mcp-server-semgrep/semgrep-rules/php/lang/security/deserialization.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: extract-user-data
  mode: taint
  pattern-sources:
  - pattern-either:
    - pattern: $_GET[...]
    - pattern: $_FILES[...]
    - pattern: $_POST[...]
  pattern-sinks:
  - pattern: extract(...)
  pattern-sanitizers:
  - pattern: extract($VAR, EXTR_SKIP,...)
  message: Do not call 'extract()' on user-controllable data. If you must, then you must also provide
    the EXTR_SKIP flag to prevent overwriting existing variables.
  languages:
  - php
  metadata:
    category: security
    cwe:
    - 'CWE-502: Deserialization of Untrusted Data'
    owasp:
    - A08:2017 - Insecure Deserialization
    - A08:2021 - Software and Data Integrity Failures
    technology:
    - php
    references:
    - https://www.php.net/manual/en/function.extract.php#refsect1-function.extract-notes
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - vuln
    likelihood: MEDIUM
    impact: MEDIUM
    confidence: MEDIUM
  severity: ERROR