mcp-server-semgrep/semgrep-rules/javascript/thenify/security/audit/multiargs-code-execution.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: multiargs-code-execution
  message: >-
    Potential arbitrary code execution, piped to eval
  metadata:
    cwe:
    - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
    owasp:
    - A03:2021 - Injection
    category: security
    technology:
    - thenify
    cwe2022-top25: true
    subcategory:
    - audit
    likelihood: LOW
    impact: HIGH
    confidence: LOW
    references:
    - https://owasp.org/Top10/A03_2021-Injection
  languages:
  - javascript
  - typescript
  severity: WARNING
  patterns:
  - pattern-either:
    - pattern: |
        $THENIFY($FN, {multiArgs: ...},...)
    - pattern: |
        $OPTS = {multiArgs: ...};
        ...
        $THENIFY($FN,$OPTS,...);
  - pattern-not: |
      $THENIFY($FN, {multiArgs: false},...)
  - pattern-not: |
      $OPTS = {multiArgs: false};
      ...
      $THENIFY($FN,$OPTS,...)
  - pattern-either:
    - pattern-inside: |
        $THENIFY = require('thenify');
        ...
    - pattern-inside: |
        import 'thenify';
        ...