npm - mcp-server-semgrep - Versions diffs - 1.0.0 - Mend

mcp-server-semgrep 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4012) hide show

package/semgrep-rules/python/django/security/injection/reflected-data-httpresponsebadrequest.yaml ADDED Viewed

@@ -0,0 +1,254 @@
+rules:
+- id: reflected-data-httpresponsebadrequest
+  message: Found user-controlled request data passed into a HttpResponseBadRequest. This could be vulnerable
+    to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that
+    the request data is properly escaped or sanitzed.
+  metadata:
+    cwe:
+    - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+    owasp:
+    - A07:2017 - Cross-Site Scripting (XSS)
+    - A03:2021 - Injection
+    references:
+    - https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss
+    category: security
+    technology:
+    - django
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - vuln
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: MEDIUM
+  languages: [python]
+  severity: WARNING
+  patterns:
+  - pattern-inside: |
+      def $FUNC(...):
+        ...
+  - pattern-either:
+    - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W.get(...), ...), ...)
+    - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W.get(...), ...)
+    - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W.get(...)}...", ...)
+    - pattern: django.http.HttpResponseBadRequest(..., request.$W.get(...), ...)
+    - pattern: |
+        $DATA = request.$W.get(...)
+        ...
+        django.http.HttpResponseBadRequest(..., $DATA, ...)
+    - pattern: |
+        $DATA = request.$W.get(...)
+        ...
+        $INTERM = $DATA
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: |
+        $DATA = request.$W.get(...)
+        ...
+        django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...)
+    - pattern: |
+        $DATA = request.$W.get(...)
+        ...
+        $INTERM = $STR.format(..., $DATA, ...)
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: |
+        $DATA = request.$W.get(...)
+        ...
+        django.http.HttpResponseBadRequest(..., $STR % $DATA, ...)
+    - pattern: |
+        $DATA = request.$W.get(...)
+        ...
+        $INTERM = $STR % $DATA
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: |
+        $DATA = request.$W.get(...)
+        ...
+        django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...)
+    - pattern: |
+        $DATA = request.$W.get(...)
+        ...
+        $INTERM = f"...{$DATA}..."
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: |
+        $DATA = request.$W.get(...)
+        ...
+        django.http.HttpResponseBadRequest(..., $STR + $DATA, ...)
+    - pattern: |
+        $DATA = request.$W.get(...)
+        ...
+        $INTERM = $STR + $DATA
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W.get(...), ...)
+    - pattern: return django.http.HttpResponseBadRequest(..., request.$W.get(...), ...)
+    - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W(...), ...), ...)
+    - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W(...), ...)
+    - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W(...)}...", ...)
+    - pattern: django.http.HttpResponseBadRequest(..., request.$W(...), ...)
+    - pattern: |
+        $DATA = request.$W(...)
+        ...
+        django.http.HttpResponseBadRequest(..., $DATA, ...)
+    - pattern: |
+        $DATA = request.$W(...)
+        ...
+        $INTERM = $DATA
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: |
+        $DATA = request.$W(...)
+        ...
+        django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...)
+    - pattern: |
+        $DATA = request.$W(...)
+        ...
+        $INTERM = $STR.format(..., $DATA, ...)
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: |
+        $DATA = request.$W(...)
+        ...
+        django.http.HttpResponseBadRequest(..., $STR % $DATA, ...)
+    - pattern: |
+        $DATA = request.$W(...)
+        ...
+        $INTERM = $STR % $DATA
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: |
+        $DATA = request.$W(...)
+        ...
