@offgridsec/kira-lite-mcp 0.1.2 → 0.1.3
- package/PRIVACY.md +9 -1
- package/README.md +1 -1
- package/dist/config.d.ts +5 -0
- package/dist/config.js +1 -1
- package/dist/core/engines/kira-core.js +1 -1
- package/dist/core/engines/osv.js +485 -1
- package/dist/core/engines/runner.js +30 -1
- package/dist/core/scanner.js +101 -1
- package/dist/core/types.js +1 -1
- package/dist/core/utils.js +70 -1
- package/dist/index.js +477 -1
- package/dist/rules/c-cpp.js +202 -1
- package/dist/rules/cicd.js +144 -1
- package/dist/rules/csharp.js +207 -1
- package/dist/rules/docker.js +143 -1
- package/dist/rules/go.js +184 -1
- package/dist/rules/index.js +147 -1
- package/dist/rules/java.js +1 -1
- package/dist/rules/javascript-extended.js +1 -1
- package/dist/rules/javascript.js +1 -1
- package/dist/rules/kubernetes.js +1 -1
- package/dist/rules/php.js +1 -1
- package/dist/rules/python-extended.js +1 -1
- package/dist/rules/python.js +1 -1
- package/dist/rules/ruby.js +1 -1
- package/dist/rules/secrets-extended.js +1 -1
- package/dist/rules/secrets.js +1 -1
- package/dist/rules/shell.js +1 -1
- package/dist/rules/terraform.js +1 -1
- package/dist/telemetry.d.ts +1 -0
- package/dist/telemetry.js +1 -1
- package/dist/tools/fix-vulnerability.js +1 -1
- package/dist/tools/scan-code.js +1 -1
- package/dist/tools/scan-dependencies.js +1 -1
- package/dist/tools/scan-diff.js +1 -1
- package/dist/tools/scan-file.js +1 -1
- package/package.json +1 -1
package/dist/rules/c-cpp.js
CHANGED
|
@@ -1 +1,202 @@
|
|
|
1
|
-
(function(_0x48d0cc,_0x68ad6a){const _0x3845ba={_0x4a45d5:0x4b1,_0x1c941b:0xf1,_0xb4fcbc:0xcf,_0xed73a3:0xd7,_0x1d55c0:0x93,_0x4698f6:0x133,_0x56571a:0x6fc,_0x20cc47:0x51c,_0x1e8bc1:0x52d,_0x405056:0x7a},_0x1e2659={_0x4c0393:0x388},_0x3fb1f9={_0x3f1339:0x1a9};function _0x1c2159(_0x384146,_0x184768){return _0x1f23(_0x184768- -_0x3fb1f9._0x3f1339,_0x384146);}function _0x2ca202(_0x4adc91,_0xd950f8){return _0x1f23(_0xd950f8-_0x1e2659._0x4c0393,_0x4adc91);}const _0x104dff=_0x48d0cc();while(!![]){try{const _0x508a92=parseInt(_0x2ca202(0x40c,_0x3845ba._0x4a45d5))/(0x1*-0x25be+-0x126f+-0x1c17*-0x2)*(-parseInt(_0x1c2159(0xb2,_0x3845ba._0x1c941b))/(0x1090+-0x16af*-0x1+-0xf5*0x29))+-parseInt(_0x2ca202(0x3f7,0x50a))/(-0x66*0x43+-0x2149+0x3bfe)+parseInt(_0x1c2159(0xe9,-0x20))/(0x1b6+0x1*0x1503+-0x16b5)*(-parseInt(_0x1c2159(_0x3845ba._0xb4fcbc,0x17))/(0x493*0x1+-0x1*-0x12aa+-0x1738))+parseInt(_0x1c2159(-_0x3845ba._0xed73a3,-0x3c))/(-0x1*-0x115e+0xc*0x117+-0x3*0xa24)*(-parseInt(_0x1c2159(_0x3845ba._0x1d55c0,_0x3845ba._0x4698f6))/(-0x8e*0x1f+0x187*0x17+-0x11e8))+-parseInt(_0x2ca202(_0x3845ba._0x56571a,0x673))/(0x61*0x65+0x1716+0x1471*-0x3)*(-parseInt(_0x2ca202(0x4c2,0x480))/(-0x502*0x3+0x1b7e+-0xc6f))+parseInt(_0x2ca202(_0x3845ba._0x20cc47,_0x3845ba._0x1e8bc1))/(0x1*0x10d5+-0x21a*0x3+0x1*-0xa7d)+parseInt(_0x1c2159(_0x3845ba._0x405056,-0x1f))/(-0x3*0x85f+0x16cd*0x1+0x25b);if(_0x508a92===_0x68ad6a)break;else _0x104dff['push'](_0x104dff['shift']());}catch(_0x4e4da2){_0x104dff['push'](_0x104dff['shift']());}}}(_0xf3dc,-0x10964+0xd188+0x212e4));const 
