semgrep/semgrep

named match group in metavariable-regex causes duplication of matches

jagprog5 opened this issue · 0 comments

Using a metavariable-regex with a named match group erroneously duplicates reported matches.

semgrep v1.70.0 via playground.

Rule:

rules:
  - id: id-here
    languages:
      - csharp
    severity: WARNING
    message: CipherMode $MODE detected
    patterns:
      - metavariable-regex:
          metavariable: $METHOD
          regex: \A(?:Encrypt|Try(?:Encrypt|Decrypt))(?P<MODE>.+)\Z
      - pattern: (System.Security.Cryptography.SymmetricAlgorithm $OBJ).$METHOD(...)

Test code:

using System.Security.Cryptography;

class Program {
    static void Main() {
        SymmetricAlgorithm sym = Aes.Create();
        ReadOnlySpan<byte> read_only_span = new ReadOnlySpan<byte>();
        sym.EncryptCbc(read_only_span, read_only_span);
    }
}

Output:

Line 7: CipherMode $MODE detected
Line 7: CipherMode Cbc detected

Expected Output:

Line 7: CipherMode Cbc detected

What is the priority of the bug to you?

  • P0: blocking your adoption of Semgrep or workflow
  • P1: important to fix or quite annoying
  • P2: regular bug that should get fixed
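
A post-processing workaround for the duplicate shown under Output above, as an added example that is not part of the original issue or of Semgrep's own code: it drops a finding whose message still contains a raw metavariable such as `$MODE` only when an interpolated finding exists for the same rule and source range. It assumes the duplicates also appear in `semgrep --json` results with identical ranges; the sample JSON, the path `Program.cs`, the column numbers and the function names are constructed for illustration.

```python
import json
import re

# A metavariable name left uninterpolated in a message, e.g. "$MODE".
UNBOUND = re.compile(r"\$[A-Z_][A-Z_0-9]*")

# Constructed sample in the shape of `semgrep --json` output, mirroring the
# two findings reported in the issue (path and columns are made up).
SAMPLE = json.dumps({"results": [
    {"check_id": "id-here", "path": "Program.cs",
     "start": {"line": 7, "col": 9}, "end": {"line": 7, "col": 55},
     "extra": {"message": "CipherMode $MODE detected"}},
    {"check_id": "id-here", "path": "Program.cs",
     "start": {"line": 7, "col": 9}, "end": {"line": 7, "col": 55},
     "extra": {"message": "CipherMode Cbc detected"}},
]})


def location_key(result):
    """Rule id plus exact source range: assumed identical for the duplicates."""
    s, e = result["start"], result["end"]
    return (result["check_id"], result["path"],
            s["line"], s["col"], e["line"], e["col"])


def drop_unbound_duplicates(results):
    """Drop a finding whose message has an unbound metavariable only when a
    fully interpolated finding exists for the same rule and range."""
    bound_keys = {location_key(r) for r in results
                  if not UNBOUND.search(r["extra"]["message"])}
    kept, seen = [], set()
    for r in results:
        key = location_key(r)
        msg = r["extra"]["message"]
        if UNBOUND.search(msg) and key in bound_keys:
            continue  # the interpolated twin carries the same finding
        if (key, msg) in seen:
            continue  # exact repeat of an already kept finding
        seen.add((key, msg))
        kept.append(r)
    return kept


if __name__ == "__main__":
    for r in drop_unbound_duplicates(json.loads(SAMPLE)["results"]):
        print(f'Line {r["start"]["line"]}: {r["extra"]["message"]}')
```

A finding with an unbound metavariable and no interpolated twin is kept, so the filter never hides the only report for a location.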