+        django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...)
+    - pattern: |
+        $DATA = request.$W(...)
+        ...
+        $INTERM = f"...{$DATA}..."
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: |
+        $DATA = request.$W(...)
+        ...
+        django.http.HttpResponseBadRequest(..., $STR + $DATA, ...)
+    - pattern: |
+        $DATA = request.$W(...)
+        ...
+        $INTERM = $STR + $DATA
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W(...), ...)
+    - pattern: return django.http.HttpResponseBadRequest(..., request.$W(...), ...)
+    - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W[...], ...), ...)
+    - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W[...], ...)
+    - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W[...]}...", ...)
+    - pattern: django.http.HttpResponseBadRequest(..., request.$W[...], ...)
+    - pattern: |
+        $DATA = request.$W[...]
+        ...
+        django.http.HttpResponseBadRequest(..., $DATA, ...)
+    - pattern: |
+        $DATA = request.$W[...]
+        ...
+        $INTERM = $DATA
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: |
+        $DATA = request.$W[...]
+        ...
+        django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...)
+    - pattern: |
+        $DATA = request.$W[...]
+        ...
+        $INTERM = $STR.format(..., $DATA, ...)
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: |
+        $DATA = request.$W[...]
+        ...
+        django.http.HttpResponseBadRequest(..., $STR % $DATA, ...)
+    - pattern: |
+        $DATA = request.$W[...]
+        ...
+        $INTERM = $STR % $DATA
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: |
+        $DATA = request.$W[...]
+        ...
+        django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...)
+    - pattern: |
+        $DATA = request.$W[...]
+        ...
+        $INTERM = f"...{$DATA}..."
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: |
+        $DATA = request.$W[...]
+        ...
+        django.http.HttpResponseBadRequest(..., $STR + $DATA, ...)
+    - pattern: |
+        $DATA = request.$W[...]
+        ...
+        $INTERM = $STR + $DATA
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W[...], ...)
+    - pattern: return django.http.HttpResponseBadRequest(..., request.$W[...], ...)
+    - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W, ...), ...)
+    - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W, ...)
+    - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W}...", ...)
+    - pattern: django.http.HttpResponseBadRequest(..., request.$W, ...)
+    - pattern: |
+        $DATA = request.$W
+        ...
+        django.http.HttpResponseBadRequest(..., $DATA, ...)
+    - pattern: |
+        $DATA = request.$W
+        ...
+        $INTERM = $DATA
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: |
+        $DATA = request.$W
+        ...
+        django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...)
+    - pattern: |
+        $DATA = request.$W
+        ...
+        $INTERM = $STR.format(..., $DATA, ...)
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: |
+        $DATA = request.$W
+        ...
+        django.http.HttpResponseBadRequest(..., $STR % $DATA, ...)
+    - pattern: |
+        $DATA = request.$W
+        ...
+        $INTERM = $STR % $DATA
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: |
+        $DATA = request.$W
+        ...
+        django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...)
+    - pattern: |
+        $DATA = request.$W
+        ...
+        $INTERM = f"...{$DATA}..."
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: |
+        $DATA = request.$W
+        ...
+        django.http.HttpResponseBadRequest(..., $STR + $DATA, ...)
+    - pattern: |
+        $DATA = request.$W
+        ...
+        $INTERM = $STR + $DATA
+        ...
+        django.http.HttpResponseBadRequest(..., $INTERM, ...)
+    - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W, ...)
+    - pattern: return django.http.HttpResponseBadRequest(..., request.$W, ...)