_0x4d5cb7={};_0x4d5cb7['id']=_0x2921c6(0x2ef,0x320)+_0x4a6c51(0x330,0x21a),_0x4d5cb7[_0x2921c6(0x249,0x2da)]=_0x2921c6(0x216,0x2d1)+'20',_0x4d5cb7[_0x4a6c51(0x22e,0x292)+_0x4a6c51(0x2b6,0x289)]=_0x4a6c51(0x1a3,0x1c9)+_0x4a6c51(0x2cd,0x399),_0x4d5cb7[_0x2921c6(0x2ec,0x28d)]=_0x4a6c51(0x219,0x13d)+_0x2921c6(0x2bb,0x2b0)+_0x4a6c51(0x2d8,0x233)+_0x2921c6(0x33a,0x2cc)+_0x2921c6(0x4fb,0x40c)+'usage',_0x4d5cb7[_0x4a6c51(0x2ea,0x2fb)+_0x4a6c51(0x30c,0x226)+'n']=_0x2921c6(0x418,0x381)+')\x20rea'+'ds\x20in'+'put\x20w'+'ithou'+'t\x20bou'+'nds\x20c'+'hecki'+'ng\x20an'+'d\x20is\x20'+_0x2921c6(0x3ed,0x3d4)+_0x4a6c51(0x1f4,0x211)+_0x4a6c51(0x28e,0x1fa)+_0x4a6c51(0x2c3,0x1ff)+'\x20func'+'tion.'+_0x4a6c51(0x1ba,0x261)+'ved\x20i'+_0x2921c6(0x206,0x293)+'.',_0x4d5cb7[_0x4a6c51(0x175,0x81)+_0x4a6c51(0x2d4,0x2da)]=['c',_0x4a6c51(0x25f,0x1cd)],_0x4d5cb7['patte'+'rn']=/\bgets\s*\(/g,_0x4d5cb7['fix']=_0x2921c6(0x3dd,0x3b8)+_0x2921c6(0x358,0x381)+'buf,\x20'+_0x2921c6(0x1c6,0x2a4)+'f(buf'+_0x4a6c51(0x2c7,0x1b4)+_0x2921c6(0x26a,0x2b6)+_0x4a6c51(0x281,0x2ab)+_0x4a6c51(0x1a8,0x291)+'\x20gets'+_0x4a6c51(0x363,0x2fa);const _0x38f602={};function _0x1f23(_0x4ca639,_0x474a2a){_0x4ca639=_0x4ca639-(0x18e1+-0x1ed5+0x5*0x15d);const _0x1e4665=_0xf3dc();let _0x2fcf69=_0x1e4665[_0x4ca639];if(_0x1f23['WqSmPn']===undefined){var _0x4e3a99=function(_0x44a66e){const _0x47f676='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';let _0x338a95='',_0x1bee05='';for(let _0x4efb18=-0x161c+0x3b5+0x1*0x1267,_0x59edda,_0x482d6e,_0x5185bb=-0x2004+-0x2094+-0x1588*-0x3;_0x482d6e=_0x44a66e['charAt'](_0x5185bb++);~_0x482d6e&&(_0x59edda=_0x4efb18%(0x242d+-0x2c2*0x2+-0x1ea5*0x1)?_0x59edda*(-0x5c6+-0x103d+0x1643)+_0x482d6e:_0x482d6e,_0x4efb18++%(-0x1fd7+-0x166f+0x2*0x1b25))?_0x338a95+=String['fromCharCode'](0x4ef+0x1*0x3dd+0x7cd*-0x1&_0x59edda>>(-(0x1a5e+-0xc90+0x4*-0x373)*_0x4efb18&-0xce2+-0x20fd+-0x17b*-0x1f)):-0x1092+-0x1f0+0x2e*0x67){_0x482d6e=_0x47f676['indexOf'](_0x482d6e);}for(let 
_0x39eed9=0xba8+0x2ad+-0xe55,_0x4b3c21=_0x338a95['length'];_0x39eed9<_0x4b3c21;_0x39eed9++){_0x1bee05+='%'+('00'+_0x338a95['charCodeAt'](_0x39eed9)['toString'](-0x2584+0x508*0x1+-0x1*-0x208c))['slice'](-(-0x11f*0xa+0x1*-0x22bf+0x2df7));}return decodeURIComponent(_0x1bee05);};_0x1f23['vOPcCZ']=_0x4e3a99,_0x1f23['IoFZdd']={},_0x1f23['WqSmPn']=!![];}const _0x1b7fd4=_0x1e4665[-0x22bf+0x19fc+0x8c3],_0x3bb8ca=_0x4ca639+_0x1b7fd4,_0x5f1869=_0x1f23['IoFZdd'][_0x3bb8ca];return!_0x5f1869?(_0x2fcf69=_0x1f23['vOPcCZ'](_0x2fcf69),_0x1f23['IoFZdd'][_0x3bb8ca]=_0x2fcf69):_0x2fcf69=_0x5f1869,_0x2fcf69;}_0x38f602['id']=_0x4a6c51(0x211,0x1b5)+_0x2921c6(0x3e9,0x444),_0x38f602['cwe']=_0x4a6c51(0x1c2,0x250)+'20',_0x38f602['sever'+_0x4a6c51(0x2b6,0x29a)]=_0x4a6c51(0x1a3,0x1f4)+_0x4a6c51(0x2cd,0x271),_0x38f602[_0x4a6c51(0x17e,0xfe)]=_0x4a6c51(0x219,0x13c)+_0x2921c6(0x19a,0x2b0)+_0x2921c6(0x4f5,0x3e7)+_0x2921c6(0x326,0x3d7)+'rcpy\x20'+_0x4a6c51(0x333,0x433)+_0x4a6c51(0x1ac,0x177)+_0x2921c6(0x328,0x436),_0x38f602[_0x4a6c51(0x2ea,0x23e)+_0x2921c6(0x4e6,0x41b)+'n']='strcp'+_0x4a6c51(0x30f,0x2cc)+_0x2921c6(0x4cf,0x3ba)+_0x4a6c51(0x22b,0x2de)+_0x4a6c51(0x226,0x2f8)+_0x4a6c51(0x228,0x235)+_0x4a6c51(0x251,0x1ee)+_0x2921c6(0x216,0x2f3)+_0x2921c6(0x367,0x2ce)+_0x2921c6(0x396,0x366)+_0x2921c6(0x466,0x368)+_0x2921c6(0x38f,0x315)+_0x2921c6(0x484,0x3ca)+_0x4a6c51(0x20a,0x2dc)+_0x2921c6(0x39c,0x33e)+_0x2921c6(0x369,0x3cd)+_0x2921c6(0x51d,0x461)+_0x2921c6(0x3f5,0x40e)+_0x2921c6(0x3ab,0x3fa),_0x38f602[_0x2921c6(0x1cf,0x284)+_0x4a6c51(0x2d4,0x2ac)]=['c',_0x2921c6(0x3d6,0x36e)],_0x38f602['patte'+'rn']=/\bstrcpy\s*\(/g,_0x38f602[_0x4a6c51(0x338,0x332)]=_0x4a6c51(0x37a,0x40b)+_0x4a6c51(0x17d,0x1f2)+_0x2921c6(0x340,0x2e9)+_0x4a6c51(0x2c9,0x2aa)+_0x2921c6(0x3f4,0x40f)+_0x2921c6(0x345,0x44d)+_0x4a6c51(0x25d,0x181)+_0x4a6c51(0x2a6,0x350)+_0x4a6c51(0x331,0x3e7)+'trlcp'+_0x4a6c51(0x36b,0x28e)+_0x2921c6(0x3f4,0x3c9)+_0x2921c6(0x4e3,0x41c)+_0x4a6c51(0x295,0x1f6)+_0x4a6c51(0x1d5,0x139)+_0x4a6c51(0x2b4,0x357)+_0x4a6c51
