Rule: OpenAI isConsequential flag set to false for state changing operation in OpenAPI spec

[aabashkin]

New Rule

Language: YAML
Technology: OpenAPI Spec (OAS), OpenAI
Description: OpenAI isConsequential flag set to false for state changing operation in OpenAPI spec

[0xDC0DE]

Hi @aabashkin, thanks for your contribution, this rule looks fine! if CI passes, we can merge this PR.

[aabashkin]

Thanks, one unit test is failing, let me fix that and then we are good to go

[aabashkin]

@0xDC0DE please review and approve thanks

[0xDC0DE]

This rule is great as-is, and you can merge it if you want. But allow me to also suggest an improvement if you still feel up for it and want to improve your rule-writing skills 💪

Right now your rule marks a large block of code. You could narrow the marking to the specific line. You can always test this in the playground. (I wanted to add links, but it seems like there's a bug in the playground that messes up the yaml formatting when I save the rule, I've reported it to our engineers.)

Use pattern additionally with pattern-inside:

patterns:
  - pattern-either:
      - pattern-inside: |
          post:
            ...
      - pattern-inside: |
          put:
            ...
      - pattern-inside: |
          patch:
            ...
      - pattern-inside: |
          delete:
            ...
  - pattern: |
        x-openai-isConsequential: false

This means you'll need to update the test syntax, because we are now marking the exact line of the x-openai-isConsequential: false and not the start of the post, put etc block. For example:

    delete:
      operationId: deleteEmailById
      # ruleid: openai-consequential-action-false
      x-openai-isConsequential: false
      summary: Delete Email
      description: Delete a specific email.

Even better would be narrowing your marking to the false. This can be achieved with a focus-metavariable operator. You don't have a metavariable yet to focus on, so we have to introduce one and make a silly regex that only allows "false". But this results in a very narrow and specific marking. This also allows you to write a very trivial autofix pattern!

      - pattern: |
          x-openai-isConsequential: $FALSE
      - metavariable-regex:
          metavariable: $FALSE
          regex: (false)
      - focus-metavariable: $FALSE
    fix: |
      true

Now that I've introduced metavariable-regex to you, you might see how we can simplify the pattern-insides with it as well. Final result:

    patterns:
      - pattern-inside: |
          $HTTP_METHOD:
            ...
      - metavariable-regex:
          metavariable: $HTTP_METHOD
          regex: (post|put|patch|delete)
      - pattern: |
          x-openai-isConsequential: $FALSE
      - metavariable-regex:
          metavariable: $FALSE
          regex: (false)
      - focus-metavariable: $FALSE
    fix: |
      true

If you'v read till here, you've mastered some advanced Semgrep rule-writing techniques! 🎈

[0xDC0DE]

@aabashkin Do you want to update the rule, or should I merge the PR as is?

[aabashkin]

@0xDC0DE sure I could update it. Do you think it would generate a performance benefit?

[aabashkin]

@0xDC0DE I'm on vacation for the next 2 weeks, I will revisit this once I return

[0xDC0DE]

@aabashkin I hope you had a great vacation! Let me know if you're still up to improve this rule, or I should merge it as is!

[aabashkin]

@0xDC0DE thanks for the bump. I still plan to improve it. Standby 🙂

[0xDC0DE]

@aabashkin I am merging this and closing the PR. If you still want to make changes, feel free to open a new PR in the future.