mcp-server-semgrep

Version:

MCP Server for Semgrep Integration - static code analysis with AI

47 lines (46 loc) • 1.48 kB

YAML

rules: - id: response-contains-unsanitized-input message: >- Flask response reflects unsanitized user input. This could lead to a cross-site scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which an attacker causes arbitrary code to be executed in the user's browser. To prevent, please sanitize the user input, e.g. by rendering the response in a Jinja2 template (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/). metadata: cwe: - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection references: - https://flask.palletsprojects.com/en/1.0.x/security/ - https://owasp.org/www-community/attacks/xss/ category: security technology: - flask cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW languages: [python] severity: WARNING pattern-either: - pattern: | $X = flask.request.args.get(...) ... flask.make_response("...".format($X)) - pattern: | $X = flask.request.args.get(...) ... flask.make_response(f"...{$X}...") - pattern: | $X = flask.request.args.get(...) ... flask.make_response(f"...{$X}") - pattern: | $X = flask.request.args.get(...) ... flask.make_response(f"{$X}...")