mcp-server-semgrep/semgrep-rules/php/lang/security/exec-use.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: exec-use
  patterns:
  - pattern: $FUNC(...);
  - pattern-not: $FUNC('...', ...);
  - metavariable-regex:
      metavariable: $FUNC
      regex: exec|passthru|proc_open|popen|shell_exec|system|pcntl_exec
  message: >-
    Executing non-constant commands. This can lead to command injection.
  metadata:
    cwe:
    - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
    references:
    - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/SystemExecFunctionsSniff.php
    category: security
    technology:
    - php
    owasp:
    - A03:2021 - Injection
    cwe2022-top25: true
    subcategory:
    - audit
    likelihood: LOW
    impact: HIGH
    confidence: LOW
  languages: [php]
  severity: ERROR