mcp-server-semgrep/semgrep-rules/generic/nginx/security/dynamic-proxy-scheme.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: dynamic-proxy-scheme
  paths:
    include:
    - '*.conf'
    - '*.vhost'
    - sites-available/*
    - sites-enabled/*
  languages:
  - generic
  severity: WARNING
  message: >-
    The protocol scheme for this proxy is dynamically determined.
    This can be dangerous if the scheme can be injected by an
    attacker because it may forcibly alter the connection scheme.
    Consider hardcoding a scheme for this proxy.
  metadata:
    cwe:
    - 'CWE-16: CWE CATEGORY: Configuration'
    references:
    - https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md
    category: security
    technology:
    - nginx
    confidence: MEDIUM
    owasp:
    - A06:2017 - Security Misconfiguration
    - A05:2021 - Security Misconfiguration
    subcategory:
    - audit
    likelihood: LOW
    impact: LOW
  pattern: proxy_pass $$SCHEME:// ...;