@runsec/mcp 1.0.1

package/src/rules/data/semgrep-rules/python-backend-pro.yaml

@@ -0,0 +1,30 @@
+rules:
+  - id: runsec.python-backend-pro.py-100
+    pattern-either:
+      - pattern: |-
+          if token == os.getenv("CHAT_TOKEN"):
+              return True
+      - pattern-regex: 'Vulnerable:\\s*PY\\-100\\b'
+    message: 'RunSec Detection [PY-100]: Enterprise backend security baseline'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-backend-pro.py-105
+    pattern-either:
+      - pattern: |-
+          def get_queryset(self):
+              return Message.objects.all()
+      - pattern-regex: 'Vulnerable:\\s*PY\\-105\\b'
+    message: 'RunSec Detection [PY-105]: Enterprise backend security baseline'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-backend-pro.py-110
+    pattern-either:
+      - pattern: |-
+          file_full_path = path.join(settings.MEDIA_ROOT, file_path)
+      - pattern-regex: 'Vulnerable:\\s*PY\\-110\\b'
+    message: 'RunSec Detection [PY-110]: Enterprise backend security baseline'
+    languages:
+      - python
+    severity: WARNING

package/src/rules/data/semgrep-rules/python-django.yaml

@@ -0,0 +1,181 @@
+rules:
+  - id: runsec.python-django.dja-001
+    pattern-either:
+      - pattern: |-
+          @csrf_exempt
+          def update_profile(request):
+              ...
+              return JsonResponse({"ok": True})
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-001\\b'
+    message: 'RunSec Detection [DJA-001]: CWE-352'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-002
+    pattern-either:
+      - pattern: |-
+          q = "SELECT * FROM users WHERE email = '" + email + "'"
+          ...
+          User.objects.raw(q)
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-002\\b'
+    message: 'RunSec Detection [DJA-002]: CWE-89'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-003
+    pattern-either:
+      - pattern: |-
+          DEBUG = True
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-003\\b'
+    message: 'RunSec Detection [DJA-003]: CWE-489'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-004
+    pattern-either:
+      - pattern: |-
+          class UserForm(forms.ModelForm):
+              class Meta:
+                  model = User
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-004\\b'
+    message: 'RunSec Detection [DJA-004]: CWE-915'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-005
+    pattern-either:
+      - pattern: |-
+          ALLOWED_HOSTS = ["*"]
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-005\\b'
+    message: 'RunSec Detection [DJA-005]: CWE-346'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-006
+    pattern-either:
+      - pattern: |-
+          return redirect(request.GET.get("next"))
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-006\\b'
+    message: 'RunSec Detection [DJA-006]: CWE-601'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-007
+    pattern-either:
+      - pattern: |-
+          SESSION_COOKIE_SECURE = False
+          CSRF_COOKIE_SECURE = False
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-007\\b'
+    message: 'RunSec Detection [DJA-007]: CWE-614'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-008
+    pattern-either:
+      - pattern: |-
+          SECRET_KEY = "django-insecure-hardcoded-secret"
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-008\\b'
+    message: 'RunSec Detection [DJA-008]: CWE-798'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-009
+    pattern-either:
+      - pattern: |-
+          path = os.path.join("/data/uploads", upload.name)
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-009\\b'
+    message: 'RunSec Detection [DJA-009]: CWE-22'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-010
+    pattern-either:
+      - pattern: |-
+          try:
+              ...
+          except Exception as e:
+              return JsonResponse({"error": str(e)}, status=500)
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-010\\b'
+    message: 'RunSec Detection [DJA-010]: CWE-209'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-011
+    pattern-either:
+      - pattern: |-
+          html = mark_safe(user_input)
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-011\\b'
+    message: 'RunSec Detection [DJA-011]: CWE-79'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-012
+    pattern-either:
+      - pattern: |-
+          SESSION_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-012\\b'
+    message: 'RunSec Detection [DJA-012]: CWE-502'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-013
+    pattern-either:
+      - pattern: |-
+          qs = User.objects.extra(where=["id=%s" % user_id])
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-013\\b'
+    message: 'RunSec Detection [DJA-013]: CWE-89'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-014
+    pattern-either:
+      - pattern: |-
+          PASSWORD_HASHERS = ["django.contrib.auth.hashers.MD5PasswordHasher"]
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-014\\b'
+    message: 'RunSec Detection [DJA-014]: CWE-330'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-015
+    pattern-either:
+      - pattern: |-
+          LOGOUT_REDIRECT_URL = request.GET.get("next")
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-015\\b'
+    message: 'RunSec Detection [DJA-015]: CWE-601'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-016
+    pattern-either:
+      - pattern: |-
+          urlpatterns = [
+              re_path(r"^(a+)+$", view),
+          ]
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-016\\b'
+    message: 'RunSec Detection [DJA-016]: CWE-400'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-017
+    pattern-either:
+      - pattern: |-
+          class AdminForm(forms.ModelForm):
+              class Meta:
+                  model = User
+                  exclude = []
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-017\\b'
+    message: 'RunSec Detection [DJA-017]: CWE-915'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-django.dja-018
+    pattern-either:
+      - pattern: |-
+          class PaymentsView(View):
+              def dispatch(self, request, *args, **kwargs):
+                  ...
+      - pattern-regex: 'Vulnerable:\\s*DJA\\-018\\b'
+    message: 'RunSec Detection [DJA-018]: CWE-20'
+    languages:
+      - python
+    severity: WARNING

