UNPKG

mcp-server-semgrep

Version:

MCP Server for Semgrep Integration - static code analysis with AI

github.com/Szowesgad/mcp-server-semgrep

Szowesgad/mcp-server-semgrep

105 lines (104 loc) 3.46 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
rules: - id: tainted-system-command languages: - java severity: ERROR mode: taint pattern-propagators: - pattern: (StringBuilder $STRB).append($INPUT) from: $INPUT to: $STRB label: CONCAT requires: INPUT pattern-sources: - patterns: - pattern-either: - pattern-inside: | $METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) { ... } - pattern-inside: | $METHODNAME(..., @$REQ $TYPE $SOURCE,...) { ... } - metavariable-regex: metavariable: $TYPE regex: ^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean)) - metavariable-regex: metavariable: $REQ regex: (RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute) - focus-metavariable: $SOURCE label: INPUT - patterns: - pattern-either: - pattern: $X + $SOURCE - pattern: $SOURCE + $Y - pattern: String.format("...", ..., $SOURCE, ...) - pattern: String.join("...", ..., $SOURCE, ...) - pattern: (String $STR).concat($SOURCE) - pattern: $SOURCE.concat(...) - pattern: $X += $SOURCE - pattern: $SOURCE += $X label: CONCAT requires: INPUT pattern-sinks: - patterns: - pattern-either: - pattern: | (Process $P) = new Process(...); - pattern: | (ProcessBuilder $PB).command(...); - patterns: - pattern-either: - pattern: | (Runtime $R).$EXEC(...); - pattern: | Runtime.getRuntime(...).$EXEC(...); - metavariable-regex: metavariable: $EXEC regex: (exec|loadLibrary|load) - patterns: - pattern: | (ProcessBuilder $PB).command(...).$ADD(...); - metavariable-regex: metavariable: $ADD regex: (add|addAll) - patterns: - pattern-either: - patterns: - pattern-inside: | $BUILDER = new ProcessBuilder(...); ... - pattern: $BUILDER.start(...) - pattern: | new ProcessBuilder(...). ... .start(...); requires: CONCAT message: >- Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder("ls", "-al", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands. metadata: cwe: - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" owasp: - A01:2017 - Injection - A03:2021 - Injection category: security technology: - java - spring confidence: HIGH references: - https://www.stackhawk.com/blog/command-injection-java/ - https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html - https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: HIGH