(0x1e5,0x15f)+_0x2921c6(0x345,0x346)+'in\x20C+'+'+.';const _0x89d062={};_0x89d062['id']='C-BOF'+_0x2921c6(0x4f2,0x481),_0x89d062[_0x2921c6(0x281,0x2da)]=_0x2921c6(0x2cb,0x2d1)+'20',_0x89d062[_0x4a6c51(0x22e,0x120)+_0x2921c6(0x478,0x3c5)]=_0x4a6c51(0x1a3,0x2a0)+_0x4a6c51(0x2cd,0x3bb),_0x89d062[_0x4a6c51(0x17e,0x163)]='Buffe'+_0x2921c6(0x344,0x2b0)+_0x4a6c51(0x2d8,0x1f9)+_0x4a6c51(0x2c8,0x3b3)+'rcat\x20'+_0x4a6c51(0x333,0x2ae)+_0x4a6c51(0x1ac,0x191)+'unds',_0x89d062['descr'+_0x4a6c51(0x30c,0x39e)+'n']=_0x4a6c51(0x24f,0x1f0)+_0x4a6c51(0x1f6,0x2c9)+_0x2921c6(0x3ee,0x409)+_0x2921c6(0x2b6,0x29b)+_0x4a6c51(0x284,0x2d7)+_0x2921c6(0x36b,0x37d)+_0x2921c6(0x20c,0x283)+'s\x20che'+_0x4a6c51(0x223,0x10e)+'.',_0x89d062[_0x2921c6(0x23b,0x284)+_0x4a6c51(0x2d4,0x2be)]=['c',_0x2921c6(0x472,0x36e)],_0x89d062[_0x2921c6(0x2dd,0x29d)+'rn']=/\bstrcat\s*\(/g,_0x89d062[_0x4a6c51(0x338,0x2bb)]=_0x4a6c51(0x37a,0x319)+_0x4a6c51(0x262,0x1f8)+_0x4a6c51(0x362,0x478)+_0x2921c6(0x2c8,0x3d8)+_0x4a6c51(0x300,0x22c)+_0x4a6c51(0x33e,0x371)+_0x2921c6(0x3e6,0x36c)+_0x2921c6(0x1ba,0x2a3)+_0x2921c6(0x266,0x286)+_0x4a6c51(0x25d,0x20c)+'\x20-\x201)'+_0x4a6c51(0x331,0x24c)+'trlca'+'t().\x20'+_0x2921c6(0x38a,0x30c)+_0x4a6c51(0x1e1,0x22b)+_0x2921c6(0x416,0x398)+'ing\x20i'+_0x2921c6(0x402,0x474)+'.';const _0x7ed896={};_0x7ed896['id']='C-BOF'+'-004',_0x7ed896[_0x2921c6(0x28b,0x2da)]=_0x4a6c51(0x1c2,0x220)+'20';function _0x2921c6(_0x436be1,_0x264e3e){const _0x53cbcc={_0x43034c:0x19a};return 
_0x1f23(_0x264e3e-_0x53cbcc._0x43034c,_0x436be1);}_0x7ed896[_0x4a6c51(0x22e,0x1ca)+_0x2921c6(0x33c,0x3c5)]=_0x4a6c51(0x1a3,0x1ad)+'cal',_0x7ed896['title']='Buffe'+'r\x20Ove'+_0x2921c6(0x370,0x3e7)+_0x2921c6(0x458,0x34b)+_0x4a6c51(0x2b5,0x2ae)+'\x20with'+_0x2921c6(0x3e0,0x335)+_0x4a6c51(0x228,0x1a4),_0x7ed896['descr'+_0x4a6c51(0x30c,0x401)+'n']=_0x2921c6(0x350,0x316)+'tf()\x20'+_0x4a6c51(0x191,0x220)+_0x4a6c51(0x284,0x1e1)+'hout\x20'+_0x4a6c51(0x174,0x1c1)+_0x4a6c51(0x225,0x135)+_0x2921c6(0x42c,0x332)+_0x2921c6(0x4af,0x487)+_0x2921c6(0x35d,0x28e)+_0x4a6c51(0x38a,0x2d6)+_0x2921c6(0x390,0x349)+_0x4a6c51(0x2d8,0x25d)+'.',_0x7ed896['langu'+_0x4a6c51(0x2d4,0x2a5)]=['c','cpp'],_0x7ed896[_0x2921c6(0x398,0x29d)+'rn']=/\bsprintf\s*\(/g,_0x7ed896[_0x2921c6(0x39f,0x447)]=_0x2921c6(0x4a1,0x489)+_0x2921c6(0x3cf,0x49c)+'tf(bu'+'f,\x20si'+_0x2921c6(0x45f,0x44d)+'buf),'+_0x2921c6(0x1fe,0x2d4)+_0x4a6c51(0x321,0x271)+'\x20inst'+'ead\x20o'+'f\x20spr'+_0x4a6c51(0x1e0,0xef)+').';const _0x109017={};_0x109017['id']=_0x2921c6(0x35d,0x320)+_0x2921c6(0x2cc,0x2d7),_0x109017[_0x4a6c51(0x1cb,0xfd)]='CWE-1'+'20',_0x109017[_0x4a6c51(0x22e,0x25f)+_0x4a6c51(0x2b6,0x34e)]='high',_0x109017[_0x4a6c51(0x17e,0x1f0)]=_0x2921c6(0x38e,0x328)+_0x4a6c51(0x1a1,0x9f)+_0x4a6c51(0x2d8,0x276)+_0x2921c6(0x399,0x34c)+_0x4a6c51(0x217,0x288)+_0x2921c6(0x2f3,0x393)+_0x2921c6(0x2be,0x37d)+_0x4a6c51(0x1c0,0x250),_0x109017[_0x4a6c51(0x2ea,0x3fc)+_0x4a6c51(0x30c,0x216)+'n']=_0x2921c6(0x2db,0x39a)+'\x20with'+_0x2921c6(0x2a8,0x2f2)+_0x2921c6(0x500,0x488)+_0x4a6c51(0x333,0x360)+_0x4a6c51(0x1ac,0xe8)+_0x2921c6(0x2de,0x34d)+_0x4a6c51(0x1bf,0x17b)+'ing\x20b'+_0x2921c6(0x2b3,0x368)+_0x4a6c51(0x206,0x148)+_0x2921c6(0x2e6,0x3ca)+_0x2921c6(0x517,0x47c)+_0x2921c6(0x4e6,0x408)+_0x4a6c51(0x384,0x34a),_0x109017[_0x2921c6(0x2a1,0x284)+_0x2921c6(0x3fc,0x3e3)]=['c',_0x4a6c51(0x25f,0x252)],_0x109017[_0x4a6c51(0x18e,0x121)+'rn']=/scanf\s*\(\s*["'][^"']*%[^0-9]*s/g,_0x109017[_0x4a6c51(0x338,0x3bb)]='Speci'+'fy\x20a\x20'+'width'+_0x4a6c51(0x1d
