|
critical
|
—
|
SQL string concatenation detected
|
D
SQL Injection
|
—
|
—
|
Description
SQL string concatenation detected
Code Snippet
return await branching.createBranch(project_id, { name });
Remediation
Use parameterized queries with placeholders
Confidence
high
Rule ID
MCP-D002
|
|
critical
|
—
|
SQL string concatenation detected
|
D
SQL Injection
|
—
|
—
|
Description
SQL string concatenation detected
Code Snippet
"text": "{"swagger":"2.0","info":{"description":"","title":"standard public schema","version":"12.2....
Remediation
Use parameterized queries with placeholders
Confidence
high
Rule ID
MCP-D002
|
|
critical
|
—
|
Dangerous function used (eval, exec, compile)
|
A
RCE
|
—
|
—
|
Description
Dangerous function used (eval, exec, compile)
Code Snippet
await project.db.exec('create table test.test_2 (id serial primary key);');
Remediation
Avoid eval/exec; use safer alternatives like ast.literal_eval
Confidence
high
Rule ID
MCP-A004
|
|
critical
|
—
|
SQL string concatenation detected
|
D
SQL Injection
|
—
|
—
|
Description
SQL string concatenation detected
Code Snippet
description: `Deploys an Edge Function to a Supabase project. If the function already exists, this w...
Remediation
Use parameterized queries with placeholders
Confidence
high
Rule ID
MCP-D002
|
|
critical
|
—
|
Dangerous function used (eval, exec, compile)
|
A
RCE
|
—
|
—
|
Description
Dangerous function used (eval, exec, compile)
Code Snippet
// Use query() method with parameters if provided, otherwise use exec()
Remediation
Avoid eval/exec; use safer alternatives like ast.literal_eval
Confidence
high
Rule ID
MCP-A004
|
|
critical
|
—
|
Dangerous function used (eval, exec, compile)
|
A
RCE
|
—
|
—
|
Description
Dangerous function used (eval, exec, compile)
Code Snippet
const [results] = await db.exec(query);
Remediation
Avoid eval/exec; use safer alternatives like ast.literal_eval
Confidence
high
Rule ID
MCP-A004
|
|
critical
|
—
|
SQL string concatenation detected
|
D
SQL Injection
|
—
|
—
|
Description
SQL string concatenation detected
Code Snippet
http.delete<{ branchId: string }>(
Remediation
Use parameterized queries with placeholders
Confidence
high
Rule ID
MCP-D002
|
|
critical
|
—
|
Dangerous function used (eval, exec, compile)
|
A
RCE
|
—
|
—
|
Description
Dangerous function used (eval, exec, compile)
Code Snippet
this.#db!.exec(`
Remediation
Avoid eval/exec; use safer alternatives like ast.literal_eval
Confidence
high
Rule ID
MCP-A004
|
|
critical
|
—
|
Dangerous function used (eval, exec, compile)
|
A
RCE
|
—
|
—
|
Description
Dangerous function used (eval, exec, compile)
Code Snippet
const [results] = await this.db.exec(migration.query);
Remediation
Avoid eval/exec; use safer alternatives like ast.literal_eval
Confidence
high
Rule ID
MCP-A004
|
|
critical
|
—
|
SQL string concatenation detected
|
D
SQL Injection
|
—
|
—
|
Description
SQL string concatenation detected
Code Snippet
console.log(`Updated server.json version to ${version}`);
Remediation
Use parameterized queries with placeholders
Confidence
high
Rule ID
MCP-D002
|
|
critical
|
—
|
SQL string concatenation detected
|
D
SQL Injection
|
—
|
—
|
Description
SQL string concatenation detected
Code Snippet
const query = 'select 1+1 as sum';
Remediation
Use parameterized queries with placeholders
Confidence
high
Rule ID
MCP-D002
|
|
critical
|
—
|
SQL string concatenation detected
|
D
SQL Injection
|
—
|
—
|
Description
SQL string concatenation detected
Code Snippet
const query = 'select 1+1 as sum';
Remediation
Use parameterized queries with placeholders
Confidence
high
Rule ID
MCP-D002
|
|
critical
|
