@runsec/mcp 1.0.1
- package/dist/index.js +578 -0
- package/package.json +43 -0
- package/src/rules/data/rule-compliance-map.json +43563 -0
- package/src/rules/data/semgrep-rules/README-taint-overlays.md +21 -0
- package/src/rules/data/semgrep-rules/advanced-agent-cloud.yaml +802 -0
- package/src/rules/data/semgrep-rules/app-logic.yaml +445 -0
- package/src/rules/data/semgrep-rules/auth-keycloak.yaml +831 -0
- package/src/rules/data/semgrep-rules/browser-agent.yaml +260 -0
- package/src/rules/data/semgrep-rules/cloud-secrets.yaml +316 -0
- package/src/rules/data/semgrep-rules/csharp-dotnet.yaml +4864 -0
- package/src/rules/data/semgrep-rules/desktop-electron-pro.yaml +30 -0
- package/src/rules/data/semgrep-rules/desktop-vsto-suite.yaml +2759 -0
- package/src/rules/data/semgrep-rules/devops-security.yaml +393 -0
- package/src/rules/data/semgrep-rules/domain-access-management.yaml +1023 -0
- package/src/rules/data/semgrep-rules/domain-data-privacy.yaml +852 -0
- package/src/rules/data/semgrep-rules/domain-input-validation.yaml +2894 -0
- package/src/rules/data/semgrep-rules/domain-platform-hardening.yaml +1715 -0
- package/src/rules/data/semgrep-rules/ds-ml-security.yaml +2431 -0
- package/src/rules/data/semgrep-rules/fastapi-async.yaml +5953 -0
- package/src/rules/data/semgrep-rules/frontend-react.yaml +4035 -0
- package/src/rules/data/semgrep-rules/frontend-security.yaml +200 -0
- package/src/rules/data/semgrep-rules/go-core.yaml +4959 -0
- package/src/rules/data/semgrep-rules/hft-cpp-security.yaml +631 -0
- package/src/rules/data/semgrep-rules/infra-k8s-helm.yaml +4968 -0
- package/src/rules/data/semgrep-rules/integration-security.yaml +2362 -0
- package/src/rules/data/semgrep-rules/java-enterprise.yaml +14756 -0
- package/src/rules/data/semgrep-rules/java-spring.yaml +397 -0
- package/src/rules/data/semgrep-rules/license-compliance.yaml +186 -0
- package/src/rules/data/semgrep-rules/mobile-flutter.yaml +37 -0
- package/src/rules/data/semgrep-rules/mobile-security.yaml +721 -0
- package/src/rules/data/semgrep-rules/nodejs-nestjs.yaml +5164 -0
- package/src/rules/data/semgrep-rules/nodejs-security.yaml +326 -0
- package/src/rules/data/semgrep-rules/observability.yaml +381 -0
- package/src/rules/data/semgrep-rules/php-security.yaml +3601 -0
- package/src/rules/data/semgrep-rules/python-backend-pro.yaml +30 -0
- package/src/rules/data/semgrep-rules/python-django.yaml +181 -0
- package/src/rules/data/semgrep-rules/python-security.yaml +284 -0
- package/src/rules/data/semgrep-rules/ru-regulatory.yaml +496 -0
- package/src/rules/data/semgrep-rules/ruby-rails.yaml +3078 -0
- package/src/rules/data/semgrep-rules/rust-security.yaml +2701 -0
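--- a/package/src/rules/data/semgrep-rules/nodejs-security.yaml
+++ b/package/src/rules/data/semgrep-rules/nodejs-security.yaml
@@ -0,0 +1,326 @@
+rules:
+- id: runsec.nodejs-security.njs-001
+pattern-either:
+- pattern: |-
+exec("tar -xf " + userArchive)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-001\\b'
+message: 'RunSec Detection [NJS-001]: OWASP Command Injection'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-002
+pattern-either:
+- pattern: |-
+fs.readFile(baseDir + "/" + req.query.file)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-002\\b'
+message: 'RunSec Detection [NJS-002]: CWE-22 Path Traversal'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-003
+pattern-either:
+- pattern: |-
+app.get("/data", (req,res) => { const x = fs.readFileSync(p) })
+- pattern-regex: 'Vulnerable:\\s*NJS\\-003\\b'
+message: 'RunSec Detection [NJS-003]: Node.js Event Loop Safety'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-004
+pattern-either:
+- pattern: |-
+const obj = serialize.unserialize(payload)
+eval("(" + body + ")")
+- pattern-regex: 'Vulnerable:\\s*NJS\\-004\\b'
+message: 'RunSec Detection [NJS-004]: OWASP Deserialization Security'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-005
+pattern-either:
+- pattern: |-
+# no process.on("uncaughtException")
+# no process.on("unhandledRejection")
+- pattern-regex: 'Vulnerable:\\s*NJS\\-005\\b'
+message: 'RunSec Detection [NJS-005]: Node.js Production Hardening'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-006
+pattern-either:
+- pattern: |-
+res.redirect(req.query.next)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-006\\b'
+message: 'RunSec Detection [NJS-006]: OWASP Open Redirect'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-007
+pattern-either:
+- pattern: |-
+await fetch(req.body.url)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-007\\b'
+message: 'RunSec Detection [NJS-007]: OWASP SSRF Prevention'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-008
+pattern-either:
+- pattern: |-
+cors({ origin: "*", credentials: true })
+- pattern-regex: 'Vulnerable:\\s*NJS\\-008\\b'
+message: 'RunSec Detection [NJS-008]: OWASP CORS Security'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-009
+pattern-either:
+- pattern: |-
+jwt.verify(token, secret)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-009\\b'
+message: 'RunSec Detection [NJS-009]: JWT BCP'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-010
+pattern-either:
+- pattern: |-
+res.status(500).json({ error: err.stack })
+- pattern-regex: 'Vulnerable:\\s*NJS\\-010\\b'
+message: 'RunSec Detection [NJS-010]: OWASP Error Handling'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-011
+pattern-either:
+- pattern: |-
+deepMerge(config, req.body)
+querystring.parse(req.url) без фильтра ключей
+- pattern-regex: 'Vulnerable:\\s*NJS\\-011\\b'
+message: 'RunSec Detection [NJS-011]: Prototype Pollution Server-Side'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-012
+pattern-either:
+- pattern: |-
+const b = Buffer.allocUnsafe(size)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-012\\b'
+message: 'RunSec Detection [NJS-012]: Node.js Buffer Security'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-013
+pattern-either:
+- pattern: |-
+const id = req.query.id
+if (id.includes("admin")) ...
+- pattern-regex: 'Vulnerable:\\s*NJS\\-013\\b'
+message: 'RunSec Detection [NJS-013]: OWASP Input Validation'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-014
+pattern-either:
+- pattern: |-
+vm.runInNewContext(untrustedCode, sandbox)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-014\\b'
+message: 'RunSec Detection [NJS-014]: Node.js Sandbox Security'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-015
+pattern-either:
+- pattern: |-
+const re = /(a+)+$/
+if (re.test(req.body.input))
+- pattern-regex: 'Vulnerable:\\s*NJS\\-015\\b'
+message: 'RunSec Detection [NJS-015]: OWASP ReDoS (Server Side)'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-016
+pattern-either:
+- pattern: |-
+const order = await repo.findById(req.params.id)
+return res.json(order)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-016\\b'
+message: 'RunSec Detection [NJS-016]: OWASP API1 BOLA/IDOR'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-017
+pattern-either:
+- pattern: |-
+"lib-x": "git+https://github.com/org/lib-x.git" (без commit hash)
+# no package-lock.json/npm-shrinkwrap.json
+- pattern-regex: 'Vulnerable:\\s*NJS\\-017\\b'
+message: 'RunSec Detection [NJS-017]: Supply Chain Security'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-018
+pattern-either:
+- pattern: |-
+app.disable("x-powered-by") отсутствует
+helmet() не подключен
+- pattern-regex: 'Vulnerable:\\s*NJS\\-018\\b'
+message: 'RunSec Detection [NJS-018]: HTTP Header Hardening'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-019
+pattern-either:
+- pattern: |-
+if (process.env.VIP_MODE === "1") approveTransfer()
+- pattern-regex: 'Vulnerable:\\s*NJS\\-019\\b'
+message: 'RunSec Detection [NJS-019]: Twelve-Factor + Secure Config'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-020
+pattern-either:
+- pattern: |-
+fs.unlink(req.body.filePath, cb)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-020\\b'
+message: 'RunSec Detection [NJS-020]: CWE-73 / File Path Control'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-021
+pattern-either:
+- pattern: |-
+app.use(express.json()) (без limit)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-021\\b'
+message: 'RunSec Detection [NJS-021]: OWASP API4 Resource Consumption'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-022
+pattern-either:
+- pattern: |-
+bcrypt.hash(password, 4)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-022\\b'
+message: 'RunSec Detection [NJS-022]: OWASP Password Storage'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-023
+pattern-either:
+- pattern: |-
+User.find({ email: req.body.email }) (без schema/type guard)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-023\\b'
+message: 'RunSec Detection [NJS-023]: OWASP NoSQL Injection'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-024
+pattern-either:
+- pattern: |-
+res.cookie("sid", sid)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-024\\b'
+message: 'RunSec Detection [NJS-024]: OWASP Session Management'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-025
+pattern-either:
+- pattern: |-
+cors({ methods: "*", allowedHeaders: "*" })
+- pattern-regex: 'Vulnerable:\\s*NJS\\-025\\b'
+message: 'RunSec Detection [NJS-025]: CORS Hardening Best Practices'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-026
+pattern-either:
+- pattern: |-
+await User.create(req.body)
+await User.update(req.body, { where: ... })
+- pattern-regex: 'Vulnerable:\\s*NJS\\-026\\b'
+message: 'RunSec Detection [NJS-026]: OWASP Mass Assignment'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-027
+pattern-either:
+- pattern: |-
+const buf = Buffer.from(input)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-027\\b'
+message: 'RunSec Detection [NJS-027]: Node.js Buffer Safety'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-028
+pattern-either:
+- pattern: |-
+"scripts": { "build": "tsc", "test": "jest" } (без npm audit/snyk/socket)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-028\\b'
+message: 'RunSec Detection [NJS-028]: Supply Chain SCA Controls'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-029
+pattern-either:
+- pattern: |-
+<%- userContent %> (EJS)
+!= userContent (Pug)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-029\\b'
+message: 'RunSec Detection [NJS-029]: SSTI/XSS Template Security'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-030
+pattern-either:
+- pattern: |-
+app.use(bodyParser.json()) без limit и depth checks
+- pattern-regex: 'Vulnerable:\\s*NJS\\-030\\b'
+message: 'RunSec Detection [NJS-030]: API Resource Consumption Defense'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-031
+pattern-either:
+- pattern: |-
+const merged = { ...defaults, ...req.body }
+- pattern-regex: 'Vulnerable:\\s*NJS\\-031\\b'
+message: 'RunSec Detection [NJS-031]: Prototype Pollution (Object Spread)'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-032
+pattern-either:
+- pattern: |-
+const secret = process.env.JWT_SECRET
+- pattern-regex: 'Vulnerable:\\s*NJS\\-032\\b'
+message: 'RunSec Detection [NJS-032]: JWT Secret Management'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-033
+pattern-either:
+- pattern: |-
+https.request({ rejectUnauthorized: false })
+- pattern-regex: 'Vulnerable:\\s*NJS\\-033\\b'
+message: 'RunSec Detection [NJS-033]: TLS/mTLS Hardening'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-034
+pattern-either:
+- pattern: |-
+readable.pipe(writable) (без .on("error"))
+- pattern-regex: 'Vulnerable:\\s*NJS\\-034\\b'
+message: 'RunSec Detection [NJS-034]: Node.js Streams Security'
+languages:
+- generic
+severity: WARNING
+- id: runsec.nodejs-security.njs-035
+pattern-either:
+- pattern: |-
+let passwordPlain = req.body.password (долгоживущая переменная)
+- pattern-regex: 'Vulnerable:\\s*NJS\\-035\\b'
+message: 'RunSec Detection [NJS-035]: Sensitive Data Memory Hygiene'
+languages:
+- generic
+severity: WARNING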
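Review bot: Several `pattern:` bodies in this file are prose descriptions rather than matchable patterns, so with `languages: [generic]` they can only fire on text that literally contains that prose — NJS-005 (`# no process.on("uncaughtException")`), NJS-018 (`app.disable("x-powered-by") отсутствует`, `helmet() не подключен`), NJS-011 (`querystring.parse(req.url) без фильтра ключей`), NJS-017, NJS-021, NJS-023, NJS-028, NJS-030, NJS-034 and NJS-035 all share this defect, and the "absence of a call" checks (NJS-005, NJS-018) are not expressible as a positive `pattern` at all and should be dropped or reworked. The generic-mode patterns that are syntactically valid also match the *secure* idiom as written: NJS-009 flags every `jwt.verify(token, secret)` and NJS-032 flags `const secret = process.env.JWT_SECRET`, which is the practice the message asks for, so these will produce a finding on correct code and train users to ignore the rule. Since every rule also carries a `pattern-regex: 'Vulnerable:\s*NJS-0NN\b'` alternative, the set will pass a fixture-based test (annotated samples) while never firing on real code; I would switch the JavaScript rules to `languages: [javascript, typescript]` with metavariables and `pattern-not` to encode the missing control, and add `metadata` (cwe, owasp, references) per rule. A sketch for NJS-009 is below; the same shape applies to NJS-008/025 (`origin: "*"` with `credentials: true`), NJS-022 (cost factor below a threshold) and NJS-033.
```yaml
- id: runsec.nodejs-security.njs-009
  patterns:
    - pattern: jwt.verify($TOKEN, $SECRET, ...)
    # verify() without an explicit algorithms allow-list accepts whatever
    # alg the token header names; require the option to be present
    - pattern-not: jwt.verify($TOKEN, $SECRET, { ..., algorithms: $ALGS, ... })
  message: 'RunSec Detection [NJS-009]: JWT BCP — pass an explicit algorithms allow-list to jwt.verify'
  languages: [javascript, typescript]
  severity: WARNING
  metadata:
    cwe: 'CWE-347'   # placeholder mapping — confirm against rule-compliance-map.json
# … unchanged: remaining rules …
```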