mcp-server-semgrep/semgrep-rules/python/lang/security/audit/python-reverse-shell.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: python-reverse-shell
  patterns:
  - pattern-either:
    - pattern: pty.spawn("$BINPATH",...)
    - pattern: subprocess.call(["$BINPATH",...],...)
  - metavariable-regex:
      metavariable: $BINPATH
      regex: /bin/.*?sh\b
  - pattern-inside: |
      import socket
      ...
      $S = socket.socket(...)
      ...
      $S.connect(($IP,$PORT),...)
      ...
  message: Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT
  metadata:
    cwe:
    - 'CWE-553: Command Shell in Externally Accessible Directory'
    category: security
    technology: [python]
    references:
    - https://cwe.mitre.org/data/definitions/553.html
    subcategory:
    - audit
    likelihood: LOW
    impact: MEDIUM
    confidence: LOW
  languages:
  - python
  severity: WARNING