package/semgrep-rules/python/django/security/injection/request-data-fileresponse.py ADDED Viewed

@@ -0,0 +1,14 @@
+from django.http import FileResponse
+def func(request):
+    # ruleid: request-data-fileresponse
+    filename = request.POST.get("filename")
+    f = open(filename, 'rb')
+    return FileResponse(f)
+def safe(request):
+    # ok: request-data-fileresponse
+    url = request.GET.get("url")
+    print(url)
+    f = open("blah.txt", 'r')
+    return FileResponse(f)

package/semgrep-rules/python/django/security/injection/request-data-fileresponse.yaml ADDED Viewed

@@ -0,0 +1,83 @@
+rules:
+- id: request-data-fileresponse
+  message: Found user-controlled request data being passed into a file open, which is them passed as an
+    argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary
+    file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted
+    filename in the request data before using it in FileResponse.
+  metadata:
+    cwe:
+    - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+    owasp:
+    - A05:2017 - Broken Access Control
+    - A01:2021 - Broken Access Control
+    references:
+    - https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss
+    category: security
+    technology:
+    - django
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - vuln
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: MEDIUM
+  languages: [python]
+  severity: WARNING
+  patterns:
+  - pattern-inside: |
+      def $FUNC(...):
+        ...
+  - pattern-either:
+    - pattern: django.http.FileResponse(..., request.$W.get(...), ...)
+    - pattern: |
+        $DATA = request.$W.get(...)
+        ...
+        django.http.FileResponse(..., open($DATA, ...), ...)
+    - pattern: |
+        $DATA = request.$W.get(...)
+        ...
+        $INTERM = open($DATA, ...)
+        ...
+        django.http.FileResponse(..., $INTERM, ...)
+    - pattern: $A = django.http.FileResponse(..., request.$W.get(...), ...)
+    - pattern: return django.http.FileResponse(..., request.$W.get(...), ...)
+    - pattern: django.http.FileResponse(..., request.$W(...), ...)
+    - pattern: |
+        $DATA = request.$W(...)
+        ...
+        django.http.FileResponse(..., open($DATA, ...), ...)
+    - pattern: |
+        $DATA = request.$W(...)
+        ...
+        $INTERM = open($DATA, ...)
+        ...
+        django.http.FileResponse(..., $INTERM, ...)
+    - pattern: $A = django.http.FileResponse(..., request.$W(...), ...)
+    - pattern: return django.http.FileResponse(..., request.$W(...), ...)
+    - pattern: django.http.FileResponse(..., request.$W[...], ...)
+    - pattern: |
+        $DATA = request.$W[...]
+        ...
+        django.http.FileResponse(..., open($DATA, ...), ...)
+    - pattern: |
+        $DATA = request.$W[...]
+        ...
+        $INTERM = open($DATA, ...)
+        ...
+        django.http.FileResponse(..., $INTERM, ...)
+    - pattern: $A = django.http.FileResponse(..., request.$W[...], ...)
+    - pattern: return django.http.FileResponse(..., request.$W[...], ...)
+    - pattern: django.http.FileResponse(..., request.$W, ...)
+    - pattern: |
+        $DATA = request.$W
+        ...
+        django.http.FileResponse(..., open($DATA, ...), ...)
+    - pattern: |
+        $DATA = request.$W
+        ...
+        $INTERM = open($DATA, ...)
+        ...
+        django.http.FileResponse(..., $INTERM, ...)
+    - pattern: $A = django.http.FileResponse(..., request.$W, ...)
+    - pattern: return django.http.FileResponse(..., request.$W, ...)

package/semgrep-rules/python/django/security/injection/request-data-write.py ADDED Viewed

@@ -0,0 +1,25 @@
+import time
+from django.contrib.auth.models import User
+from django.http import HttpResponse
+from . import settings as USettings
+def save_scrawl_file(request, filename):
+    import base64
+    try:
+        # ruleid: request-data-write
+        content = request.POST.get(USettings.UEditorUploadSettings.get("scrawlFieldName", "upfile"))
+        f = open(filename, 'wb')
+        f.write(base64.decodestring(content))
+        f.close()
+        state = "SUCCESS"
+    except Exception as e:
+        state = u"写入图片文件错误:%s" % e
+    return state
+def save_file(request):
+    # ok: request-data-write
+    user = User.objects.get(username=request.session.get('user'))
+    content = "user logged in at {}".format(time.time())
+    f = open("{}-{}".format(user, time.time()), 'wb')
+    f.write(content)
+    f.close()

package/semgrep-rules/python/django/security/injection/request-data-write.yaml ADDED Viewed

