mcp-server-semgrep/semgrep-rules/python/lang/security/audit/eval-detected.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: eval-detected
  patterns:
  - pattern-not: eval(f"")
  - pattern-not: eval("...")
  - pattern: eval(...)
  message: >-
    Detected the use of eval(). eval() can be dangerous if used to evaluate
    dynamic content. If this content can be input from outside the program, this
    may be a code injection vulnerability. Ensure evaluated content is not definable
    by external sources.
  metadata:
    source-rule-url: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b307-eval
    cwe:
    - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
    owasp:
    - A03:2021 - Injection
    asvs:
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      control_id: 5.2.4 Dyanmic Code Execution Features
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements
      version: '4'
    category: security
    technology:
    - python
    references:
    - https://owasp.org/Top10/A03_2021-Injection
    subcategory:
    - audit
    likelihood: LOW
    impact: HIGH
    confidence: LOW
  languages: [python]
  severity: WARNING