UNPKG

mcp-server-semgrep

Version:

MCP Server for Semgrep Integration - static code analysis with AI

github.com/Szowesgad/mcp-server-semgrep

Szowesgad/mcp-server-semgrep

46 lines (45 loc) 1.54 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
rules: - id: host-header-injection-python message: >- The `flask.request.host` is used to construct an HTTP request. This can lead to host header injection issues. Vulnerabilities that generally occur due to this issue are authentication bypasses, password reset issues, Server-Side-Request-Forgery (SSRF), and many more. It is recommended to validate the URL before passing it to a request library, or using application logic such as authentication or password resets. patterns: - pattern-either: - pattern: | $X = <... "=~/.*http[s]*:///" + flask.request.host ...>; - pattern: | $X = <... "=~/.*http[s]*:///" + flask.request["host"] ...>; - pattern: | $Z = flask.request.host; ... $X = <... "=~/.*http[s]*:///" + $Z ...>; - pattern: | $Z = flask.request["host"]; ... $X = <... "=~/.*http[s]*:///" + $Z ...>; - pattern-inside: | @$APP.route($ROUTE, ...) def $FUNC(): ... languages: - python severity: INFO metadata: cwe: - 'CWE-20: Improper Input Validation' category: security references: - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection - https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html technology: - flask subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW