r2c blog

Fast static analysis for the DevSecOps workflow

r2c is a startup passionate about improving software security and reliability. We make tools for security engineers, researchers, and hackers that simplify program analysis and make it accessible in the development workflow.

Not all attacks are equal: understanding and preventing DoS in web applications

by Jacob Kaplan-Moss

Modeling DoS attacks through attacker leverage

r2c meetup on writing Semgrep rules

by Pablo Estrada

Video from meetup hosted on August 26th

Type-awareness in semantic grep

by Emma Jin

How we’re making Semgrep patterns more precise with type support

How to prevent HTML email injection in Python web apps

by Grayson Hardaway

Avoid accidental HTML injection when sending emails from an application

Hardcoded secrets, unverified tokens, and other common JWT mistakes

by Vasilii Ermilov

Examining 2,000+ npm modules for common mistakes when using JWT

Be careful what you request for

by Grayson Hardaway

Injection using the HTTP verb in Django

Bay Area OWASP Meetup presentation

by Pablo Estrada

Video from the Bay Area OWASP Meetup on May 21

Semgrep: Stop grepping code

by Isaac Evans

Semgrep is an open-source tool that is like a code-aware grep

Pain-free Custom Linting: Why I moved from ESLint and Bandit to Semgrep

by Ulziibayar Otgonbaatar

An inside look at writing program analysis using Semgrep

Preventing SQL injection: a Django author's perspective

by Jacob Kaplan-Moss and Grayson Hardaway

The creator of Django on preventing SQL injection

Semgrep at Hella Secure HellaConf 2020

by Pablo Estrada

Video from Hella Secure’s virtual AppSec conference, HellaConf

Silicon Valley Cyber Security: Detect complex code patterns using semantic grep

by Pablo Estrada

Video from the Silicon Valley Cyber Security Meetup on April 9

Improving ReDoS detection and finding more bugs using Dlint and r2c

by Matt Schwager

Improving regular expression denial-of-service detection

SF Python: Writing robust Flask apps

by Pablo Estrada

Material from the presentation at the SF Python Virtual Meetup

Bento check: Detecting authentication credentials leaked over HTTP

by Grayson Hardaway

A check for the Requests library to detect credentials sent over HTTP

Bento 0.9: Checks for a high-severity Python vulnerability and Jinja templates

by Pablo Estrada

Catch a high-severity Python vuln and new checks for Jinja templates

Bento check: Catch catastrophic backtracking ReDoS bugs

by Matt Schwager

Find severe regular expression denial-of-service bugs in Python using Bento

Finding Python ReDoS bugs at scale using Dlint and r2c

by Matt Schwager

Automating regular expression denial-of-service detection

Bento 0.8: Updated workflows and new specialty checks

by Luke O'Malley

Changes to Bento’s default behavior integrate it more smoothly into your workflow

Using Bento individually and on team projects

by Pablo Estrada

Our learnings from user feedback and how to use Bento individually and on teams

Bento check: Securing your Flask routes with JWT decorators

by Sharon Lin

Check for missing authorization decorators in apps using JWTs

Bento check: Flask template files that aren’t autoescaped by default

by Grayson Hardaway

Detect possible XSS in unescaped Jinja templates used in Flask

Bento check: Use jsonify() instead of json.dumps() in Flask

by Grayson Hardaway

Find use of json.dumps() in Flask where jsonify() should be used instead

Bento check: Keeping your cookies safe in Flask

by Grayson Hardaway

Ensure cookie settings are set securely in Flask

Flask check: send_file() with a file handle

by Grayson Hardaway

Bento check to detect if send_file() will throw an exception

Our quest to make world-class security and bugfinding available to all developers, for free

by Isaac Evans

Introducing Bento, a free and opinionated toolkit for easily adopting linters and program analysis in a codebase

Three things your linter shouldn’t tell you

by Grayson Hardaway

How we’ve curated our code checks in Bento

DEF CON 27 workshop on finding vulnerabilities at scale

by Pablo Estrada

Material from our DEF CON workshop on finding vulnerabilities at ecosystem-scale

Surprising subtleties of Docker permissions

by Ash Zahlen

Our unique infrastructure leads to unique challenges related to how Docker interacts with filesystem permissions