UNPKG

mcp-server-semgrep

Version:

MCP Server for Semgrep Integration - static code analysis with AI

github.com/Szowesgad/mcp-server-semgrep

Szowesgad/mcp-server-semgrep

95 lines (94 loc) 3.1 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
rules: - id: js-open-redirect message: >- The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead two types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection. options: interfile: true metadata: interfile: true cwe: - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" owasp: - A01:2021 - Broken Access Control asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.1 Insecue Redirect control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation version: '4' category: security confidence: HIGH references: - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html technology: - browser subcategory: - vuln likelihood: HIGH impact: MEDIUM languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern: | new URLSearchParams($WINDOW. ... .location.search).get('...') - pattern: | new URLSearchParams(location.search).get('...') - pattern: | new URLSearchParams($WINDOW. ... .location.hash.substring(1)).get('...') - pattern: | new URLSearchParams(location.hash.substring(1)).get('...') - patterns: - pattern-either: - pattern-inside: | $PROPS = new URLSearchParams($WINDOW. ... .location.search) ... - pattern-inside: | $PROPS = new URLSearchParams(location.search) ... - pattern-inside: | $PROPS = new URLSearchParams($WINDOW. ... .location.hash.substring(1)) ... - pattern-inside: | $PROPS = new URLSearchParams(location.hash.substring(1)) ... - pattern: $PROPS.get('...') - patterns: - pattern-either: - pattern-inside: | $PROPS = new URL($WINDOW. ... .location.href) ... - pattern-inside: | $PROPS = new URL(location.href) ... - pattern: $PROPS.searchParams.get('...') - patterns: - pattern-either: - pattern: | new URL($WINDOW. ... .location.href).searchParams.get('...') - pattern: | new URL(location.href).searchParams.get('...') pattern-sinks: - patterns: - pattern-either: - pattern: location.href = $SINK - pattern: $THIS. ... .location.href = $SINK - pattern: location.replace($SINK) - pattern: $THIS. ... .location.replace($SINK) - pattern: location = $SINK - pattern: $WINDOW. ... .location = $SINK - focus-metavariable: $SINK - metavariable-pattern: patterns: - pattern-not: | "..." + $VALUE - pattern-not: | `...${$VALUE}` metavariable: $SINK