d,0x1a3)+'nf(\x22%'+'255s\x22'+_0x4a6c51(0x19b,0x1d4)+')\x20for'+_0x2921c6(0x419,0x44f)+_0x4a6c51(0x1fe,0x1c6)+_0x4a6c51(0x1e6,0x15a)+_0x2921c6(0x3a0,0x339)+_0x2921c6(0x3a1,0x30c)+'e\x20fge'+_0x2921c6(0x2ca,0x3a1);const _0x6fbfdf={};_0x6fbfdf['id']=_0x2921c6(0x4dd,0x40d)+_0x2921c6(0x3f4,0x43f),_0x6fbfdf[_0x2921c6(0x3b3,0x2da)]=_0x4a6c51(0x1c2,0x14f)+'34',_0x6fbfdf[_0x2921c6(0x259,0x33d)+_0x4a6c51(0x2b6,0x226)]=_0x2921c6(0x3c6,0x2b2)+_0x4a6c51(0x2cd,0x3a2),_0x6fbfdf[_0x4a6c51(0x17e,0xdc)]=_0x2921c6(0x371,0x347)+_0x4a6c51(0x336,0x2e1)+_0x2921c6(0x275,0x385)+_0x4a6c51(0x27b,0x1ea)+_0x4a6c51(0x26d,0x20c)+_0x4a6c51(0x296,0x331)+_0x4a6c51(0x369,0x36c)+_0x4a6c51(0x2de,0x379)+_0x4a6c51(0x221,0x14c)+_0x2921c6(0x2ab,0x31d)+_0x4a6c51(0x38c,0x39a)+'ng',_0x6fbfdf['descr'+'iptio'+'n']=_0x2921c6(0x35c,0x446)+_0x4a6c51(0x32a,0x3b4)+_0x2921c6(0x3f9,0x2fa)+_0x2921c6(0x281,0x2d8)+_0x4a6c51(0x2bc,0x2c6)+'\x20form'+_0x2921c6(0x2f4,0x3e1)+'ring\x20'+_0x4a6c51(0x31c,0x2f4)+_0x4a6c51(0x26a,0x252)+_0x2921c6(0x452,0x3b1)+'y\x20fun'+'ction'+_0x2921c6(0x3e2,0x2e8)+_0x2921c6(0x500,0x464)+_0x2921c6(0x52c,0x46f)+_0x4a6c51(0x2dc,0x228)+'ting\x20'+_0x2921c6(0x34e,0x3b6)+_0x4a6c51(0x38b,0x3d7)+'memor'+'y.',_0x6fbfdf[_0x4a6c51(0x175,0x15d)+'ages']=['c','cpp'],_0x6fbfdf[_0x2921c6(0x2bb,0x29d)+'rn']=/(?:printf|fprintf|sprintf|snprintf|syslog|err|warn)\s*\(\s*(?!["'])[a-zA-Z_]/g,_0x6fbfdf[_0x2921c6(0x3eb,0x447)]='Alway'+_0x4a6c51(0x1db,0x2e8)+_0x2921c6(0x41d,0x468)+_0x4a6c51(0x322,0x2ba)+'strin'+_0x4a6c51(0x178,0xd2)+_0x4a6c51(0x36e,0x34e)+_0x4a6c51(0x32c,0x22a)+_0x4a6c51(0x37d,0x27e)+_0x4a6c51(0x2ec,0x284)+_0x2921c6(0x268,0x299)+_0x4a6c51(0x2aa,0x2eb)+'\x20not\x20'+_0x2921c6(0x356,0x466)+_0x4a6c51(0x290,0x226)+'r_inp'+_0x4a6c51(0x1c3,0x1dd);const 
_0x527a4e={};_0x527a4e['id']=_0x2921c6(0x3ea,0x32d)+_0x4a6c51(0x330,0x275),_0x527a4e[_0x2921c6(0x1cf,0x2da)]=_0x2921c6(0x328,0x2d1)+'90',_0x527a4e['sever'+'ity']=_0x4a6c51(0x2a5,0x29e),_0x527a4e[_0x2921c6(0x385,0x28d)]=_0x2921c6(0x57e,0x48f)+_0x2921c6(0x385,0x2eb)+'erflo'+_0x2921c6(0x342,0x314)+_0x2921c6(0x368,0x3af)+_0x4a6c51(0x2c1,0x305)+'ked\x20A'+_0x4a6c51(0x356,0x37f)+'etic\x20'+'for\x20A'+_0x2921c6(0x3c1,0x3c0)+'tion',_0x527a4e['descr'+_0x4a6c51(0x30c,0x399)+'n']=_0x2921c6(0x3a5,0x48f)+'er\x20ov'+_0x2921c6(0x4b4,0x3f8)+'w\x20in\x20'+_0x2921c6(0x30a,0x28f)+'calcu'+_0x2921c6(0x3f0,0x497)+_0x2921c6(0x3c4,0x31e)+'r\x20mal'+_0x2921c6(0x4a5,0x3ac)+'alloc'+_0x2921c6(0x299,0x354)+_0x2921c6(0x2c0,0x3c2)+_0x2921c6(0x31b,0x2a7)+_0x4a6c51(0x265,0x36f)+_0x2921c6(0x26c,0x368)+_0x4a6c51(0x2f0,0x3c8)+_0x4a6c51(0x2f2,0x20b)+_0x2921c6(0x3c3,0x33b)+_0x2921c6(0x2b2,0x315)+'flow.',_0x527a4e[_0x4a6c51(0x175,0x1f1)+_0x2921c6(0x325,0x3e3)]=['c',_0x4a6c51(0x25f,0x2a0)],_0x527a4e['patte'+'rn']=/malloc\s*\(\s*[a-zA-Z_][a-zA-Z0-9_]*\s*\*\s*(?:sizeof|[a-zA-Z_])/g,_0x527a4e[_0x2921c6(0x46b,0x447)]=_0x2921c6(0x444,0x37b)+_0x4a6c51(0x1a6,0x241)+_0x4a6c51(0x1aa,0x196)+_0x2921c6(0x3c5,0x317)+_0x4a6c51(0x319,0x2da)+_0x4a6c51(0x1c4,0x27f)+_0x2921c6(0x41c,0x455)+_0x2921c6(0x345,0x38c)+_0x4a6c51(0x28f,0x1dd)+_0x4a6c51(0x371,0x34d)+_0x4a6c51(0x243,0x24f)+_0x2921c6(0x3e4,0x3ad)+'\x20>\x20SI'+'ZE_MA'+_0x2921c6(0x502,0x490)+_0x2921c6(0x4c0,0x3f1)+_0x4a6c51(0x2e5,0x2e5)+_0x4a6c51(0x1d7,0xe0)+_0x4a6c51(0x34c,0x41f)+_0x4a6c51(0x255,0x2a6)+_0x2921c6(0x393,0x329)+_0x2921c6(0x332,0x3a7)+'which'+_0x2921c6(0x3e2,0x360)+_0x2921c6(0x35d,0x2b3)+_0x2921c6(0x34c,0x27c)+'lly.';const 
