@runsec/mcp 1.0.1
- package/dist/index.js +578 -0
- package/package.json +43 -0
- package/src/rules/data/rule-compliance-map.json +43563 -0
- package/src/rules/data/semgrep-rules/README-taint-overlays.md +21 -0
- package/src/rules/data/semgrep-rules/advanced-agent-cloud.yaml +802 -0
- package/src/rules/data/semgrep-rules/app-logic.yaml +445 -0
- package/src/rules/data/semgrep-rules/auth-keycloak.yaml +831 -0
- package/src/rules/data/semgrep-rules/browser-agent.yaml +260 -0
- package/src/rules/data/semgrep-rules/cloud-secrets.yaml +316 -0
- package/src/rules/data/semgrep-rules/csharp-dotnet.yaml +4864 -0
- package/src/rules/data/semgrep-rules/desktop-electron-pro.yaml +30 -0
- package/src/rules/data/semgrep-rules/desktop-vsto-suite.yaml +2759 -0
- package/src/rules/data/semgrep-rules/devops-security.yaml +393 -0
- package/src/rules/data/semgrep-rules/domain-access-management.yaml +1023 -0
- package/src/rules/data/semgrep-rules/domain-data-privacy.yaml +852 -0
- package/src/rules/data/semgrep-rules/domain-input-validation.yaml +2894 -0
- package/src/rules/data/semgrep-rules/domain-platform-hardening.yaml +1715 -0
- package/src/rules/data/semgrep-rules/ds-ml-security.yaml +2431 -0
- package/src/rules/data/semgrep-rules/fastapi-async.yaml +5953 -0
- package/src/rules/data/semgrep-rules/frontend-react.yaml +4035 -0
- package/src/rules/data/semgrep-rules/frontend-security.yaml +200 -0
- package/src/rules/data/semgrep-rules/go-core.yaml +4959 -0
- package/src/rules/data/semgrep-rules/hft-cpp-security.yaml +631 -0
- package/src/rules/data/semgrep-rules/infra-k8s-helm.yaml +4968 -0
- package/src/rules/data/semgrep-rules/integration-security.yaml +2362 -0
- package/src/rules/data/semgrep-rules/java-enterprise.yaml +14756 -0
- package/src/rules/data/semgrep-rules/java-spring.yaml +397 -0
- package/src/rules/data/semgrep-rules/license-compliance.yaml +186 -0
- package/src/rules/data/semgrep-rules/mobile-flutter.yaml +37 -0
- package/src/rules/data/semgrep-rules/mobile-security.yaml +721 -0
- package/src/rules/data/semgrep-rules/nodejs-nestjs.yaml +5164 -0
- package/src/rules/data/semgrep-rules/nodejs-security.yaml +326 -0
- package/src/rules/data/semgrep-rules/observability.yaml +381 -0
- package/src/rules/data/semgrep-rules/php-security.yaml +3601 -0
- package/src/rules/data/semgrep-rules/python-backend-pro.yaml +30 -0
- package/src/rules/data/semgrep-rules/python-django.yaml +181 -0
- package/src/rules/data/semgrep-rules/python-security.yaml +284 -0
- package/src/rules/data/semgrep-rules/ru-regulatory.yaml +496 -0
- package/src/rules/data/semgrep-rules/ruby-rails.yaml +3078 -0
- package/src/rules/data/semgrep-rules/rust-security.yaml +2701 -0
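--- a/package/src/rules/data/semgrep-rules/frontend-security.yaml
+++ b/package/src/rules/data/semgrep-rules/frontend-security.yaml
@@ -0,0 +1,200 @@
+rules:
+  - id: runsec.frontend-security.fts-001
+    pattern-either:
+      - pattern: |-
+          dangerouslySetInnerHTML={{ __html: userHtml }}
+          <div v-html="content"></div>
+          el.innerHTML = payload
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-001\\b'
+    message: 'RunSec Detection [FTS-001]: OWASP XSS Prevention Cheat Sheet'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-002
+    pattern-either:
+      - pattern: |-
+          localStorage.setItem("jwt", token)
+          sessionStorage.setItem("snils", value)
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-002\\b'
+    message: 'RunSec Detection [FTS-002]: OWASP ASVS Session Management'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-003
+    pattern-either:
+      - pattern: |-
+          console.log("token", token)
+          console.error("user profile", profile)
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-003\\b'
+    message: 'RunSec Detection [FTS-003]: OWASP Logging Cheat Sheet'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-004
+    pattern-either:
+      - pattern: |-
+          window.addEventListener("message", (e) => handle(e.data))
+          target.postMessage(data, "*")
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-004\\b'
+    message: 'RunSec Detection [FTS-004]: OWASP HTML5 Security Cheat Sheet'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-005
+    pattern-either:
+      - pattern: |-
+          if (user.role === "admin") price = 0
+          if (clientAmount < limit) approve()
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-005\\b'
+    message: 'RunSec Detection [FTS-005]: OWASP Top 10 A04 Insecure Design'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-006
+    pattern-either:
+      - pattern: |-
+          <meta http-equiv="Content-Security-Policy" content="">
+          script-src 'unsafe-inline' 'unsafe-eval'
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-006\\b'
+    message: 'RunSec Detection [FTS-006]: CSP Level 3 guidance'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-007
+    pattern-either:
+      - pattern: |-
+          # no frame-ancestors / X-Frame-Options policy
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-007\\b'
+    message: 'RunSec Detection [FTS-007]: OWASP Clickjacking Defense'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-008
+    pattern-either:
+      - pattern: |-
+          GENERATE_SOURCEMAP=true
+          app.js.map published publicly
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-008\\b'
+    message: 'RunSec Detection [FTS-008]: Frontend supply-chain hardening'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-009
+    pattern-either:
+      - pattern: |-
+          <script src="https://cdn.example.com/lib.js"></script>
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-009\\b'
+    message: 'RunSec Detection [FTS-009]: Subresource Integrity (SRI)'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-010
+    pattern-either:
+      - pattern: |-
+          self.addEventListener("fetch", (event) => event.respondWith(caches.match(req)))
+          # no cache key validation / stale cache fallback
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-010\\b'
+    message: 'RunSec Detection [FTS-010]: PWA security guidance'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-011
+    pattern-either:
+      - pattern: |-
+          eval(userInput)
+          new Function(code)
+          setTimeout("run()", 100)
+          setInterval("tick()", 1000)
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-011\\b'
+    message: 'RunSec Detection [FTS-011]: OWASP JavaScript Security Guidelines'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-012
+    pattern-either:
+      - pattern: |-
+          deepMerge(target, payload)
+          obj[key] = value (без фильтра __proto__/constructor/prototype)
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-012\\b'
+    message: 'RunSec Detection [FTS-012]: Prototype Pollution Prevention'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-013
+    pattern-either:
+      - pattern: |-
+          leakedVar = 1
+          Array.prototype.custom = fn
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-013\\b'
+    message: 'RunSec Detection [FTS-013]: JavaScript Secure Coding'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-014
+    pattern-either:
+      - pattern: |-
+          const token = Math.random().toString(36)
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-014\\b'
+    message: 'RunSec Detection [FTS-014]: Web Crypto API Guidance'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-015
+    pattern-either:
+      - pattern: |-
+          const re = /(a+)+$/
+          re.test(input)
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-015\\b'
+    message: 'RunSec Detection [FTS-015]: OWASP ReDoS'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-016
+    pattern-either:
+      - pattern: |-
+          for (const id of ids) { await fetchUser(id) }
+          items.map(async (i) => await apiCall(i))
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-016\\b'
+    message: 'RunSec Detection [FTS-016]: JS Async Performance/Safety'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-017
+    pattern-either:
+      - pattern: |-
+          window.addEventListener("message", (e) => JSON.parse(e.data))
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-017\\b'
+    message: 'RunSec Detection [FTS-017]: OWASP HTML5 Messaging Security'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-018
+    pattern-either:
+      - pattern: |-
+          button.style.display = "none"
+          if (!isAdmin) panel.classList.add("hidden")
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-018\\b'
+    message: 'RunSec Detection [FTS-018]: OWASP Authorization Best Practices'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-019
+    pattern-either:
+      - pattern: |-
+          if (role == "admin") allow()
+          if (isOwner != false) execute()
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-019\\b'
+    message: 'RunSec Detection [FTS-019]: JavaScript Equality Safety'
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.frontend-security.fts-020
+    pattern-either:
+      - pattern: |-
+          doCritical().then(saveAudit)
+          async function run(){ await step(); } (без try/catch)
+      - pattern-regex: 'Vulnerable:\\s*FTS\\-020\\b'
+    message: 'RunSec Detection [FTS-020]: Async Error Handling Best Practices'
+    languages:
+      - generic
+    severity: WARNING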
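Review bot: Every rule in this file packs several unrelated snippets into one `- pattern: |-` block scalar (for example lines 5–7 of fts-001), and in `generic` mode a multi-line pattern only matches where all of its lines occur together in that order, so none of these rules can fire on real code and the only live detection path is the `pattern-regex` marker. That marker also looks over-escaped: inside a single-quoted YAML scalar `\\s` and `\\-` are two literal backslashes, so `'Vulnerable:\\s*FTS\\-001\\b'` would not match `Vulnerable: FTS-001` either, assuming the double backslashes are in the file rather than a rendering artifact. Lines such as `# no frame-ancestors / X-Frame-Options policy` (fts-007), `app.js.map published publicly` (fts-008) and the Russian annotations in fts-012 and fts-020 sit inside the block scalar, so they are pattern text rather than comments and belong in `metadata` or in a `#` comment outside the scalar. Splitting each snippet into its own `- pattern:` entry with metavariables, as shown below for fts-001, restores detection; the same rewrite applies to fts-002 through fts-020.
```yaml
rules:
  - id: runsec.frontend-security.fts-001
    pattern-either:
      - pattern: 'dangerouslySetInnerHTML={{ __html: $HTML }}'
      - pattern: '<div v-html="$HTML"></div>'
      - pattern: '$EL.innerHTML = $HTML'
      - pattern-regex: 'Vulnerable:\s*FTS-001\b'
    # … unchanged: message, languages, severity …
```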