Ensure paths.include patterns are as intended ahead of semgrep fixes (#3630)

We're aligning paths.include/exclude behavior with Semgrepignore v2
which follows the Gitignore spec. The trick is that a glob pattern that
contains a slash between two segments is now left-anchored i.e. it's the
same as if it were starting with a slash as per the Gitignore spec. In
these cases, the leading slash is optional but I'm adding it to make the
intention clearer to readers. Examples of affected patterns include `a/b`
and `a/*` but not `a/**`.
I identified three kinds of rules that had such patterns in this repo:
- Wordpress: wp-content/plugins -> **/wp-content/plugins
- Nginx: sites-available/* -> **/sites-available/*
- GitHub Actions: .github/workflows -> /.github/workflows
I'm confident that the GitHub Actions folder is only at the Git project
root. I'm not sure about Wordpress or Nginx projects, so
I'm erring on the side of caution by prepending `**/`.

Co-authored-by: Kurt Boberg <[email protected]>

Author: mjambon

generic/nginx/security/alias-path-traversal.yaml

@@ -14,8 +14,8 @@ rules:
     include:
     - '*.conf'
     - '*.vhost'
-    - sites-available/*
-    - sites-enabled/*
+    - '**/sites-available/*'
+    - '**/sites-enabled/*'
   fix-regex:
     regex: location\s+([A-Za-z0-9/-_\.]+)
     replacement: location \1/

generic/nginx/security/dynamic-proxy-host.yaml

@@ -4,8 +4,8 @@ rules:
     include:
     - '*.conf'
     - '*.vhost'
-    - sites-available/*
-    - sites-enabled/*
+    - '**/sites-available/*'
+    - '**/sites-enabled/*'
   languages:
   - generic
   severity: WARNING

generic/nginx/security/dynamic-proxy-scheme.yaml

@@ -4,8 +4,8 @@ rules:
     include:
     - '*.conf'
     - '*.vhost'
-    - sites-available/*
-    - sites-enabled/*
+    - '**/sites-available/*'
+    - '**/sites-enabled/*'
   languages:
   - generic
   severity: WARNING

generic/nginx/security/header-injection.yaml

@@ -10,8 +10,8 @@ rules:
     include:
     - '*.conf'
     - '*.vhost'
-    - sites-available/*
-    - sites-enabled/*
+    - '**/sites-available/*'
+    - '**/sites-enabled/*'
   languages:
   - generic
   severity: ERROR

generic/nginx/security/header-redefinition.yaml

@@ -18,8 +18,8 @@ rules:
     include:
     - '*.conf'
     - '*.vhost'
-    - sites-available/*
-    - sites-enabled/*
+    - '**/sites-available/*'
+    - '**/sites-enabled/*'
   languages:
   - generic
   severity: WARNING

generic/nginx/security/insecure-redirect.yaml

@@ -11,8 +11,8 @@ rules:
     include:
     - '*.conf'
     - '*.vhost'
-    - sites-available/*
-    - sites-enabled/*
+    - '**/sites-available/*'
+    - '**/sites-enabled/*'
   message: >-
     Detected an insecure redirect in this nginx configuration.
     If no scheme is specified, nginx will forward the request with the

generic/nginx/security/insecure-ssl-version.yaml

@@ -10,8 +10,8 @@ rules:
     include:
     - '*.conf'
     - '*.vhost'
-    - sites-available/*
-    - sites-enabled/*
+    - '**/sites-available/*'
+    - '**/sites-enabled/*'
   languages:
   - generic
   severity: WARNING

generic/nginx/security/missing-internal.yaml

@@ -23,8 +23,8 @@ rules:
     include:
     - '*.conf'
     - '*.vhost'
-    - sites-available/*
-    - sites-enabled/*
+    - '**/sites-available/*'
+    - '**/sites-enabled/*'
   languages:
   - generic
   severity: WARNING

generic/nginx/security/missing-ssl-version.yaml

@@ -7,8 +7,8 @@ rules:
     include:
     - '*.conf'
     - '*.vhost'
-    - sites-available/*
-    - sites-enabled/*
+    - '**/sites-available/*'
+    - '**/sites-enabled/*'
   languages:
   - generic
   severity: WARNING

generic/nginx/security/possible-h2c-smuggling.yaml

@@ -41,8 +41,8 @@ rules:
     include:
     - '*.conf'
     - '*.vhost'
-    - sites-available/*
-    - sites-enabled/*
+    - '**/sites-available/*'
+    - '**/sites-enabled/*'
   metadata:
     cwe:
     - "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"