mcp-server-semgrep/semgrep-rules/python/lang/security/audit/exec-detected.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: exec-detected
  patterns:
  - pattern-not: exec("...")
  - pattern: exec(...)
  message: >-
    Detected the use of exec(). exec() can be dangerous if used to evaluate
    dynamic content. If this content can be input from outside the program, this
    may be a code injection vulnerability. Ensure evaluated content is not definable
    by external sources.
  metadata:
    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b102_exec_used.html
    cwe:
    - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
    owasp:
    - A03:2021 - Injection
    asvs:
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      control_id: 5.2.4 Dyanmic Code Execution Features
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements
      version: '4'
    category: security
    technology:
    - python
    references:
    - https://owasp.org/Top10/A03_2021-Injection
    subcategory:
    - audit
    likelihood: LOW
    impact: HIGH
    confidence: LOW
  languages: [python]
  severity: WARNING