mcp-server-semgrep
MCP Server for Semgrep Integration - static code analysis with AI
rules:
  - id: tainted-sql-string
    message: >-
      Detected user input used to manually construct a SQL string. This is
      usually bad practice because manual construction could accidentally result
      in a SQL injection. An attacker could use a SQL injection to steal or
      modify contents of the database. Instead, use a parameterized query which
      is available by default in most database engines. Alternatively, consider
      using an object-relational mapper (ORM) such as Sequelize which will
      protect your queries.
    metadata:
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      cwe:
        - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
      references:
        - https://owasp.org/www-community/attacks/SQL_Injection
      category: security
      technology:
        - express
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
    languages:
      - javascript
      - typescript
    severity: ERROR
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern-inside: function ... (...,$REQ, ...) {...}
          - pattern-either:
              - pattern: $REQ.query
              - pattern: $REQ.body
              - pattern: $REQ.params
              - pattern: $REQ.cookies
              - pattern: $REQ.headers
      - patterns:
          - pattern-either:
              - pattern-inside: >
                  (...,{ $REQ }: Request,...) =>
                  {...}
              - pattern-inside: |
                  (...,{ $REQ }: $EXPRESS.Request,...) => {...}
          - focus-metavariable: $REQ
          - pattern-either:
              - pattern: params
              - pattern: query
              - pattern: cookies
              - pattern: headers
              - pattern: body
    pattern-sinks:
      - patterns:
          - pattern-either:
              - patterns:
                  - pattern-either:
                      - pattern-inside: |
                          "$SQLSTR" + $EXPR
                      - pattern-inside: |
                          "$SQLSTR".concat($EXPR)
                      - pattern: util.format($SQLSTR, $EXPR)
                      - pattern: |
                          `$SQLSTR${$EXPR}...`
                  - metavariable-regex:
                      metavariable: $SQLSTR
                      regex: .*\b(?i)(select|delete|insert|create|update\s+.+\sset|alter|drop)\b.*
          - focus-metavariable: $EXPR
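The two Express handler shapes this rule tells apart, as an added example that is not part of the rule or the mcp-server-semgrep project: the request object is constructed, the handlers return the query they would hand to a driver instead of calling one, and the regex is the rule's own `$SQLSTR` check with the mid-pattern `(?i)` moved to a JavaScript `i` modifier (JavaScript's regex engine does not accept inline flags).

```javascript
// Constructed request: a perfectly legitimate name containing an apostrophe.
// No attack payload is needed to show why concatenation is wrong.
const sampleReq = { query: { name: "O'Brien" } };

// Vulnerable shape the rule reports: $REQ.query is a taint source, and it
// flows into a template literal whose literal prefix matches the SQL regex
// (the sink). The value is spliced into the SQL text itself.
function findUserUnsafe(req) {
  const text = `SELECT * FROM users WHERE name = '${req.query.name}'`;
  return { text, values: [] };
}

// Hardened shape the rule's message asks for: the SQL text is a constant and
// the request value travels separately in the parameter array, so no tainted
// data ever reaches a string that looks like SQL. (Placeholder syntax is the
// mysql2 style; pg uses $1, the separation is the same.)
function findUserSafe(req) {
  const text = 'SELECT * FROM users WHERE name = ?';
  return { text, values: [req.query.name] };
}

// Mirror of the rule's metavariable-regex on $SQLSTR. Note the deliberate
// asymmetry: a bare "update" does not count, only "update <table> set", which
// keeps the English word "update" in ordinary strings from triggering a match.
const SQL_LITERAL = /.*\b(select|delete|insert|create|update\s+.+\sset|alter|drop)\b.*/i;

function looksLikeSql(literal) {
  return SQL_LITERAL.test(literal);
}

// Does the request value appear inside the SQL text the driver would parse?
// True means the database cannot distinguish data from query structure.
function inputReachesSqlText(query, input) {
  return query.text.includes(input);
}
```

Run the unsafe handler on the sample request and the resulting text contains `'O'Brien'`, an unbalanced quote that already breaks the query before any hostile input is involved; the safe handler's text is unchanged and the name sits in `values`.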