UNPKG

mcp-server-semgrep

Version:

MCP Server for Semgrep Integration - static code analysis with AI

github.com/Szowesgad/mcp-server-semgrep

Szowesgad/mcp-server-semgrep

60 lines (59 loc) 1.6 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
rules: - id: avoid-sqlalchemy-text mode: taint pattern-sinks: - pattern: | sqlalchemy.text(...) pattern-sources: - patterns: - pattern: | $X + $Y - metavariable-type: metavariable: $X type: string - patterns: - pattern: | $X + $Y - metavariable-type: metavariable: $Y type: string - patterns: - pattern: | f"..." - patterns: - pattern: | $X.format(...) - metavariable-type: metavariable: $X type: string - patterns: - pattern: | $X % $Y - metavariable-type: metavariable: $X type: string message: sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This means that the usual SQL injection protections are not applied and this function is vulnerable to SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as or_, and_, etc.) to construct SQL. metadata: owasp: - A01:2017 - Injection - A03:2021 - Injection cwe: - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" category: security technology: - sqlalchemy confidence: MEDIUM references: - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW languages: - python severity: ERROR