UNPKG

mcp-server-semgrep

Version:

MCP Server for Semgrep Integration - static code analysis with AI

github.com/Szowesgad/mcp-server-semgrep

Szowesgad/mcp-server-semgrep

58 lines (57 loc) 1.91 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
rules: - id: raw-html-format languages: - python severity: WARNING message: Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead. metadata: cwe: - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection category: security technology: - django references: - https://docs.djangoproject.com/en/3.2/topics/http/shortcuts/#render - https://docs.djangoproject.com/en/3.2/topics/security/#cross-site-scripting-xss-protection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM mode: taint pattern-sanitizers: - pattern: django.utils.html.escape(...) pattern-sources: - patterns: - pattern: request.$ANYTHING - pattern-not: request.build_absolute_uri pattern-sinks: - patterns: - pattern-either: - patterns: - pattern-either: - pattern: '"$HTMLSTR" % ...' - pattern: '"$HTMLSTR".format(...)' - pattern: '"$HTMLSTR" + ...' - pattern: f"$HTMLSTR{...}..." - patterns: - pattern-inside: | $HTML = "$HTMLSTR" ... - pattern-either: - pattern: $HTML % ... - pattern: $HTML.format(...) - pattern: $HTML + ... - metavariable-pattern: metavariable: $HTMLSTR language: generic pattern: <$TAG ...