package/src/rules/data/semgrep-rules/python-security.yaml

@@ -0,0 +1,284 @@
+rules:
+  - id: runsec.python-security.py-001
+    pattern-either:
+      - pattern: |-
+          app = FastAPI(debug=True)
+      - pattern-regex: 'Vulnerable:\\s*PY\\-001\\b'
+    message: 'RunSec Detection [PY-001]: FastAPI deployment hardening'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-002
+    pattern-either:
+      - pattern: |-
+          try:
+              ...
+          except Exception as e:
+              return dict(error=str(e))
+      - pattern-regex: 'Vulnerable:\\s*PY\\-002\\b'
+    message: 'RunSec Detection [PY-002]: OWASP Error Handling'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-003
+    pattern-either:
+      - pattern: |-
+          pickle.loads(data)
+      - pattern-regex: 'Vulnerable:\\s*PY\\-003\\b'
+    message: 'RunSec Detection [PY-003]: CWE-502'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-004
+    pattern-either:
+      - pattern: |-
+          subprocess.run(cmd, shell=True)
+      - pattern-regex: 'Vulnerable:\\s*PY\\-004\\b'
+    message: 'RunSec Detection [PY-004]: CWE-78'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-005
+    pattern-either:
+      - pattern: |-
+          yaml.load(data, Loader=yaml.Loader)
+      - pattern-regex: 'Vulnerable:\\s*PY\\-005\\b'
+    message: 'RunSec Detection [PY-005]: PyYAML security'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-006
+    pattern-either:
+      - pattern: |-
+          tempfile.mktemp()
+      - pattern-regex: 'Vulnerable:\\s*PY\\-006\\b'
+    message: 'RunSec Detection [PY-006]: CWE-377'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-007
+    pattern-either:
+      - pattern: |-
+          requests.get(user_url)
+      - pattern-regex: 'Vulnerable:\\s*PY\\-007\\b'
+    message: 'RunSec Detection [PY-007]: OWASP SSRF'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-008
+    pattern-either:
+      - pattern: |-
+          requests.get(url)
+      - pattern-regex: 'Vulnerable:\\s*PY\\-008\\b'
+    message: 'RunSec Detection [PY-008]: Reliability/security baseline'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-009
+    pattern-either:
+      - pattern: |-
+          SECRET_KEY = "dev-secret"
+      - pattern-regex: 'Vulnerable:\\s*PY\\-009\\b'
+    message: 'RunSec Detection [PY-009]: CWE-798'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-010
+    pattern-either:
+      - pattern: |-
+          token = str(random.random())
+      - pattern-regex: 'Vulnerable:\\s*PY\\-010\\b'
+    message: 'RunSec Detection [PY-010]: Python secrets guidance'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-011
+    pattern-either:
+      - pattern: |-
+          jwt.decode(token, key, options={"verify_signature": True})
+      - pattern-regex: 'Vulnerable:\\s*PY\\-011\\b'
+    message: 'RunSec Detection [PY-011]: JWT BCP'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-012
+    pattern-either:
+      - pattern: |-
+          session.execute(f"SELECT * FROM t WHERE id={id}")
+      - pattern-regex: 'Vulnerable:\\s*PY\\-012\\b'
+    message: 'RunSec Detection [PY-012]: CWE-89'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-013
+    pattern-either:
+      - pattern: |-
+          Model(**request.json())
+      - pattern-regex: 'Vulnerable:\\s*PY\\-013\\b'
+    message: 'RunSec Detection [PY-013]: OWASP Mass Assignment'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-014
+    pattern-either:
+      - pattern: |-
+          open(base + "/" + filename)
+      - pattern-regex: 'Vulnerable:\\s*PY\\-014\\b'
+    message: 'RunSec Detection [PY-014]: CWE-22'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-015
+    pattern-either:
+      - pattern: |-
+          eval(user_expr)
+      - pattern-regex: 'Vulnerable:\\s*PY\\-015\\b'
+    message: 'RunSec Detection [PY-015]: CWE-95'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-016
+    pattern-either:
+      - pattern: |-
+          allow_origins=["*"], allow_credentials=True
+      - pattern-regex: 'Vulnerable:\\s*PY\\-016\\b'
