mcp-server-semgrep/semgrep-rules/python/lang/security/audit/paramiko/paramiko-exec-command.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: paramiko-exec-command
  patterns:
  - pattern-inside: |
      $CLIENT = paramiko.client.SSHClient(...)
      ...
  - pattern: $CLIENT.exec_command(...)
  - pattern-not: $CLIENT.exec_command("...", ...)
  message: >-
    Unverified SSL context detected. This will permit insecure connections without
    verifying
    SSL certificates. Use 'ssl.create_default_context()' instead.
  metadata:
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py
    owasp:
    - A01:2017 - Injection
    - A03:2021 - Injection
    cwe:
    - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
    references:
    - http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command
    - https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py
    category: security
    technology:
    - paramiko
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - audit
    likelihood: LOW
    impact: HIGH
    confidence: LOW
  severity: ERROR
  languages:
  - python