# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
---
# Semgrep rules that flag a storage lookup whose result is used — a field or
# method access on it, or passing it to another call — without an intervening
# nil comparison. Every rule has the same shape: a pattern-either on the two
# kinds of use, followed by pattern-not clauses naming the guards that are
# accepted.
# NOTE(review): the rules assume a missing key yields a nil value together with
# a nil error, so checking $ERR alone does not protect the later use — confirm
# against the Storage and NamespaceByID contracts.
rules:
  # logical.Storage.Get
  - id: nil-check-logical-storage
    patterns:
      - pattern-either:
          # field or method access on the returned value
          - pattern: |
              $VAR, $ERR = ($S : logical.Storage).Get(...)
              ...
              $VAR.$FOO
          # returned value passed on to some other function
          - pattern: |
              $VAR, $ERR = ($S : logical.Storage).Get(...)
              ...
              $FUNC2(..., $VAR, ...)
      # accepted guards: an if whose condition contains $VAR == nil or
      # $VAR != nil anywhere (deep expression match)
      - pattern-not: |
          $VAR, $ERR = ($S : logical.Storage).Get(...)
          ...
          if <... $VAR == nil ...> {
            ...
          }
          ...
      - pattern-not: |
          $VAR, $ERR = ($S : logical.Storage).Get(...)
          ...
          if <... $VAR != nil ...> {
            ...
          }
          ...
    message: missed nil check
    languages:
      - go
    severity: ERROR

  # physical.Storage.Get — same shape as the logical.Storage rule
  - id: nil-check-physical-storage
    patterns:
      - pattern-either:
          - pattern: |
              $VAR, $ERR = ($S : physical.Storage).Get(...)
              ...
              $VAR.$FOO
          - pattern: |
              $VAR, $ERR = ($S : physical.Storage).Get(...)
              ...
              $FUNC2(..., $VAR, ...)
      - pattern-not: |
          $VAR, $ERR = ($S : physical.Storage).Get(...)
          ...
          if <... $VAR == nil ...> {
            ...
          }
          ...
      - pattern-not: |
          $VAR, $ERR = ($S : physical.Storage).Get(...)
          ...
          if <... $VAR != nil ...> {
            ...
          }
          ...
    message: missed nil check
    languages:
      - go
    severity: ERROR

  # NamespaceByID — the id is kept as-is even though it names physical storage;
  # changing it would presumably break existing suppressions that refer to it
  - id: nil-check-physical-storage-by-nsid
    patterns:
      - pattern-either:
          - pattern: |
              $VAR, $ERR = NamespaceByID(...)
              ...
              $VAR.$FOO
          - pattern: |
              $VAR, $ERR = NamespaceByID(...)
              ...
              $FUNC2(..., $VAR, ...)
      - pattern-not: |
          $VAR, $ERR = NamespaceByID(...)
          ...
          if <... $VAR == nil ...> {
            ...
          }
          ...
      - pattern-not: |
          $VAR, $ERR = NamespaceByID(...)
          ...
          if <... $VAR != nil ...> {
            ...
          }
          ...
      # special case: the activity log routes the namespace through
      # includeInResponse, which carries its own nil handling
      - pattern-not: |
          $VAR, $ERR = NamespaceByID(...)
          ...
          if a.includeInResponse(..., $VAR) {
            ...
          }
          ...
    message: missed nil check
    languages:
      - go
    severity: ERROR

  # Catch-all: any receiver whose name matches the storage-ish regex below.
  # This one also accepts a switch on the value as a guard.
  - id: nil-check-logical-storage-regex
    paths:
      exclude:
        # Contains a legitimate pattern the rule cannot express yet; excluded
        # until the rule can be tightened
        - "vault/ui.go"
    patterns:
      - pattern-either:
          - pattern: |
              $VAR, $ERR = $STORAGE.Get(...)
              ...
              $VAR.$FOO
          - pattern: |
              $VAR, $ERR = $STORAGE.Get(...)
              ...
              $FUNC2(..., $VAR, ...)
      - pattern-not: |
          $VAR, $ERR = $STORAGE.Get(...)
          ...
          if <... $VAR == nil ...> {
            ...
          }
          ...
      - pattern-not: |
          $VAR, $ERR = $STORAGE.Get(...)
          ...
          if <... $VAR != nil ...> {
            ...
          }
          ...
      - pattern-not: |
          $VAR, $ERR = $STORAGE.Get(...)
          ...
          switch $VAR {
          case ...
          }
          ...
      # restrict $STORAGE to receivers that look like a storage handle
      - metavariable-regex:
          metavariable: $STORAGE
          regex: ((.*)Storage|(.*)\.s|(.*)\.barrier|(.*)\.view|(.*)\.barrierView|(.*)\.physical|(.*)\.underlying)
    message: missed nil check
    languages:
      - go
    severity: ERROR