_0x46486c={};_0x46486c['id']=_0x4a6c51(0x29f,0x1be)+_0x4a6c51(0x330,0x3b2),_0x46486c['cwe']='CWE-4'+'16',_0x46486c[_0x2921c6(0x439,0x33d)+_0x2921c6(0x3f2,0x3c5)]=_0x4a6c51(0x1a3,0xf5)+'cal',_0x46486c['title']=_0x4a6c51(0x306,0x233)+_0x2921c6(0x1d3,0x28a)+_0x2921c6(0x1ca,0x290)+_0x4a6c51(0x193,0x104)+_0x4a6c51(0x172,0x250)+_0x2921c6(0x553,0x47b)+_0x4a6c51(0x32f,0x380)+'t\x20nul'+_0x4a6c51(0x37c,0x45f)+_0x4a6c51(0x38f,0x2d8)+'er',_0x46486c['descr'+_0x2921c6(0x40d,0x41b)+'n']='Freed'+_0x4a6c51(0x2a8,0x253)+_0x2921c6(0x482,0x395)+'shoul'+'d\x20be\x20'+_0x2921c6(0x3ab,0x3a3)+'o\x20NUL'+'L\x20to\x20'+'preve'+'nt\x20us'+_0x2921c6(0x2d8,0x348)+_0x2921c6(0x545,0x4a0)+_0x4a6c51(0x332,0x3a6)+_0x4a6c51(0x2dd,0x25f)+_0x2921c6(0x359,0x3ea)+_0x4a6c51(0x308,0x33e),_0x46486c['langu'+'ages']=['c',_0x2921c6(0x2f9,0x36e)],_0x46486c['patte'+'rn']=/free\s*\(\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*\)\s*;(?!\s*\1\s*=\s*NULL)/g,_0x46486c[_0x2921c6(0x37e,0x447)]=_0x4a6c51(0x2f7,0x24a)+'ointe'+_0x4a6c51(0x185,0x10b)+_0x4a6c51(0x34b,0x25e)+_0x2921c6(0x36b,0x291)+_0x4a6c51(0x19d,0x260)+_0x4a6c51(0x1ca,0x1d2)+_0x4a6c51(0x1c7,0x2b4)+_0x4a6c51(0x266,0x282)+_0x2921c6(0x1ec,0x2e5)+_0x4a6c51(0x2fc,0x28e);const 
_0x5bd7a0={};_0x5bd7a0['id']=_0x4a6c51(0x258,0x2dc)+_0x2921c6(0x293,0x288),_0x5bd7a0[_0x4a6c51(0x1cb,0x212)]=_0x2921c6(0x406,0x3fd)+'76',_0x5bd7a0[_0x4a6c51(0x22e,0x27c)+_0x2921c6(0x2d8,0x3c5)]=_0x2921c6(0x337,0x3b4),_0x5bd7a0[_0x2921c6(0x373,0x28d)]='Use\x20o'+'f\x20Ban'+_0x4a6c51(0x343,0x3fa)+_0x2921c6(0x314,0x39d)+_0x4a6c51(0x1b6,0x148)+_0x2921c6(0x290,0x38d)+'on\x20—\x20'+'realp'+'ath()',_0x5bd7a0[_0x2921c6(0x34d,0x3f9)+_0x2921c6(0x4ee,0x41b)+'n']='realp'+_0x4a6c51(0x2c4,0x200)+_0x4a6c51(0x22b,0x206)+_0x4a6c51(0x34e,0x2de)+_0x4a6c51(0x29c,0x1ba)+'ng\x20th'+_0x4a6c51(0x21b,0x160)+'ult\x20c'+_0x4a6c51(0x1fc,0x1bd)+_0x4a6c51(0x24a,0x1e9)+_0x2921c6(0x365,0x295)+_0x4a6c51(0x26f,0x1c3)+'symli'+'nk\x20ra'+_0x4a6c51(0x326,0x3cc)+_0x4a6c51(0x318,0x343)+'U).',_0x5bd7a0[_0x4a6c51(0x175,0x7e)+_0x2921c6(0x425,0x3e3)]=['c',_0x2921c6(0x433,0x36e)],_0x5bd7a0['patte'+'rn']=/\brealpath\s*\(/g,_0x5bd7a0[_0x4a6c51(0x338,0x292)]=_0x4a6c51(0x329,0x317)+_0x4a6c51(0x312,0x271)+_0x4a6c51(0x2b0,0x33d)+_0x2921c6(0x3cd,0x3bb)+_0x4a6c51(0x1b7,0x14b)+_0x4a6c51(0x169,0x252)+_0x4a6c51(0x251,0x2e6)+'king\x20'+_0x4a6c51(0x303,0x21e)+_0x4a6c51(0x1e7,0x11c)+'\x20the\x20'+_0x4a6c51(0x334,0x424)+'ved\x20p'+_0x4a6c51(0x2f3,0x3a1)+_0x4a6c51(0x284,0x267)+_0x2921c6(0x4c5,0x454)+_0x2921c6(0x329,0x410)+'pecte'+_0x2921c6(0x437,0x3cc)+_0x2921c6(0x476,0x3f2)+'y.';const 
_0x28f4a7={};_0x28f4a7['id']=_0x2921c6(0x31a,0x367)+'C-002',_0x28f4a7['cwe']=_0x2921c6(0x3d8,0x3fd)+'76',_0x28f4a7['sever'+'ity']=_0x4a6c51(0x2a5,0x2eb),_0x28f4a7[_0x4a6c51(0x17e,0x1ee)]='Use\x20o'+'f\x20Ban'+_0x2921c6(0x34a,0x452)+_0x2921c6(0x343,0x39d)+_0x2921c6(0x206,0x2c5)+_0x4a6c51(0x27e,0x19d)+_0x2921c6(0x41a,0x3bc)+'strto'+_0x2921c6(0x449,0x358),_0x28f4a7['descr'+_0x2921c6(0x3c3,0x41b)+'n']=_0x4a6c51(0x351,0x404)+_0x4a6c51(0x2a3,0x1a4)+'ses\x20g'+'lobal'+_0x4a6c51(0x2b8,0x1eb)+'e,\x20is'+'\x20not\x20'+_0x4a6c51(0x27f,0x330)+'d-saf'+_0x2921c6(0x365,0x473)+_0x2921c6(0x2b6,0x3be)+'ifies'+_0x2921c6(0x279,0x333)+_0x4a6c51(0x2de,0x3f1)+_0x4a6c51(0x38c,0x416)+_0x4a6c51(0x19f,0x94),_0x28f4a7[_0x2921c6(0x1e4,0x284)+_0x4a6c51(0x2d4,0x2c7)]=['c'],_0x28f4a7[_0x4a6c51(0x18e,0x1ba)+'rn']=/\bstrtok\s*\(/g,_0x28f4a7[_0x2921c6(0x429,0x447)]=_0x4a6c51(0x37a,0x377)+_0x4a6c51(0x37b,0x2bb)+'_r()\x20'+_0x4a6c51(0x1b9,0x1e3)+_0x2921c6(0x2e9,0x277)+_0x4a6c51(0x173,0x19d)+_0x2921c6(0x1e6,0x2e7)+'afety'+_0x4a6c51(0x302,0x250)+_0x2921c6(0x264,0x35d)+_0x2921c6(0x34c,0x27f)+_0x2921c6(0x45d,0x472);const 
