mcp-server-semgrep
MCP Server for Semgrep Integration - static code analysis with AI
YAML
rules:
  - id: password-empty-string
    message: >-
      '$VAR' is the empty string and is being used to set the password on '$MODEL'.
      If you meant to set an unusable password, set the password to None or call
      'set_unusable_password()'.
    metadata:
      cwe:
        - 'CWE-521: Weak Password Requirements'
      owasp:
        - A07:2021 - Identification and Authentication Failures
      references:
        - https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password
      category: security
      technology:
        - django
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
    patterns:
      - pattern-either:
          - pattern: |
              $MODEL.set_password($EMPTY)
              ...
              $MODEL.save()
          - pattern: |
              $VAR = $EMPTY
              ...
              $MODEL.set_password($VAR)
              ...
              $MODEL.save()
      - metavariable-regex:
          metavariable: $EMPTY
          regex: (\'\'|\"\")
    languages: [python]
    severity: ERROR
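To make concrete what the two patterns above match and what they leave alone, here is an added example (not part of this page, the mcp-server-semgrep project, or Semgrep itself): a small pure-Python checker built on the standard `ast` module that mimics the rule, run over a constructed Django-style snippet. It approximates Semgrep's matcher rather than reproducing it: the rule's `...` operator is more general than "later in the same statement list", and Semgrep's own constant propagation is not modelled. The function names, the finding format and the sample source are assumptions made for this illustration.

```python
"""Toy checker for the password-empty-string rule: flags Django set_password()
calls that receive an empty string and are followed by .save() on the same
object. Added illustration in plain Python ast, not the Semgrep engine."""
import ast


def _is_empty_str(node):
    """True for the literal '' or "" (both parse to the same Constant)."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value == ""


def _calls_in(stmt):
    """Yield Call nodes that belong to stmt itself, without descending into
    nested statement blocks (each block is scanned as its own sequence)."""
    stack = [stmt]
    while stack:
        node = stack.pop()
        if isinstance(node, ast.Call):
            yield node
        for child in ast.iter_child_nodes(node):
            if not isinstance(child, ast.stmt):
                stack.append(child)


def _scan_block(stmts, findings):
    """Apply both rule patterns to one ordered list of statements."""
    empty_vars = set()   # source text of targets assigned '' so far ($VAR = $EMPTY)
    pending = []         # set_password hits waiting for a later $MODEL.save()
    for stmt in stmts:
        if isinstance(stmt, ast.Assign) and _is_empty_str(stmt.value):
            empty_vars.update(ast.unparse(t) for t in stmt.targets)
        for call in _calls_in(stmt):
            if not isinstance(call.func, ast.Attribute):
                continue
            model = ast.unparse(call.func.value)
            if call.func.attr == "save" and not call.args and not call.keywords:
                # Pattern tail: $MODEL.save() completes any pending hit on this receiver
                done = [p for p in pending if p["model"] == model]
                for hit in done:
                    pending.remove(hit)
                    findings.append(hit)
            elif call.func.attr == "set_password" and len(call.args) == 1:
                arg = call.args[0]
                if _is_empty_str(arg):
                    via = "''"                  # pattern 1: literal empty string
                elif ast.unparse(arg) in empty_vars:
                    via = ast.unparse(arg)      # pattern 2: variable bound to ''
                else:
                    continue
                pending.append({"model": model, "line": call.lineno, "via": via})


def find_empty_password_sets(source):
    """Return findings as dicts {model, line, via}, sorted by line."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        for field in ("body", "orelse", "finalbody"):
            block = getattr(node, field, None)
            if isinstance(block, list) and block and isinstance(block[0], ast.stmt):
                _scan_block(block, findings)
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample input (hypothetical Django code, not from any real project).
SAMPLE_SOURCE = '''\
from django.contrib.auth.models import User

def make_service_account(username):
    user = User.objects.create(username=username)
    user.set_password("")          # flagged by pattern 1 (line 5)
    user.save()

def make_placeholder(username):
    pw = ''
    user = User(username=username)
    user.set_password(pw)          # flagged by pattern 2 (line 11)
    user.save()

def make_unusable(username):
    user = User(username=username)
    user.set_unusable_password()   # the fix the rule message recommends: not flagged
    user.save()

def set_without_save(username):
    user = User(username=username)
    user.set_password("")          # no later user.save(): neither pattern completes
'''

if __name__ == "__main__":
    for hit in find_empty_password_sets(SAMPLE_SOURCE):
        print(f"line {hit['line']}: {hit['model']}.set_password({hit['via']}) then {hit['model']}.save()")
```

Running the checker on the sample reports lines 5 and 11 only; the `set_unusable_password()` variant and the `set_password("")` with no subsequent `save()` are left alone, which is the same outcome the Semgrep rule produces for these shapes. The checker is also deliberately syntactic, like the rule: it does not notice if `pw` is reassigned between `pw = ''` and `set_password(pw)`.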