—
|
Dangerous function used (eval, exec, compile)
|
A
RCE
|
—
|
—
|
Description
Dangerous function used (eval, exec, compile)
Code Snippet
await project.db.exec(
Remediation
Avoid eval/exec; use safer alternatives like ast.literal_eval
Confidence
high
Rule ID
MCP-A004
|
|
critical
|
—
|
Dangerous function used (eval, exec, compile)
|
A
RCE
|
—
|
—
|
Description
Dangerous function used (eval, exec, compile)
Code Snippet
await project.db.exec(`
Remediation
Avoid eval/exec; use safer alternatives like ast.literal_eval
Confidence
high
Rule ID
MCP-A004
|
|
high
|
—
|
Hardcoded secret detected
|
E
Secrets/Tokens
|
—
|
—
|
Description
Hardcoded secret detected
Code Snippet
api_key: 'sb_publishable_dummy_key_1',
Remediation
Use environment variables or secret management system
Confidence
medium
Rule ID
MCP-E001
|
|
high
|
—
|
Outbound connection to dynamically constructed URL
|
M
Hidden Network
|
—
|
—
|
Description
Outbound connection to dynamically constructed URL
Code Snippet
const response = await fetch(ensureTrailingSlash(apiUrl), {
Remediation
Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction
Confidence
medium
Rule ID
MCP-M003
|
|
medium
|
—
|
Potential secret in variable name
|
E
Secrets/Tokens
|
—
|
—
|
Description
Potential secret in variable name
Code Snippet
{ accessToken = ACCESS_TOKEN, projectId, readOnly }
Remediation
Avoid storing secrets in plaintext variables
Confidence
low
Rule ID
MCP-E002
|
|
medium
|
—
|
Potential secret in variable name
|
E
Secrets/Tokens
|
—
|
—
|
Description
Potential secret in variable name
Remediation
Avoid storing secrets in plaintext variables
Confidence
low
Rule ID
MCP-E002
|
|
medium
|
—
|
Potential secret in variable name
|
E
Secrets/Tokens
|
—
|
—
|
Description
Potential secret in variable name
Code Snippet
{
values: { apiUrl, apiKey, schema },
}
Remediation
Avoid storing secrets in plaintext variables
Confidence
low
Rule ID
MCP-E002
|
|
medium
|
—
|
Potential secret in variable name
|
E
Secrets/Tokens
|
—
|
—
|
Description
Potential secret in variable name
Code Snippet
{ accessToken = ACCESS_TOKEN, projectId, readOnly, features }
Remediation
Avoid storing secrets in plaintext variables
Confidence
low
Rule ID
MCP-E002
|
|
medium
|
—
|
Potential secret in variable name
|
E
Secrets/Tokens
|
—
|
—
|
Description
Potential secret in variable name
Remediation
Avoid storing secrets in plaintext variables
Confidence
low
Rule ID
MCP-E002
|
|
medium
|
—
|
Potential secret in variable name
|
E
Secrets/Tokens
|
—
|
—
|
Description
Potential secret in variable name
Code Snippet
{ accessToken, apiUrl }
Remediation
Avoid storing secrets in plaintext variables
Confidence
low
Rule ID
MCP-E002
|
|
medium
|
—
|
Potential secret in variable name
|
E
Secrets/Tokens
|
—
|
—
|
Description
Potential secret in variable name
Code Snippet
{ accessToken = ACCESS_TOKEN, projectId, readOnly, features }
Remediation
Avoid storing secrets in plaintext variables
Confidence
low
Rule ID
MCP-E002
|
|
medium
|
—
|
Potential secret in variable name
|
E
Secrets/Tokens
|
—
|
—
|
Description
Potential secret in variable name
Code Snippet
{
values: {
['access-token']: cliAccessToken,
['project-ref']: projectId,
['read-only']: readOnly,
['api-url']: apiUrl,
['version']: showVersion,
['features']: cliFeatures,
},
}
Remediation
Avoid storing secrets in plaintext variables
Confidence
low
Rule ID
MCP-E002
|
|
medium
|
—
|
Potential secret in variable name
|
E
Secrets/Tokens
|
—
|
—
|
Description
Potential secret in variable name
Code Snippet
authResponse
Remediation
Avoid storing secrets in plaintext variables
Confidence
low
Rule ID
MCP-E002
|