mcp-server-semgrep/semgrep-rules/javascript/serialize-javascript/security/audit/unsafe-serialize-javascript.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: unsafe-serialize-javascript
  message: >-
    `serialize-javascript` used with `unsafe` parameter, this could be vulnerable to XSS.
  metadata:
    owasp:
    - A03:2021 - Injection
    cwe:
    - 'CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)'
    category: security
    technology:
    - serialize-javascript
    subcategory:
    - audit
    likelihood: LOW
    impact: MEDIUM
    confidence: LOW
    references:
    - https://owasp.org/Top10/A03_2021-Injection
  languages:
  - javascript
  - typescript
  severity: WARNING
  patterns:
  - pattern-inside: |
      $S = require('serialize-javascript');
      ...
  - pattern-not-inside: escape(...)
  - pattern-not-inside: encodeURI(...)
  - pattern: |
      $S(..., {unsafe: true});