UNPKG

mcp-server-semgrep

Version:

MCP Server for Semgrep Integration - static code analysis with AI

github.com/Szowesgad/mcp-server-semgrep

Szowesgad/mcp-server-semgrep

62 lines (61 loc) 1.57 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
rules: - id: dangerous-template-string message: >- Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks. metadata: cwe: - "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')" owasp: - A03:2021 - Injection references: - https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html - https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti category: security technology: - flask subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW languages: [python] severity: ERROR pattern-either: - pattern: | $V = "...".format(...) ... flask.render_template_string($V, ...) - pattern: | $V = "...".format(...) ... return flask.render_template_string($V, ...), $MORE - pattern: | $V = "..." % $S ... flask.render_template_string($V, ...) - pattern: | $V = "..." % $S ... return flask.render_template_string($V, ...), $MORE - pattern: | $V = "..." ... $V += $O ... flask.render_template_string($V, ...) - pattern: | $V = "..." ... $V += $O ... return flask.render_template_string($V, ...), $MORE - pattern: | $V = f"...{$X}..." ... flask.render_template_string($V, ...) - pattern: | $V = f"...{$X}..." ... return flask.render_template_string($V, ...), $CODE