_0x13afc6={};_0x13afc6['id']=_0x4a6c51(0x258,0x251)+_0x4a6c51(0x30e,0x37a),_0x13afc6[_0x2921c6(0x214,0x2da)]='CWE-6'+'76',_0x13afc6['sever'+_0x2921c6(0x2fb,0x3c5)]=_0x2921c6(0x390,0x419)+'m',_0x13afc6['title']=_0x4a6c51(0x37f,0x3c5)+_0x2921c6(0x341,0x35c)+'ned\x20F'+'uncti'+_0x4a6c51(0x2ad,0x26c)+'atoi('+')/ato'+_0x4a6c51(0x293,0x1db),_0x13afc6[_0x2921c6(0x431,0x3f9)+_0x2921c6(0x3ef,0x41b)+'n']=_0x2921c6(0x311,0x382)+_0x2921c6(0x281,0x2e2)+'have\x20'+_0x2921c6(0x485,0x377)+'ined\x20'+'behav'+_0x4a6c51(0x1d0,0x269)+'n\x20ove'+_0x4a6c51(0x2d8,0x2a5)+'\x20and\x20'+_0x2921c6(0x48d,0x391)+_0x4a6c51(0x32b,0x24a)+'tingu'+_0x2921c6(0x3f0,0x387)+_0x2921c6(0x34d,0x451)+_0x2921c6(0x49f,0x458)+_0x2921c6(0x3dd,0x3e5)+_0x4a6c51(0x213,0x275),_0x13afc6[_0x4a6c51(0x175,0x70)+_0x2921c6(0x34f,0x3e3)]=['c',_0x2921c6(0x393,0x36e)],_0x13afc6['patte'+'rn']=/\b(?:atoi|atol|atoll|atof)\s*\(/g,_0x13afc6['fix']=_0x4a6c51(0x37a,0x35d)+'trtol'+_0x2921c6(0x2ae,0x384)+_0x4a6c51(0x341,0x35e)+_0x4a6c51(0x20b,0x21f)+'rror\x20'+_0x4a6c51(0x199,0x204)+_0x4a6c51(0x1a5,0x12a)+_0x2921c6(0x1e7,0x27e)+_0x4a6c51(0x2ae,0x31b)+'\x20strt'+_0x2921c6(0x339,0x362)+_0x2921c6(0x2d0,0x285)+_0x4a6c51(0x1b0,0x239)+_0x2921c6(0x43f,0x479)+_0x4a6c51(0x1f1,0x1bc)+_0x2921c6(0x1c9,0x2c2)+'tr\x20=='+_0x2921c6(0x24e,0x30a)+_0x4a6c51(0x2ef,0x3b8)+'\x20erro'+_0x2921c6(0x23b,0x2fb)+'}';const 
_0x4c2a35={};_0x4c2a35['id']='C-CMD'+_0x2921c6(0x3b6,0x36f),_0x4c2a35[_0x4a6c51(0x1cb,0x1fa)]=_0x4a6c51(0x2e4,0x213)+'8',_0x4c2a35[_0x2921c6(0x311,0x33d)+_0x2921c6(0x3e6,0x3c5)]=_0x2921c6(0x2b4,0x2b2)+_0x4a6c51(0x2cd,0x391),_0x4c2a35[_0x4a6c51(0x17e,0x19c)]='Comma'+_0x4a6c51(0x2a1,0x251)+_0x2921c6(0x3f7,0x361)+_0x2921c6(0x3fb,0x3bc)+_0x4a6c51(0x2d0,0x258)+_0x4a6c51(0x1bc,0xa9)+_0x2921c6(0x282,0x2f1)+_0x4a6c51(0x361,0x3c3)+_0x2921c6(0x3bf,0x41f)+'ut',_0x4c2a35[_0x4a6c51(0x2ea,0x26a)+_0x4a6c51(0x30c,0x395)+'n']=_0x4a6c51(0x2d0,0x2ac)+_0x2921c6(0x524,0x495)+_0x2921c6(0x418,0x44a)+_0x2921c6(0x44b,0x467)+'ands\x20'+_0x2921c6(0x2aa,0x289)+_0x4a6c51(0x283,0x37d)+_0x2921c6(0x395,0x331)+'ll.\x20U'+'ser\x20i'+_0x4a6c51(0x1f3,0x2f5)+_0x4a6c51(0x210,0x221)+'es\x20ar'+_0x2921c6(0x285,0x350)+'ry\x20co'+_0x4a6c51(0x201,0x132)+_0x2921c6(0x1d6,0x2af)+_0x4a6c51(0x35d,0x35a)+'.',_0x4c2a35[_0x4a6c51(0x175,0x138)+_0x4a6c51(0x2d4,0x237)]=['c','cpp'],_0x4c2a35[_0x4a6c51(0x18e,0x1af)+'rn']=/\bsystem\s*\(\s*(?!["'])/g,_0x4c2a35[_0x4a6c51(0x338,0x3b9)]='Use\x20e'+_0x2921c6(0x40d,0x37f)+_0x2921c6(0x4a0,0x418)+_0x4a6c51(0x28d,0x323)+_0x4a6c51(0x267,0x1f6)+_0x4a6c51(0x304,0x1f5)+_0x2921c6(0x498,0x477)+_0x4a6c51(0x2d9,0x1de)+'ys\x20in'+_0x4a6c51(0x285,0x33a)+_0x2921c6(0x3f3,0x386)+_0x4a6c51(0x33a,0x3b0)+'().\x20N'+_0x2921c6(0x360,0x3d1)+_0x4a6c51(0x264,0x16c)+'user\x20'+'input'+'\x20to\x20s'+'ystem'+_0x2921c6(0x374,0x472);const 
_0x82e798={};_0x82e798['id']=_0x2921c6(0x4e1,0x3e0)+_0x4a6c51(0x269,0x2e2),_0x82e798[_0x4a6c51(0x1cb,0x274)]='CWE-7'+'8',_0x82e798['sever'+_0x4a6c51(0x2b6,0x33e)]=_0x4a6c51(0x1a3,0xbd)+_0x4a6c51(0x2cd,0x236),_0x82e798['title']=_0x4a6c51(0x35c,0x366)+_0x4a6c51(0x2a1,0x34b)+_0x4a6c51(0x252,0x284)+_0x2921c6(0x3b9,0x3bc)+_0x2921c6(0x24f,0x30f)+_0x2921c6(0x341,0x418)+_0x4a6c51(0x1b5,0x101)+_0x2921c6(0x37d,0x2bd)+'\x20inpu'+'t',_0x82e798[_0x2921c6(0x34b,0x3f9)+'iptio'+'n']=_0x2921c6(0x34c,0x30f)+_0x4a6c51(0x231,0x166)+'sses\x20'+'comma'+_0x4a6c51(0x23f,0x2be)+_0x2921c6(0x457,0x3db)+_0x2921c6(0x2ef,0x345)+'\x20shel'+_0x2921c6(0x342,0x3f7)+'ablin'+'g\x20inj'+_0x4a6c51(0x25e,0x26b)+'n.',_0x82e798['langu'+_0x2921c6(0x2fd,0x3e3)]=['c',_0x2921c6(0x2e7,0x36e)],_0x82e798[_0x4a6c51(0x18e,0x1a8)+'rn']=/\bpopen\s*\(\s*(?!