From d8070822d7b73d23cad6fde571291602f95ad496 Mon Sep 17 00:00:00 2001
From: Nikolay Eskov
Date: Sat, 8 Mar 2025 03:37:15 +0300
Subject: [PATCH] Add semgrep rule 'if-inplace-func-incorrect-nil-err-return'.
---
...inplace-func-incorrect-nil-err-return.yaml | 47 +++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 .semgrep/rules/if-inplace-func-incorrect-nil-err-return.yaml
diff --git a/.semgrep/rules/if-inplace-func-incorrect-nil-err-return.yaml b/.semgrep/rules/if-inplace-func-incorrect-nil-err-return.yaml
new file mode 100644
index 000000000..7df04b4c0
--- /dev/null
+++ b/.semgrep/rules/if-inplace-func-incorrect-nil-err-return.yaml
@@ -0,0 +1,47 @@
+rules:
+ - id: if-inplace-func-incorrect-nil-err-return
+ languages: [go]
+ severity: WARNING
+ message: |
+ WARNING: A local variable '$ERR' is checked for nil, but a different variable is returned.
+ Ensure that the returned variable is the one that was checked or properly wrapped!
+ patterns:
+ - metavariable-regex:
+ metavariable: $ERR
+ regex: .*(?i)err # using .* to allow prefixes, because regex matching is left anchored.
+
+ - pattern: |
+ if $ERR := $FUNC(...); $ERR != nil {
+ ...
+ return ..., $OTHERERR
+ }
+
+ - pattern-not: |
+ if $ERR := $FUNC(...); $ERR != nil {
+ ...
+ return ..., $ERR
+ }
+ - pattern-not: |
+ if $ERR := $FUNC(...); $ERR != nil {
+ ...
+ return ..., $ANYFUNC(..., $ERR, ...)
+ }
+ - pattern-not: |
+ if $ERR := $FUNC(...); $ERR != nil {
+ ...
+ return ..., $ANYFUNC(..., $ANYFUNC1(..., $ERR, ...), ...)
+ }
+ - pattern-not: |
+ if $ERR := $FUNC(...); $ERR != nil {
+ ...
+ $NEWERR := $ANYFUNC(..., $ERR, ...)
+ ...
+ return nil, $NEWERR
+ }
+ - pattern-not: |
+ if $ERR := $FUNC(...); $ERR != nil {
+ ...
+ $NEWERR := $ANYFUNC(..., $ERR, ...)
+ ...
+ return ..., $ANYFUNC1(..., $NEWERR, ...)
+ }
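Review bot: The fourth `pattern-not` exclusion ends in `return nil, $NEWERR`, while every other pattern in the rule uses `return ..., <expr>`, so a correctly wrapped error returned beside a non-nil first value (a constructed example: `return 0, newErr`) would presumably still be reported; `return ..., $NEWERR` would make the exclusion consistent with its siblings. The inline flag in `regex: .*(?i)err` sits in the middle of the pattern, which some regex engines reject or warn about; `(?i).*err` expresses the same match with the flag at the start. The commit adds only the rule file, so a small Go fixture annotated with `// ruleid:` and `// ok:` comments would pin which returns are meant to be flagged and guard the exclusions against regressions.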