.semgrep.yml (forked from wagtail/wagtail)

rules:
  - id: translation-no-new-style-formatting
    patterns:
      - pattern: $FUNC("$STRING_ID", ...)
      - metavariable-regex:
          metavariable: $FUNC
          regex: '_|gettext|gettext_lazy|ngettext|ngettext_lazy'
      - metavariable-regex:
          metavariable: $STRING_ID
          regex: ".*({(\\d*|[\\w_]*)}).*"
    message: |
      Do not use str.format style formatting for translations.
      Use printf style formatting with named placeholders instead.
      For example, do `_("Hello %(name)s") % {"name": "Wagtail"}`
      instead of `_("Hello {name}").format(name="Wagtail")`.
      See https://docs.wagtail.org/en/latest/contributing/translations.html#marking-strings-for-translation for more information.
    languages: [python, javascript, typescript]
    severity: ERROR
  - id: translation-no-f-strings
    patterns:
      - pattern: $FUNC(f"...", ...)
      - metavariable-regex:
          metavariable: $FUNC
          regex: '_|gettext|gettext_lazy|ngettext|ngettext_lazy'
    message: >
      Do not use formatted string literals for translations.
      Use printf style formatting with named placeholders instead.
      For example, do `_("Hello %(name)s") % {"name": "Wagtail"}`
      instead of `_(f"Hello {name}")`.
      See https://docs.wagtail.org/en/latest/contributing/translations.html#marking-strings-for-translation for more information.
    languages: [python]
    severity: ERROR
  - id: translation-no-anonymous-arguments
    patterns:
      - pattern: $FUNC("$STRING_ID", ...)
      - metavariable-regex:
          metavariable: $FUNC
          regex: '_|gettext|gettext_lazy|ngettext|ngettext_lazy'
      - metavariable-regex:
          metavariable: $STRING_ID
          regex: ".*%\\w.*"
    paths:
      exclude:
        - '/wagtail/test/numberformat.py'
    message: >
      Do not use anonymous placeholders for translations.
      Use printf style formatting with named placeholders instead,
      so that translators can reorder the placeholders.
      For example, do `_("Hello %(name)s") % {"name": "Wagtail"}`
      instead of `_("Hello %s") % "Wagtail"`.
      See https://docs.wagtail.org/en/latest/contributing/translations.html#marking-strings-for-translation for more information.
    languages: [python, javascript, typescript]
    severity: ERROR
  - id: translation-no-format-within-gettext-python
    patterns:
      - pattern: $FUNC("..." % ..., ...)
      - metavariable-regex:
          metavariable: $FUNC
          regex: '_|gettext|gettext_lazy|ngettext|ngettext_lazy'
    message: >
      Do not format the string before translating it,
      or the interpolated value becomes part of the message ID
      and the catalog lookup misses.
      Instead, interpolate after the call to gettext.
      For example, do `_("Hello %(name)s") % {"name": "Wagtail"}`
      instead of `_("Hello %(name)s" % {"name": "Wagtail"})`.
      See https://docs.wagtail.org/en/latest/contributing/translations.html#marking-strings-for-translation for more information.
    languages: [python]
    severity: ERROR
  - id: translation-no-format-within-gettext-javascript
    patterns:
      - pattern: $FUNC("...".replace(...), ...)
      - metavariable-regex:
          metavariable: $FUNC
          regex: '_|gettext|gettext_lazy|ngettext|ngettext_lazy'
    message: >
      Do not format the string before translating it,
      or the interpolated value becomes part of the message ID
      and the catalog lookup misses.
      Instead, interpolate after the call to gettext.
      For example, do `gettext("Hello %(name)s").replace("%(name)s", "Wagtail")`
      instead of `gettext("Hello %(name)s".replace("%(name)s", "Wagtail"))`.
      See https://docs.wagtail.org/en/latest/contributing/translations.html#marking-strings-for-translation for more information.
    languages: [javascript, typescript]
    severity: ERROR
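The five translation rules above all push code toward one shape, `_("... %(name)s ...") % {...}`. The script below is an added example, not part of the Wagtail repository or of this rules file: it replaces `django.utils.translation.gettext` with a constructed, dict-backed `_` so it runs offline, and shows what each banned form actually does at runtime. A pre-formatted message ID misses the catalog; positional `%s`/`%d` placeholders raise once a translator reorders them; and `str.format` lets a catalog entry walk attributes of the arguments, whereas `%`-formatting with a mapping can only look up literal keys and fails closed. The `CATALOG`, the French strings, the tampered entry and the `User` class are all constructed for the demo. A translation catalog is an input that arrives from outside the core code base, which is why the last point is worth seeing rather than just reading.

```python
"""Runtime behaviour of the forms the translation-* semgrep rules reject.

Added example, not Wagtail code. `_` is a stand-in for
django.utils.translation.gettext backed by a constructed dict.
"""

# Constructed catalog: msgid -> translation. The French entries reorder the
# placeholders (something translators routinely need to do); the two "Hello
# {user}" / "Hello %(user)s" entries imitate a tampered catalog entry.
CATALOG = {
    "Hello %(name)s": "Bonjour %(name)s",
    "%(count)d page(s) in %(section)s": "%(section)s : %(count)d page(s)",
    "%d page(s) in %s": "%s : %d page(s)",
    "Hello {user}": "Hello {user.password_hash}",
    "Hello %(user)s": "Hello %(user.password_hash)s",
}


def _(msgid):
    """Minimal gettext: exact lookup of the msgid, falling back to the msgid."""
    return CATALOG.get(msgid, msgid)


class User:
    """Constructed model object with one attribute that must never be rendered."""

    def __init__(self, username, password_hash):
        self.username = username
        self.password_hash = password_hash

    def __str__(self):
        return self.username


# 1. translation-no-format-within-gettext-python: interpolating before the
#    call makes the msgid dynamic, so the catalog lookup misses entirely.
def greet_ok(name):
    return _("Hello %(name)s") % {"name": name}


def greet_preformatted(name):
    return _("Hello %(name)s" % {"name": name})   # flagged by the rule


# 2. translation-no-anonymous-arguments: with positional placeholders the
#    translator cannot reorder without the arguments landing in the wrong slots.
def summary_named(count, section):
    return _("%(count)d page(s) in %(section)s") % {"count": count, "section": section}


def summary_positional(count, section):
    return _("%d page(s) in %s") % (count, section)   # flagged; TypeError in French


# 3. translation-no-new-style-formatting: str.format replacement fields may
#    use attribute/index access on the arguments, so a tampered catalog entry
#    can read data the caller never meant to expose. %-formatting with a
#    mapping only looks up the literal key and raises KeyError instead.
def greet_user_format(user):
    return _("Hello {user}").format(user=user)        # flagged by the rule


def greet_user_printf(user):
    return _("Hello %(user)s") % {"user": user}


def try_call(fn, *args):
    """Return fn(*args), or the exception class name if it raises."""
    try:
        return fn(*args)
    except Exception as exc:  # demo only: we want the class name, not a crash
        return type(exc).__name__


def compare_user_greetings():
    """(what str.format renders, what %-formatting does) for the tampered entries."""
    user = User("alice", "pbkdf2$constructed")
    return try_call(greet_user_format, user), try_call(greet_user_printf, user)


if __name__ == "__main__":
    print("ok          :", greet_ok("Wagtail"))
    print("preformatted:", greet_preformatted("Wagtail"))
    print("named       :", summary_named(3, "News"))
    print("positional  :", try_call(summary_positional, 3, "News"))
    fmt, printf = compare_user_greetings()
    print("str.format  :", fmt)
    print("%-mapping   :", printf)
```

Running `semgrep --config .semgrep.yml` over this file reports `greet_preformatted`, `summary_positional` and `greet_user_format`, and nothing else: `%(name)s` contains `%(`, which the `.*%\w.*` regex of translation-no-anonymous-arguments does not match, so the named forms pass. The `%`-mapping result is a `KeyError`, which is the desirable outcome here: a bad catalog entry breaks the page instead of leaking the argument's attributes.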
  - id: no-setattribute-style
    message: |
      Avoid setting inline styles using `element.setAttribute('style', ...)`.
      This approach triggers Content Security Policy (CSP) violations with strict
      policies. Modify CSS classes (e.g. `element.classList.add/remove()`) or
      change each style property directly (e.g. `element.style.width = '200px'`).
    languages: [javascript, typescript]
    severity: ERROR
    patterns:
      - pattern: $ELEMENT.setAttribute('style', $STYLE_STRING)
    paths:
      exclude:
        # External JS files that are not part of Wagtail
        - '/wagtail/contrib/table_block/static/table_block/js/vendor/*.js'
  - id: no-inline-or-internal-styles
    message: |
      Do not use inline (`style=...`) or internal (`<style>`) styles in HTML.
      Use CSS classes or data attributes with external CSS files instead for
      better Content Security Policy (CSP) compatibility.
    languages: [html]
    severity: ERROR
    pattern-either:
      - pattern: <$TAG ... style="$STYLE_CONTENT" ...>
      - pattern: <style ...>$CONTENT</style>
    paths:
      exclude:
        # Inline styles are necessary for email templates
        - '/wagtail/admin/templates/wagtailadmin/notifications/base.html'
        # See https://github.com/wagtail/wagtail/issues/12938
        - '/wagtail/embeds/templates/wagtailembeds/embed_frontend.html'
        # Only for testing purposes
        - '/wagtail/test/testapp/templates/tests/misc/calendar.html'
  - id: no-script-elements
    message: |
      Do not use inline <script> elements in HTML.
      Use external JS files instead for better Content Security Policy (CSP)
      compatibility.
    languages: [html]
    severity: ERROR
    patterns:
      - pattern: <script>$CONTENT</script>
      - pattern-not: <script src="$SRC" ...>$CONTENT</script>
    paths:
      exclude:
        # See https://github.com/wagtail/wagtail/issues/7915
        - '/wagtail/admin/templates/wagtailadmin/panels/inline_panel.html'
        - '/wagtail/admin/templates/wagtailadmin/panels/multiple_chooser_panel.html'
        - '/wagtail/contrib/search_promotions/templates/wagtailsearchpromotions/add.html'
        - '/wagtail/contrib/search_promotions/templates/wagtailsearchpromotions/edit.html'
        # See https://github.com/wagtail/wagtail/issues/8056
        - '/wagtail/admin/templates/wagtailadmin/widgets/date_input.html'
        - '/wagtail/admin/templates/wagtailadmin/widgets/datetime_input.html'
        - '/wagtail/admin/templates/wagtailadmin/widgets/time_input.html'