Semgrep rule to add warning to use MType (#2965)

prebid · Jul 31, 2023 · 02ff192 · 02ff192
1 parent 2c3ec84
commit 02ff192
Show file tree

Hide file tree

Showing 7 changed files with 187 additions and 0 deletions.
diff --git a/.semgrep/README.md b/.semgrep/README.md
@@ -0,0 +1,17 @@
+# Semgrep Test
+
+Running semgrep unit tests:
+```bash
+semgrep --test
+```
+
+
+Running single semgrep rules against adapter code:
+```bash
+semgrep --config=./adapter/{rule}.yml ../adapters/
+```
+
+Running all semgrep rules simultaneously:
+```bash
+semgrep --config=./adapter ../adapters/
+```
diff --git a/.semgrep/adapter/bid-type-if-check.go b/.semgrep/adapter/bid-type-if-check.go
@@ -0,0 +1,55 @@
+/*
+	bid-type-if-check tests
+	https://semgrep.dev/docs/writing-rules/testing-rules
+	"ruleid" prefix in comment indicates patterns that should be flagged by semgrep
+	"ok" prefix in comment indidcates  patterns that should not be flagged by the semgrep
+*/
+
+func getMediaTypeForImp(impID string, imps []openrtb2.Imp) openrtb_ext.BidType {
+	for _, imp := range imps {
+		if imp.ID == impID {
+			// ruleid: bid-type-if-check
+			if imp.Banner != nil {
+				return openrtb_ext.BidTypeBanner, nil
+				// ruleid: bid-type-if-check
+			} else if imp.Video != nil {
+				return openrtb_ext.BidTypeVideo, nil
+				// ruleid: bid-type-if-check
+			} else if imp.Native != nil {
+				return openrtb_ext.BidTypeNative, nil
+				// ruleid: bid-type-if-check
+			} else if imp.Audio != nil {
+				return openrtb_ext.BidTypeAudio, nil
+			}
+		}
+	}
+	return openrtb_ext.BidTypeBanner
+}
+
+func getMediaTypeForImp(impID string, imps []openrtb2.Imp) (openrtb_ext.BidType, error) {
+	for _, imp := range imps {
+		if imp.ID == impID {
+			// ruleid: bid-type-if-check
+			if imp.Banner != nil {
+				return openrtb_ext.BidTypeBanner, nil
+			}
+		}
+	}
+	return "", &errortypes.BadInput{
+		Message: fmt.Sprintf("Failed to find native/banner/video impression \"%s\" ", impID),
+	}
+}
+
+func getMediaTypeForImp(impID string, imps []openrtb2.Imp) (openrtb_ext.BidType, error) {
+	for _, imp := range imps {
+		if imp.ID == impID {
+			// ruleid: bid-type-if-check
+			if imp.Banner != nil {
+				return openrtb_ext.BidTypeBanner
+			}
+		}
+	}
+	return "", &errortypes.BadInput{
+		Message: fmt.Sprintf("Failed to find native/banner/video impression \"%s\" ", impID),
+	}
+}
diff --git a/.semgrep/adapter/bid-type-if-check.yml b/.semgrep/adapter/bid-type-if-check.yml
@@ -0,0 +1,19 @@
+rules:
+  - id: bid-type-if-check
+    message: The current implementation follows an anti-pattern, assumes that if there is a multi-format request, the media type defaults to $ORTBTYPE. Prebid server expects the media type to be explicitly set in the adapter response. Therefore, we strongly recommend implementing a pattern where the adapter server sets the [MType](https://github.com/prebid/openrtb/blob/main/openrtb2/bid.go#L334) field in the response to accurately determine the media type for the impression.
+    languages:
+      - go
+    severity: WARNING
+    patterns:
+      - pattern-inside: |
+          if $CONDITION != nil {
+            return $ORTBTYPE
+          }
+      - metavariable-pattern:
+          metavariable: $ORTBTYPE
+          patterns:
+            - pattern-either:
+                - pattern: openrtb_ext.$BIDTYPE
+            - metavariable-regex:
+                metavariable: $BIDTYPE
+                regex: BidType*
diff --git a/.semgrep/adapter/bid-type-switch-check.go b/.semgrep/adapter/bid-type-switch-check.go
@@ -0,0 +1,36 @@
+/*
+	bid-type-switch-check tests
+	https://semgrep.dev/docs/writing-rules/testing-rules
+	"ruleid" prefix in comment indicates patterns that should be flagged by semgrep
+	"ok" prefix in comment indidcates  patterns that should not be flagged by the semgrep