@@ -0,0 +1,198 @@
+rules:
+- id: request-data-write
+  message: >-
+    Found user-controlled request data passed into '.write(...)'. This could be dangerous
+    if a malicious actor is able to control data into sensitive files. For example,
+    a malicious actor could force rolling of critical log files, or cause a denial-of-service
+    by using up available disk space. Instead, ensure that request data is properly
+    escaped or sanitized.
+  metadata:
+    cwe:
+    - "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"
+    owasp:
+    - A03:2021 - Injection
+    category: security
+    technology:
+    - django
+    references:
+    - https://owasp.org/Top10/A03_2021-Injection
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: MEDIUM
+    confidence: MEDIUM
+  languages: [python]
+  severity: WARNING
+  pattern-either:
+  - pattern: $F.write(..., request.$W.get(...), ...)
+  - pattern: |
+      $DATA = request.$W.get(...)
+      ...
+      $F.write(..., $DATA, ...)
+  - pattern: |
+      $DATA = request.$W.get(...)
+      ...
+      $INTERM = $DATA
+      ...
+      $F.write(..., $INTERM, ...)
+  - pattern: |
+      $DATA = request.$W.get(...)
+      ...
+      $F.write(..., $B.$C(..., $DATA, ...), ...)
+  - pattern: |
+      $DATA = request.$W.get(...)
+      ...
+      $INTERM = $B.$C(..., $DATA, ...)
+      ...
+      $F.write(..., $INTERM, ...)
+  - pattern: |
+      $DATA = request.$W.get(...)
+      ...
+      $F.write(..., $STR % $DATA, ...)
+  - pattern: |
+      $DATA = request.$W.get(...)
+      ...
+      $INTERM = $STR % $DATA
+      ...
+      $F.write(..., $INTERM, ...)
+  - pattern: |
+      $DATA = request.$W.get(...)
+      ...
+      $F.write(..., f"...{$DATA}...", ...)
+  - pattern: |
+      $DATA = request.$W.get(...)
+      ...
+      $INTERM = f"...{$DATA}..."
+      ...
+      $F.write(..., $INTERM, ...)
+  - pattern: $A = $F.write(..., request.$W.get(...), ...)
+  - pattern: return $F.write(..., request.$W.get(...), ...)
+  - pattern: $F.write(..., request.$W(...), ...)
+  - pattern: |
+      $DATA = request.$W(...)
+      ...
+      $F.write(..., $DATA, ...)
+  - pattern: |
+      $DATA = request.$W(...)
+      ...
+      $INTERM = $DATA
+      ...
+      $F.write(..., $INTERM, ...)
+  - pattern: |
+      $DATA = request.$W(...)
+      ...
+      $F.write(..., $B.$C(..., $DATA, ...), ...)
+  - pattern: |
+      $DATA = request.$W(...)
+      ...
+      $INTERM = $B.$C(..., $DATA, ...)
+      ...
+      $F.write(..., $INTERM, ...)
+  - pattern: |
+      $DATA = request.$W(...)
+      ...
+      $F.write(..., $STR % $DATA, ...)
+  - pattern: |
+      $DATA = request.$W(...)
+      ...
+      $INTERM = $STR % $DATA
+      ...
+      $F.write(..., $INTERM, ...)
+  - pattern: |
+      $DATA = request.$W(...)
+      ...
+      $F.write(..., f"...{$DATA}...", ...)
+  - pattern: |
+      $DATA = request.$W(...)
+      ...
+      $INTERM = f"...{$DATA}..."
+      ...
+      $F.write(..., $INTERM, ...)
+  - pattern: $A = $F.write(..., request.$W(...), ...)
+  - pattern: return $F.write(..., request.$W(...), ...)
+  - pattern: $F.write(..., request.$W[...], ...)
+  - pattern: |
+      $DATA = request.$W[...]
+      ...
+      $F.write(..., $DATA, ...)
+  - pattern: |
+      $DATA = request.$W[...]
+      ...
+      $INTERM = $DATA
+      ...
+      $F.write(..., $INTERM, ...)
+  - pattern: |
+      $DATA = request.$W[...]
+      ...
+      $F.write(..., $B.$C(..., $DATA, ...), ...)
+  - pattern: |
+      $DATA = request.$W[...]
+      ...
+      $INTERM = $B.$C(..., $DATA, ...)
+      ...
+      $F.write(..., $INTERM, ...)
+  - pattern: |
+      $DATA = request.$W[...]
+      ...
+      $F.write(..., $STR % $DATA, ...)
+  - pattern: |
+      $DATA = request.$W[...]
+      ...
+      $INTERM = $STR % $DATA
+      ...
+      $F.write(..., $INTERM, ...)
+  - pattern: |
+      $DATA = request.$W[...]
+      ...
+      $F.write(..., f"...{$DATA}...", ...)
+  - pattern: |
+      $DATA = request.$W[...]
+      ...
+      $INTERM = f"...{$DATA}..."
+      ...
+      $F.write(..., $INTERM, ...)
+  - pattern: $A = $F.write(..., request.$W[...], ...)
+  - pattern: return $F.write(..., request.$W[...], ...)
+  - pattern: $F.write(..., request.$W, ...)
+  - pattern: |
+      $DATA = request.$W
+      ...
+      $F.write(..., $DATA, ...)
+  - pattern: |
+      $DATA = request.$W
+      ...
+      $INTERM = $DATA
+      ...
+      $F.write(..., $INTERM, ...)
+  - pattern: |
+      $DATA = request.$W
+      ...
+      $F.write(..., $B.$C(..., $DATA, ...), ...)
+  - pattern: |
+      $DATA = request.$W
+      ...
+      $INTERM = $B.$C(..., $DATA, ...)
+      ...
+      $F.write(..., $INTERM, ...)
+  - pattern: |
+      $DATA = request.$W
+      ...
+      $F.write(..., $STR % $DATA, ...)
+  - pattern: |
+      $DATA = request.$W
+      ...
+      $INTERM = $STR % $DATA
+      ...
+      $F.write(..., $INTERM, ...)
+  - pattern: |
+      $DATA = request.$W
+      ...
+      $F.write(..., f"...{$DATA}...", ...)
+  - pattern: |
+      $DATA = request.$W
+      ...
+      $INTERM = f"...{$DATA}..."
+      ...
+      $F.write(..., $INTERM, ...)
+  - pattern: $A = $F.write(..., request.$W, ...)
+  - pattern: return $F.write(..., request.$W, ...)

