UNPKG

mcp-server-semgrep

Version:

MCP Server for Semgrep Integration - static code analysis with AI

github.com/Szowesgad/mcp-server-semgrep

Szowesgad/mcp-server-semgrep

50 lines (49 loc) 1.73 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
rules: - id: avoid-pyyaml-load metadata: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures cwe: - 'CWE-502: Deserialization of Untrusted Data' references: - https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation - https://nvd.nist.gov/vuln/detail/CVE-2017-18342 category: security technology: - pyyaml cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: MEDIUM languages: - python message: >- Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead. fix-regex: regex: unsafe_load replacement: safe_load count: 1 severity: ERROR patterns: - pattern-inside: | import yaml ... - pattern-not-inside: | $YAML = ruamel.yaml.YAML(...) ... - pattern-either: - pattern: yaml.unsafe_load(...) - pattern: yaml.load(..., Loader=yaml.Loader, ...) - pattern: yaml.load(..., Loader=yaml.UnsafeLoader, ...) - pattern: yaml.load(..., Loader=yaml.CLoader, ...) - pattern: yaml.load_all(..., Loader=yaml.Loader, ...) - pattern: yaml.load_all(..., Loader=yaml.UnsafeLoader, ...) - pattern: yaml.load_all(..., Loader=yaml.CLoader, ...)