+*/
+
+// ruleid: bid-type-switch-check
+switch bidExt.AdCodeType {
+case "banner":
+	return openrtb_ext.BidTypeBanner, nil
+case "native":
+	return openrtb_ext.BidTypeNative, nil
+case "video":
+	return openrtb_ext.BidTypeVideo, nil
+}
+
+// ruleid: bid-type-switch-check
+switch impExt.Adot.MediaType {
+case string(openrtb_ext.BidTypeBanner):
+	return openrtb_ext.BidTypeBanner, nil
+case string(openrtb_ext.BidTypeVideo):
+	return openrtb_ext.BidTypeVideo, nil
+case string(openrtb_ext.BidTypeNative):
+	return openrtb_ext.BidTypeNative, nil
+}
+
+// ok: bid-type-switch-check
+switch bid.MType {
+case "banner":
+	return openrtb_ext.BidTypeBanner, nil
+case "native":
+	return openrtb_ext.BidTypeNative, nil
+case "video":
+	return openrtb_ext.BidTypeVideo, nil
+}
diff --git a/.semgrep/adapter/bid-type-switch-check.yml b/.semgrep/adapter/bid-type-switch-check.yml
@@ -0,0 +1,23 @@
+rules:
+  - id: bid-type-switch-check
+    message: The current implementation follows an anti-pattern, assumes that if there is a multi-format request, the media type defaults to $ORTBTYPE. Prebid server expects the media type to be explicitly set in the adapter response. Therefore, we strongly recommend implementing a pattern where the adapter server sets the [MType](https://github.com/prebid/openrtb/blob/main/openrtb2/bid.go#L334) field in the response to accurately determine the media type for the impression.
+    languages:
+      - go
+    severity: WARNING
+    patterns:
+      - pattern-inside: |
+          switch $BIDTYPE {
+          case ...:
+            return $ORTBTYPE, nil
+          }
+      - metavariable-regex:
+          metavariable: $BIDTYPE
+          regex: ^(?!bid\.MType$).*$
+      - metavariable-pattern:
+          metavariable: $ORTBTYPE
+          patterns:
+            - pattern-either:
+                - pattern: openrtb_ext.$W
+            - metavariable-regex:
+                metavariable: $W
+                regex: BidType*
diff --git a/.semgrep/adapter/parse-bid-type-check.go b/.semgrep/adapter/parse-bid-type-check.go
@@ -0,0 +1,29 @@
+/*
+	parse-bid-type-check tests
+	https://semgrep.dev/docs/writing-rules/testing-rules
+	"ruleid" prefix in comment indicates patterns that should be flagged by semgrep
+	"ok" prefix in comment indidcates  patterns that should not be flagged by the semgrep
+*/
+
+func getMediaTypeForBid(bid openrtb2.Bid) (openrtb_ext.BidType, error) {
+	if bid.Ext != nil {
+		var bidExt openrtb_ext.ExtBid
+		err := json.Unmarshal(bid.Ext, &bidExt)
+		if err == nil && bidExt.Prebid != nil {
+			// ruleid: parse-bid-type-check
+			return openrtb_ext.ParseBidType(string(bidExt.Prebid.Type))
+		}
+	}
+
+	return "", &errortypes.BadServerResponse{
+		Message: fmt.Sprintf("Failed to parse impression \"%s\" mediatype", bid.ImpID),
+	}
+}
+
+func getMediaTypeForBid(bid openrtb2.Bid) (openrtb_ext.BidType, error) {
+	var bidExt bidExt
+	// ruleid: parse-bid-type-check
+	bidType, err := openrtb_ext.ParseBidType(bidExt.Prebid.Type)
+
+	return bidType, err
+}
diff --git a/.semgrep/adapter/parse-bid-type-check.yml b/.semgrep/adapter/parse-bid-type-check.yml
@@ -0,0 +1,8 @@
+rules:
+  - id: parse-bid-type-check
+    message: The current implementation follows an anti-pattern, assumes that if there is a multi-format request, the media type defaults to $ORTBTYPE. Prebid server expects the media type to be explicitly set in the adapter response. Therefore, we strongly recommend implementing a pattern where the adapter server sets the [MType](https://github.com/prebid/openrtb/blob/main/openrtb2/bid.go#L334) field in the response to accurately determine the media type for the impression.
+    languages:
+      - go
+    severity: WARNING
+    patterns:
+      - pattern: openrtb_ext.ParseBidType(...)