UNPKG

mcp-server-semgrep

Version:

MCP Server for Semgrep Integration - static code analysis with AI

github.com/Szowesgad/mcp-server-semgrep

Szowesgad/mcp-server-semgrep

39 lines (38 loc) 1.22 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
rules: - id: html-magic-method message: >- The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method. metadata: cwe: - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection references: - https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#conditional_escape - https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5 category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW languages: - python severity: WARNING patterns: - pattern-inside: | class $CLASS(...): ... - pattern: | def __html__(...): ...