UNPKG

mcp-server-semgrep

Version:

MCP Server for Semgrep Integration - static code analysis with AI

github.com/Szowesgad/mcp-server-semgrep

Szowesgad/mcp-server-semgrep

43 lines (42 loc) 1.51 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
rules: - id: secure-set-cookie patterns: - pattern-either: - pattern-inside: | $RESP = flask.make_response(...) ... - pattern-inside: | $RESP = flask.Response(...) ... - pattern-not: $RESP.set_cookie(..., secure=$A, httponly=$B, samesite=$C, ...) - pattern-not: $RESP.set_cookie(..., **$A) - pattern: $RESP.set_cookie(...) message: >- Found a Flask cookie with insecurely configured properties. By default the secure, httponly and samesite ar configured insecurely. cookies should be handled securely by setting `secure=True`, `httponly=True`, and `samesite='Lax'` in response.set_cookie(...). If these parameters are not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker. Include the `secure=True`, `httponly=True`, `samesite='Lax'` arguments or set these to be true in the Flask configuration. metadata: cwe: - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute" owasp: - A05:2021 - Security Misconfiguration references: - https://flask.palletsprojects.com/en/3.0.x/api/#flask.Response.set_cookie - https://flask.palletsprojects.com/en/3.0.x/security/#set-cookie-options category: security technology: - python - flask subcategory: - audit likelihood: LOW impact: LOW confidence: LOW functional-categories: - web::search::cookie-config::flask languages: [python] severity: WARNING