["'])/g,_0x82e798[_0x2921c6(0x396,0x447)]=_0x4a6c51(0x1cf,0x151)+_0x2921c6(0x345,0x399)+_0x4a6c51(0x31e,0x2dd)+_0x2921c6(0x401,0x3e4)+_0x2921c6(0x3ed,0x2e0)+_0x2921c6(0x39e,0x3de)+_0x4a6c51(0x1f5,0x25a)+'s\x20cre'+_0x4a6c51(0x27d,0x207)+_0x2921c6(0x335,0x33a)+_0x2921c6(0x1f0,0x29a)+'hell\x20'+'inter'+_0x2921c6(0x475,0x469)+_0x4a6c51(0x2eb,0x394);const _0x360c9d={};_0x360c9d['id']='C-CRY'+_0x4a6c51(0x38e,0x338)+'01',_0x360c9d[_0x2921c6(0x251,0x2da)]=_0x2921c6(0x3ba,0x321)+'27',_0x360c9d[_0x4a6c51(0x22e,0x27e)+'ity']=_0x2921c6(0x40c,0x3b4),_0x360c9d[_0x2921c6(0x36c,0x28d)]='Weak\x20'+_0x2921c6(0x3e3,0x4a2)+_0x2921c6(0x2c7,0x2f9)+_0x2921c6(0x3ef,0x356)+_0x4a6c51(0x32e,0x35d)+_0x2921c6(0x451,0x396),_0x360c9d['descr'+'iptio'+'n']=_0x2921c6(0x2b7,0x355)+_0x4a6c51(0x17c,0x1ae)+'A1\x20ar'+_0x4a6c51(0x19a,0x94)+_0x2921c6(0x437,0x42c)+_0x4a6c51(0x24c,0x34d)+_0x4a6c51(0x2df,0x3c2)+'broke'+_0x2921c6(0x418,0x369)+_0x4a6c51(0x248,0x280)+_0x2921c6(0x3cd,0x33c)+_0x4a6c51(0x1fc,0x1a1)+_0x4a6c51(0x2b9,0x349)+'rated'+'.';function _0x4a6c51(_0x9a7e4c,_0x5652f7){const _0x4a86b7={_0x565f30:0x8b};return 
_0x1f23(_0x9a7e4c-_0x4a86b7._0x565f30,_0x5652f7);}_0x360c9d[_0x4a6c51(0x175,0xfb)+_0x2921c6(0x37b,0x3e3)]=['c',_0x4a6c51(0x25f,0x328)],_0x360c9d[_0x4a6c51(0x18e,0x106)+'rn']=/(?:MD5_Init|MD5_Update|MD5_Final|SHA1_Init|SHA1_Update|SHA1_Final|MD5\s*\(|SHA1\s*\()/g,_0x360c9d['fix']='Use\x20S'+_0x2921c6(0x483,0x43c)+_0x4a6c51(0x16b,0x75)+_0x2921c6(0x541,0x456)+_0x2921c6(0x400,0x342)+'SHA25'+'6_Ini'+_0x4a6c51(0x307,0x2d8)+_0x2921c6(0x40d,0x475)+_0x2921c6(0x4bb,0x448)+_0x2921c6(0x4eb,0x426)+_0x2921c6(0x433,0x400)+_0x2921c6(0x2e9,0x2c0);const _0xb7ae={};_0xb7ae['id']=_0x2921c6(0x434,0x3b3)+'PTO-0'+'02',_0xb7ae[_0x4a6c51(0x1cb,0x1c5)]=_0x4a6c51(0x212,0x2c9)+'38',_0xb7ae[_0x2921c6(0x3ba,0x33d)+_0x2921c6(0x2c7,0x3c5)]=_0x2921c6(0x4b3,0x3b4),_0xb7ae[_0x2921c6(0x206,0x28d)]=_0x2921c6(0x358,0x30e)+_0x4a6c51(0x1ad,0x1b5)+'andom'+_0x4a6c51(0x1f9,0x2a5)+_0x4a6c51(0x31b,0x2f8)+_0x4a6c51(0x280,0x2e8)+'()\x20fo'+_0x2921c6(0x4c3,0x494)+'urity',_0xb7ae[_0x4a6c51(0x2ea,0x2ff)+_0x2921c6(0x42e,0x41b)+'n']='rand('+')\x20is\x20'+'a\x20wea'+'k\x20PRN'+_0x4a6c51(0x36f,0x3f7)+'\x20must'+'\x20not\x20'+_0x4a6c51(0x19e,0x201)+_0x2921c6(0x3c3,0x37a)+_0x2921c6(0x4d0,0x494)+_0x4a6c51(0x27c,0x244)+_0x4a6c51(0x354,0x3e0)+_0x4a6c51(0x1b8,0x166)+_0x4a6c51(0x316,0x333)+_0x2921c6(0x442,0x38c)+'s.',_0xb7ae[_0x2921c6(0x33c,0x284)+_0x2921c6(0x4df,0x3e3)]=['c',_0x2921c6(0x300,0x36e)],_0xb7ae[_0x2921c6(0x2d9,0x29d)+'rn']=/\b(?:rand|srand)\s*\(/g,_0xb7ae[_0x4a6c51(0x338,0x285)]='Use\x20/'+'dev/u'+'rando'+_0x2921c6(0x204,0x312)+_0x2921c6(0x29c,0x280)+_0x2921c6(0x1f4,0x2a1)+_0x2921c6(0x354,0x2ed)+_0x2921c6(0x555,0x45e)+_0x2921c6(0x30b,0x2db)+'buf()'+_0x4a6c51(0x1a6,0x1d1)+_0x4a6c51(0x377,0x2c3)+_0x4a6c51(0x1ea,0x188)+_0x4a6c51(0x190,0x26c)+_0x4a6c51(0x1e8,0x12a)+'cure\x20'+'rando'+'m.';const 
