mcp-server-semgrep
MCP Server for Semgrep Integration - static code analysis with AI
```yaml
rules:
- id: var-in-script-src
  message: >-
    Detected a template variable used as the 'src' in a script tag.
    Although template variables are HTML escaped, HTML
    escaping does not always prevent malicious URLs from being injected
    and could result in a cross-site scripting (XSS) vulnerability.
    Prefer not to dynamically generate the 'src' attribute and use static
    URLs instead. If you must do this, carefully check URLs against an
    allowlist and be sure to URL-encode the result.
  metadata:
    cwe:
    - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
    owasp:
    - A07:2017 - Cross-Site Scripting (XSS)
    - A03:2021 - Injection
    references:
    - https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/?utm_campaign=Django%2BNewsletter&utm_medium=rss&utm_source=Django_Newsletter_12A
    - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough
    - https://github.com/ESAPI/owasp-esapi-js
    category: security
    technology:
    - html-templates
    confidence: LOW
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - audit
    likelihood: LOW
    impact: MEDIUM
  languages:
  - generic
  paths:
    include:
    - '*.mustache'
    - '*.hbs'
    - '*.html'
  severity: WARNING
  patterns:
  - pattern-inside: <script ...>
  - pattern-not-inside: src = '...'
  - pattern-not-inside: src = "..."
  - pattern-not-inside: nonce = '...'
  - pattern-not-inside: nonce = "..."
  - pattern: '{{ ... }}'
```
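The rule message says HTML escaping is not enough for a script `src` and recommends an allowlist plus URL encoding. The following is an added illustration, not code from the rule or the mcp-server-semgrep project: a Mustache-style escaper that leaves a `javascript:` URL untouched, beside a `safeScriptSrc` check that only passes `https` URLs on hypothetical allowlisted hosts (`cdn.example.com`, `static.example.com` are constructed values).

```javascript
// Added example; not part of the Semgrep rule or the mcp-server-semgrep project.

// Minimal HTML escaper of the kind Mustache/Handlebars apply to {{ var }}.
// It neutralises markup characters only, so it does nothing to a URL scheme.
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Hosts scripts may be loaded from (constructed, hypothetical values).
const ALLOWED_SCRIPT_HOSTS = new Set(['cdn.example.com', 'static.example.com']);

// Returns a normalised, percent-encoded https URL on an allowlisted host,
// or null when the value must not be used as a script src.
function safeScriptSrc(value) {
  let url;
  try {
    url = new URL(String(value)); // no base: relative strings are rejected here
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null;          // drops javascript:, data:, http:
  if (!ALLOWED_SCRIPT_HOSTS.has(url.hostname)) return null;
  if (url.username || url.password) return null;       // no credentials in a src
  // href re-serialises the URL with percent-encoding applied to path/query,
  // which is the "URL-encode the result" step from the rule message.
  return url.href;
}

// Emit the <script> tag only from a vetted URL; otherwise emit nothing.
function renderScriptTag(value) {
  const src = safeScriptSrc(value);
  if (src === null) return '';
  return `<script src="${htmlEscape(src)}"></script>`;
}
```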