mcp-server-semgrep/semgrep-rules/javascript/bluebird/security/audit/tofastproperties-code-execution.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: tofastproperties-code-execution
  message: >-
    Potential arbitrary code execution, whatever is provided to `toFastProperties` is sent straight to
    eval()
  metadata:
    cwe:
    - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
    owasp:
    - A03:2021 - Injection
    category: security
    technology:
    - bluebird
    references:
    - http://bluebirdjs.com/docs/getting-started.html
    cwe2022-top25: true
    subcategory:
    - vuln
    likelihood: LOW
    impact: MEDIUM
    confidence: LOW
  languages:
  - javascript
  - typescript
  severity: WARNING
  mode: taint
  pattern-sources:
  - patterns:
    - pattern-inside: function ... (..., $ARG,...) {...}
    - focus-metavariable: $ARG
  pattern-sinks:
  - patterns:
    - pattern-either:
      - pattern: $UTIL.toFastProperties($SINK,...)
      - pattern: toFastProperties($SINK,...)
    - pattern-either:
      - pattern-inside: |
          $BB = require('bluebird');
          ...
      - pattern-inside: |
          import 'bluebird';
          ...
    - focus-metavariable: $SINK