: "(post|get)HasStatus"
- metavariable-regex:
metavariable: $FUNC
regex: "^test(?!([A-Z][a-zA-Z]*)(Index|Show|New|Edit)(Delete|Get|Patch|Post))"
package main
import "testing"
// Doesn't match because it doesn't use getHasStatus/postHasStatus.
// ok: test-handler-naming
func testFoo(t *testing.T) {}
// Has all the parts.
// ok: test-handler-naming
func testThingIndexGet(t *testing.T) {
getHasStatus(t)
}
// Has all the parts, plus extra.
// ok: test-handler-naming
func testThingIndexGetStuff(t *testing.T) {
getHasStatus(t)
}
// Has Thing, but missing crud+method.
// ruleid: test-handler-naming
func testFoo(t *testing.T) {
getHasStatus(t)
}
// Missing "Thing"
// ruleid: test-handler-naming
func testIndexGet(t *testing.T) {
getHasStatus(t)
}
// Missing method
// ruleid: test-handler-naming
func testThingIndex(t *testing.T) {
getHasStatus(t)
}
// Wrong order for crud+method
// ruleid: test-handler-naming
func testThingGetIndex(t *testing.T) {
getHasStatus(t)
}
Coming Up
On Friday we will integrate the tool and these rules into our book tracking project. (Including fixing up some code that conform to the conventions.)
Next week will look at Gin validation and error reporting.