semgrep.config.yaml

rules:
- id: nan-injection
  message: Found user input going directly into typecast for bool(), float(), or complex(). This allows an
    attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior,
    particularly when doing comparisons. Either cast to a different type, or add a guard checking for
    all capitalizations of the string 'nan'.
  languages:
  - python
  severity: ERROR
  mode: taint
  pattern-sources:
  - pattern-either:
    - pattern: flask.request.$SOMETHING.get(...)
    - pattern: flask.request.$SOMETHING[...]
    - patterns:
      - pattern-inside: |
          @$APP.route(...)
          def $FUNC(..., $ROUTEVAR, ...):
            ...
      - pattern: $ROUTEVAR
  pattern-sinks:
  - pattern-either:
    - pattern: float(...)
    - pattern: bool(...)
    - pattern: complex(...)
  pattern-sanitizers:
  - not_conflicting: true
    pattern: $ANYTHING(...)
  metadata:
    references:
    - https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868
    - https://blog.bitdiscovery.com/2021/12/python-nan-injection/
    category: security
    cwe:
    - 'CWE-704: Incorrect Type Conversion or Cast'
    technology:
    - flask
    subcategory:
    - vuln
    impact: MEDIUM
    likelihood: MEDIUM
    confidence: MEDIUM