package/semgrep-rules/python/django/security/injection/sql/sql-injection-extra.py ADDED Viewed

@@ -0,0 +1,44 @@
+from django.http import HttpResponse
+class Person(models.Model):
+    first_name = models.CharField(...)
+    last_name = models.CharField(...)
+    birth_date = models.DateField(...)
+##### extra() True Positives #########
+def get_user_age(request):
+  # ruleid: sql-injection-using-extra-where
+  user_name = request.data.get('user_name')
+  user_age = Person.objects.extra(where=["name = %s" % user_name])
+  html = "<html><body>User Age %s.</body></html>" % user_age
+  return HttpResponse(html)
+def get_user_age(request):
+  # ruleid: sql-injection-using-extra-where
+  user_name = request.data.get('user_name')
+  user_age = Person.objects.extra(where=["name = %s" % user_name, "id not NULL"])
+  html = "<html><body>User Age %s.</body></html>" % user_age
+  return HttpResponse(html)
+def get_user_age(request):
+  # ruleid: sql-injection-using-extra-where
+  path = request.path
+  user_age = Person.objects.extra(where=["path = %s" % path])
+  html = "<html><body>User Age %s.</body></html>" % user_age
+  return HttpResponse(html)
+def get_user_age(request):
+  # ruleid: sql-injection-using-extra-where
+  path = request.path
+  user_age = Person.objects.extra(where=[f"path ={path}"])
+  html = "<html><body>User Age %s.</body></html>" % user_age
+  return HttpResponse(html)
+##### extra() True Negative #########
+def get_user_age(request):
+  # no dataflow
+  user_name = request.data.get('user_name')
+  user_age = Person.objects.extra(where=["name = 'user_name'"])
+  html = "<html><body>User Age %s.</body></html>" % user_age
+  return HttpResponse(html)