
mcp-server-semgrep

MCP Server for Semgrep Integration - static code analysis with AI

rules:
  - id: user-eval
    message: >-
      Found user data in a call to 'eval'. This is extremely dangerous because
      it can enable an attacker to execute arbitrary remote code on the system.
      Instead, refactor your code to not use 'eval' and instead use a safe
      library for the specific functionality you need.
    metadata:
      cwe:
        - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
      owasp:
        - A03:2021 - Injection
      references:
        - https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
        - https://owasp.org/www-community/attacks/Code_Injection
      category: security
      technology:
        - django
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: HIGH
      confidence: MEDIUM
    patterns:
      - pattern-inside: |
          def $F(...):
            ...
      - pattern-either:
          - pattern: eval(..., request.$W.get(...), ...)
          - pattern: |
              $V = request.$W.get(...)
              ...
              eval(..., $V, ...)
          - pattern: eval(..., request.$W(...), ...)
          - pattern: |
              $V = request.$W(...)
              ...
              eval(..., $V, ...)
          - pattern: eval(..., request.$W[...], ...)
          - pattern: |
              $V = request.$W[...]
              ...
              eval(..., $V, ...)
    languages: [python]
    severity: WARNING
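The rule above has three shapes of taint source (request.$W.get(...), request.$W(...) and request.$W[...]), each matched either directly as an eval() argument or via an intermediate variable, and all of them only inside a function body (pattern-inside). The following is an added example, not code from mcp-server-semgrep or from the Semgrep rule itself: a deliberately simplified re-implementation of that matching logic on Python's own ast module, run over a constructed set of Django-style views so you can see which functions the rule would flag and which it would not. Simplifications compared with real Semgrep: the variable form ignores statement order (a name assigned from request data anywhere in the function counts as tainted), only positional eval() arguments are inspected, and the receiver must literally be named `request`. The view names and query-parameter names in SAMPLE_VIEWS are made up for the demonstration.

```python
"""Toy re-implementation of the Semgrep `user-eval` rule (added example,
not part of mcp-server-semgrep). Runs on the standard library only."""
import ast

# Constructed Django-style views: two should be flagged, two should not.
SAMPLE_VIEWS = '''from django.http import HttpResponse

def calc_direct(request):
    return HttpResponse(eval(request.GET.get("expression")))

def calc_via_var(request):
    expr = request.POST["expression"]
    result = eval(expr)
    return HttpResponse(result)

def calc_constant(request):
    return eval("1 + 1")

def calc_safe(request):
    n = int(request.GET.get("n", "0"))
    return HttpResponse(n * 2)
'''


def _is_request_attr(node):
    """request.$W  (an attribute read on the name `request`)."""
    return (isinstance(node, ast.Attribute)
            and isinstance(node.value, ast.Name)
            and node.value.id == "request")


def _is_request_source(node):
    """The three taint sources of the rule:
    request.$W[...], request.$W(...) and request.$W.get(...)."""
    if isinstance(node, ast.Subscript):            # request.$W[...]
        return _is_request_attr(node.value)
    if isinstance(node, ast.Call):
        f = node.func
        if _is_request_attr(f):                    # request.$W(...)
            return True
        if (isinstance(f, ast.Attribute) and f.attr == "get"
                and _is_request_attr(f.value)):    # request.$W.get(...)
            return True
    return False


def find_user_eval(source):
    """Return [(function_name, line_of_eval_call), ...] for every eval()
    inside a def whose positional argument is request data, either
    directly or through a variable assigned from request data."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):    # pattern-inside: def $F(...)
            continue
        # Pass 1: names assigned from a request source ($V = request.$W...).
        tainted = set()
        for node in ast.walk(fn):
            if (isinstance(node, ast.Assign) and len(node.targets) == 1
                    and isinstance(node.targets[0], ast.Name)
                    and _is_request_source(node.value)):
                tainted.add(node.targets[0].id)
        # Pass 2: eval(..., <source or tainted name>, ...).
        for node in ast.walk(fn):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id == "eval"):
                for arg in node.args:
                    if _is_request_source(arg) or (
                            isinstance(arg, ast.Name) and arg.id in tainted):
                        findings.append((fn.name, node.lineno))
                        break
    return findings


if __name__ == "__main__":
    for name, line in find_user_eval(SAMPLE_VIEWS):
        print(f"user-eval: {name}() passes request data to eval() at line {line}")
```

Running the module reports calc_direct (line 4) and calc_via_var (line 8) and stays silent on calc_constant, where eval() sees only a literal, and on calc_safe, where the request value is coerced with int() and never reaches eval(). That last case is the remediation the rule's message asks for: parse the user input into the narrow type you actually need instead of evaluating it.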