mcp-server-semgrep

rules: - id: command-injection-process-builder pattern-either: - patterns: - pattern: | new ProcessBuilder($CMD,...) - pattern-not-inside: | $CMD = "..."; ... - pattern-not-inside: | $CMD = Arrays.asList("...",...); ... - pattern-not-inside: | $CMD = new String[]{"...",...}; ... - pattern-not: | new ProcessBuilder("...",...) - pattern-not: | new ProcessBuilder(new String[]{"...",...},...) - pattern-not: | new ProcessBuilder(Arrays.asList("...",...),...) - patterns: - pattern: | $PB.command($CMD,...) - pattern-inside: | $TYPE $PB = new ProcessBuilder(...); ... - pattern-not-inside: | $CMD = "..."; ... - pattern-not-inside: | $CMD = Arrays.asList("...",...); ... - pattern-not-inside: | $CMD = new String[]{"...",...}; ... - pattern-not: | $PB.command("...",...) - pattern-not: | $PB.command(new String[]{"...",...},...) - pattern-not: | $PB.command(Arrays.asList("...",...),...) - patterns: - pattern-either: - pattern: | new ProcessBuilder("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...) - pattern: | new ProcessBuilder("cmd","/c",$ARG,...) - pattern: | new ProcessBuilder(Arrays.asList("cmd","/c",$ARG,...),...) - pattern: | new ProcessBuilder(new String[]{"cmd","/c",$ARG,...},...) - patterns: - pattern-either: - pattern: | new ProcessBuilder($CMD,"/c",$ARG,...) - pattern: | new ProcessBuilder(Arrays.asList($CMD,"/c",$ARG,...),...) - pattern: | new ProcessBuilder(new String[]{$CMD,"/c",$ARG,...},...) - pattern-inside: | $CMD = "cmd"; ... - pattern-not-inside: | $ARG = "..."; ... - pattern-not: | new ProcessBuilder("...","...","...",...) - pattern-not: | new ProcessBuilder(new String[]{"...","...","...",...},...) - pattern-not: | new ProcessBuilder(Arrays.asList("...","...","...",...),...) - patterns: - pattern-either: - pattern: | $PB.command("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...) - pattern: | $PB.command("cmd","/c",$ARG,...) - pattern: | $PB.command(Arrays.asList("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...),...) - pattern: | $PB.command(Arrays.asList("cmd","/c",$ARG,...),...) - pattern: | $PB.command(new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...},...) - pattern: | $PB.command(new String[]{"cmd","/c",$ARG,...},...) - patterns: - pattern-either: - pattern: | $PB.command($CMD,"-c",$ARG,...) - pattern: | $PB.command(Arrays.asList($CMD,"-c",$ARG,...),...) - pattern: | $PB.command(new String[]{$CMD,"-c",$ARG,...},...) - pattern-inside: | $CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/"; ... - patterns: - pattern-either: - pattern: | $PB.command($CMD,"/c",$ARG,...) - pattern: | $PB.command(Arrays.asList($CMD,"/c",$ARG,...),...) - pattern: | $PB.command(new String[]{$CMD,"/c",$ARG,...},...) - pattern-inside: | $CMD = "cmd"; ... - pattern-inside: | $TYPE $PB = new ProcessBuilder(...); ... - pattern-not-inside: | $ARG = "..."; ... - pattern-not: | $PB.command("...","...","...",...) - pattern-not: | $PB.command(new String[]{"...","...","...",...},...) - pattern-not: | $PB.command(Arrays.asList("...","...","...",...),...) message: >- A formatted or concatenated string was detected as input to a ProcessBuilder call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized. metadata: cwe: - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" owasp: - A01:2017 - Injection - A03:2021 - Injection category: security technology: - java references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW severity: ERROR languages: - java