UNPKG

mcp-server-semgrep

Version:

MCP Server for Semgrep Integration - static code analysis with AI

github.com/Szowesgad/mcp-server-semgrep

Szowesgad/mcp-server-semgrep

59 lines (58 loc) 2.33 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
rules: - id: dangerous-asyncio-create-exec mode: taint pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... pattern-sinks: - patterns: - focus-metavariable: $CMD - pattern-either: - pattern: asyncio.create_subprocess_exec($PROG, $CMD, ...) - pattern: asyncio.create_subprocess_exec($PROG, [$CMD, ...], ...) - pattern: asyncio.subprocess.create_subprocess_exec($PROG, $CMD, ...) - pattern: asyncio.subprocess.create_subprocess_exec($PROG, [$CMD, ...], ...) - pattern: asyncio.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $CMD, ...) - pattern: asyncio.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $CMD, ...], ...) - pattern: asyncio.subprocess.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $CMD, ...) - pattern: asyncio.subprocess.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $CMD, ...], ...) message: >- Detected 'create_subprocess_exec' function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. metadata: owasp: - A01:2017 - Injection - A03:2021 - Injection cwe: - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.8 OS Command Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' references: - https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec - https://docs.python.org/3/library/shlex.html category: security technology: - python cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM languages: - python severity: ERROR