+    message: 'RunSec Detection [PY-016]: CORS hardening'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-017
+    pattern-either:
+      - pattern: |-
+          @app.post("/login")
+          async def login():
+              ...
+      - pattern-regex: 'Vulnerable:\\s*PY\\-017\\b'
+    message: 'RunSec Detection [PY-017]: OWASP API4'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-018
+    pattern-either:
+      - pattern: |-
+          async def $F():
+              ...
+              requests.get(...)
+      - pattern-regex: 'Vulnerable:\\s*PY\\-018\\b'
+    message: 'RunSec Detection [PY-018]: Async runtime safety'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-019
+    pattern-either:
+      - pattern: |-
+          browser = p.chromium.launch(args=["--no-sandbox"])
+      - pattern-regex: 'Vulnerable:\\s*PY\\-019\\b'
+    message: 'RunSec Detection [PY-019]: Browser automation hardening'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-020
+    pattern-either:
+      - pattern: |-
+          @app.get("/users/{id}")
+          async def get_user(id: int):
+              return db_user
+      - pattern-regex: 'Vulnerable:\\s*PY\\-020\\b'
+    message: 'RunSec Detection [PY-020]: FastAPI response_model safety'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-021
+    pattern-either:
+      - pattern: |-
+          text(f"SELECT * FROM users WHERE name='{name}'")
+      - pattern-regex: 'Vulnerable:\\s*PY\\-021\\b'
+    message: 'RunSec Detection [PY-021]: SQLAlchemy text injection'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-022
+    pattern-either:
+      - pattern: |-
+          UserModel.model_construct(**payload)
+      - pattern-regex: 'Vulnerable:\\s*PY\\-022\\b'
+    message: 'RunSec Detection [PY-022]: Pydantic security'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-023
+    pattern-either:
+      - pattern: |-
+          SHARED_PAGE = browser.new_page()
+      - pattern-regex: 'Vulnerable:\\s*PY\\-023\\b'
+    message: 'RunSec Detection [PY-023]: Playwright isolation'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-024
+    pattern-either:
+      - pattern: |-
+          httpx.Client(verify=False)
+      - pattern-regex: 'Vulnerable:\\s*PY\\-024\\b'
+    message: 'RunSec Detection [PY-024]: TLS hardening'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-025
+    pattern-either:
+      - pattern: |-
+          def handle_hook(body: bytes):
+              data = json.loads(body)
+              return data
+      - pattern-regex: 'Vulnerable:\\s*PY\\-025\\b'
+    message: 'RunSec Detection [PY-025]: Webhook security'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-026
+    pattern-either:
+      - pattern: |-
+          logger.info("token=%s", token)
+      - pattern-regex: 'Vulnerable:\\s*PY\\-026\\b'
+    message: 'RunSec Detection [PY-026]: OWASP Logging'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-027
+    pattern-either:
+      - pattern: |-
+          limit = int(request.args["limit"])
+      - pattern-regex: 'Vulnerable:\\s*PY\\-027\\b'
+    message: 'RunSec Detection [PY-027]: Resource abuse prevention'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-028
+    pattern-either:
+      - pattern: |-
+          @app.post("/account/delete")
+          async def delete_account():
+              ...
+      - pattern-regex: 'Vulnerable:\\s*PY\\-028\\b'
+    message: 'RunSec Detection [PY-028]: OWASP CSRF'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-029
+    pattern-either:
+      - pattern: |-
+          CELERY_TASK_SERIALIZER = "pickle"
+      - pattern-regex: 'Vulnerable:\\s*PY\\-029\\b'
+    message: 'RunSec Detection [PY-029]: Celery security'
+    languages:
+      - python
+    severity: WARNING
+  - id: runsec.python-security.py-030
+    pattern-either:
+      - pattern: |-
+          return RedirectResponse(next_url)
+      - pattern-regex: 'Vulnerable:\\s*PY\\-030\\b'
+    message: 'RunSec Detection [PY-030]: OWASP Open Redirect'
+    languages:
+      - python
+    severity: WARNING