mcp-server-semgrep

rules: - id: express-insecure-template-usage message: User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability. options: interfile: true metadata: interfile: true category: security cwe: - 'CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine' owasp: - A03:2021 - Injection - A01:2017 - Injection references: - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html technology: - javascript - typescript - express - pug - jade - dot - ejs - nunjucks - lodash - handlbars - mustache - hogan.js - eta - squirrelly source_rule_url: - https://github.com/github/codeql/blob/2ba2642c7ab29b9eedef33bcc2b8cd1d203d0c10/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM languages: - javascript - typescript severity: WARNING mode: taint pattern-propagators: - pattern: $MODEL.$FIND($E).then((...,$S,...)=>{...}) from: $E to: $S pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - pattern-either: - patterns: - pattern-either: - pattern-inside: | $PUG = require('pug') ... - pattern-inside: | import * as $PUG from 'pug' ... - pattern-inside: | $PUG = require('jade') ... - pattern-inside: | import * as $PUG from 'jade' ... - pattern-either: - pattern: $PUG.compile(...) - pattern: $PUG.compileClient(...) - pattern: $PUG.compileClientWithDependenciesTracked(...) - pattern: $PUG.render(...) - patterns: - pattern-either: - pattern-inside: | $PUG = require('dot') ... - pattern-inside: | import * as $PUG from 'dot' ... - pattern-either: - pattern: $PUG.template(...) - pattern: $PUG.compile(...) - patterns: - pattern-either: - pattern-inside: | $PUG = require('ejs') ... - pattern-inside: | import * as $PUG from 'ejs' ... - pattern-either: - pattern: $PUG.render(...) - patterns: - pattern-either: - pattern-inside: | $PUG = require('nunjucks') ... - pattern-inside: | import * as $PUG from 'nunjucks' ... - pattern-either: - pattern: $PUG.renderString(...) - patterns: - pattern-either: - pattern-inside: | $PUG = require('lodash') ... - pattern-inside: | import * as $PUG from 'lodash' ... - pattern-either: - pattern: $PUG.template(...) - patterns: - pattern-either: - pattern-inside: | $PUG = require('mustache') ... - pattern-inside: | import * as $PUG from 'mustache' ... - pattern-inside: | $PUG = require('eta') ... - pattern-inside: | import * as $PUG from 'eta' ... - pattern-inside: | $PUG = require('squirrelly') ... - pattern-inside: | import * as $PUG from 'squirrelly' ... - pattern-either: - pattern: $PUG.render(...) - patterns: - pattern-either: - pattern-inside: | $PUG = require('hogan.js') ... - pattern-inside: | import * as $PUG from 'hogan.js' ... - pattern-inside: | $PUG = require('handlebars') ... - pattern-inside: | import * as $PUG from 'handlebars' ... - pattern-either: - pattern: $PUG.compile(...)