_0x28a3cb={};_0x28a3cb['id']='C-MEM'+_0x2921c6(0x3fb,0x43f),_0x28a3cb[_0x4a6c51(0x1cb,0x118)]='CWE-4'+'01',_0x28a3cb['sever'+_0x4a6c51(0x2b6,0x227)]=_0x4a6c51(0x30a,0x246)+'m',_0x28a3cb[_0x2921c6(0x191,0x28d)]=_0x2921c6(0x56a,0x462)+_0x4a6c51(0x21c,0x1ae)+'Memor'+_0x2921c6(0x2ac,0x2d0)+_0x4a6c51(0x271,0x18f)+_0x2921c6(0x326,0x3c2)+_0x2921c6(0x26e,0x33a)+'out\x20c'+_0x4a6c51(0x1d4,0x2cf)+_0x4a6c51(0x328,0x430)+_0x4a6c51(0x389,0x359)+'ee',_0x28a3cb[_0x4a6c51(0x2ea,0x34e)+'iptio'+'n']=_0x2921c6(0x4e9,0x4a1)+_0x4a6c51(0x37e,0x323)+_0x2921c6(0x2a4,0x29c)+_0x2921c6(0x39c,0x2e1)+_0x4a6c51(0x204,0x107)+_0x2921c6(0x456,0x3ac)+_0x2921c6(0x44c,0x3c2)+_0x4a6c51(0x2f5,0x405)+_0x4a6c51(0x299,0x307)+_0x2921c6(0x3ad,0x343)+_0x4a6c51(0x16c,0x87)+_0x4a6c51(0x311,0x2cc)+_0x4a6c51(0x2e6,0x298)+'ent\x20m'+_0x2921c6(0x43e,0x483)+'\x20leak'+_0x2921c6(0x48e,0x403)+'\x20even'+_0x4a6c51(0x23b,0x137)+_0x2921c6(0x30e,0x2ee),_0x28a3cb[_0x4a6c51(0x175,0x277)+_0x2921c6(0x42e,0x3e3)]=['c'],_0x28a3cb['patte'+'rn']=/(?:malloc|calloc|realloc)\s*\([^)]+\)\s*;/g,_0x28a3cb[_0x2921c6(0x4d9,0x447)]=_0x2921c6(0x2e0,0x344)+_0x2921c6(0x3bc,0x32e)+_0x2921c6(0x45c,0x372)+_0x4a6c51(0x202,0x105)+_0x2921c6(0x525,0x45b)+_0x2921c6(0x43a,0x3dd)+'\x20a\x20co'+_0x2921c6(0x1a4,0x298)+_0x4a6c51(0x240,0x1a7)+_0x2921c6(0x386,0x2ba)+_0x4a6c51(0x220,0x269)+_0x4a6c51(0x229,0x2ea)+_0x2921c6(0x33f,0x29e)+_0x2921c6(0x495,0x3f0)+'s,\x20in'+'cludi'+_0x4a6c51(0x33c,0x2ad)+_0x4a6c51(0x1b2,0x2c4)+_0x4a6c51(0x2d3,0x3aa);const 
_0x1bdefd={};_0x1bdefd['id']='C-RAC'+_0x2921c6(0x31d,0x40a),_0x1bdefd[_0x4a6c51(0x1cb,0x142)]=_0x2921c6(0x384,0x321)+'67',_0x1bdefd['sever'+'ity']=_0x2921c6(0x3ff,0x3b4),_0x1bdefd[_0x2921c6(0x248,0x28d)]=_0x2921c6(0x34d,0x427)+_0x4a6c51(0x216,0x151)+_0x4a6c51(0x1a9,0x237)+'ccess'+'()\x20fo'+'llowe'+_0x2921c6(0x4e2,0x405)+_0x4a6c51(0x2c6,0x3d8)+')',_0x1bdefd[_0x4a6c51(0x2ea,0x27f)+'iptio'+'n']=_0x2921c6(0x2d4,0x37b)+_0x4a6c51(0x34a,0x2e8)+_0x2921c6(0x1fd,0x2fd)+_0x2921c6(0x1e1,0x2ca)+'en\x20op'+_0x2921c6(0x545,0x42f)+_0x2921c6(0x344,0x333)+_0x4a6c51(0x33f,0x401)+_0x2921c6(0x482,0x397)+_0x2921c6(0x377,0x44c)+_0x4a6c51(0x35b,0x43e)+_0x2921c6(0x440,0x3d9)+'tion\x20'+_0x4a6c51(0x1fa,0x140)+_0x2921c6(0x433,0x432)+_0x2921c6(0x317,0x353)+_0x2921c6(0x4bd,0x42e)+_0x2921c6(0x312,0x3f6)+'\x20Use)'+'.',_0x1bdefd[_0x2921c6(0x21f,0x284)+_0x4a6c51(0x2d4,0x292)]=['c',_0x2921c6(0x452,0x36e)],_0x1bdefd[_0x2921c6(0x268,0x29d)+'rn']=/access\s*\([^)]+\)[\s\S]{0,50}(?:fopen|open)\s*\(/g,_0x1bdefd['fix']=_0x4a6c51(0x1c6,0xe6)+'the\x20f'+'ile\x20d'+_0x2921c6(0x29d,0x36b)+'ly\x20an'+_0x2921c6(0x445,0x3a6)+_0x2921c6(0x3ac,0x327)+'rmiss'+_0x2921c6(0x3c2,0x36a)+_0x4a6c51(0x2c0,0x36e)+_0x4a6c51(0x261,0x1e5)+'e\x20des'+_0x2921c6(0x528,0x482)+'or,\x20n'+'ot\x20th'+'e\x20pat'+'h.';const 
_0xad0dfe={};_0xad0dfe['id']=_0x4a6c51(0x2e0,0x380)+_0x4a6c51(0x1be,0x297)+'01',_0xad0dfe['cwe']=_0x2921c6(0x453,0x3f3)+'04',_0xad0dfe[_0x2921c6(0x41d,0x33d)+_0x4a6c51(0x2b6,0x2dc)]=_0x4a6c51(0x30a,0x2e0)+'m',_0xad0dfe['title']=_0x4a6c51(0x314,0x3e8)+_0x4a6c51(0x29b,0x1a3)+'t\x20—\x20r'+_0x4a6c51(0x250,0x1b8)+_0x4a6c51(0x31a,0x2da)+_0x4a6c51(0x1f7,0x2cb)+_0x4a6c51(0x27a,0x35e)+_0x4a6c51(0x1ce,0x109)+_0x4a6c51(0x383,0x2db)+'t',_0xad0dfe[_0x2921c6(0x328,0x3f9)+_0x4a6c51(0x30c,0x341)+'n']=_0x2921c6(0x32f,0x383)+'erpre'+_0x4a6c51(0x1cd,0x104)+_0x2921c6(0x31a,0x297)+_0x2921c6(0x505,0x422)+'yle\x20c'+_0x2921c6(0x533,0x424)+_0x4a6c51(0x375,0x40f)+_0x4a6c51(0x2bf,0x21b)+_0x2921c6(0x328,0x2ab)+_0x2921c6(0x31b,0x365)+'nd\x20ca'+_0x4a6c51(0x242,0x1c6)+_0x2921c6(0x3ba,0x453)+'undef'+_0x4a6c51(0x2cb,0x1cd)+_0x4a6c51(0x16e,0x250)+'ior.',_0xad0dfe[_0x2921c6(0x250,0x284)+'ages']=[_0x2921c6(0x352,0x36e)],_0xad0dfe[_0x2921c6(0x25b,0x29d)+'rn']=/(?:reinterpret_cast\s*<|(?:^|[^a-zA-Z_])\(\s*(?:int|char|void|long|short|unsigned)\s*\*?\s*\))/g,_0xad0dfe[_0x4a6c51(0x338,0x345)]=_0x4a6c51(0x37a,0x26b)+_0x4a6c51(0x2d7,0x3ae)+_0x2921c6(0x392,0x306)+_0x2921c6(0x3cd,0x341)+_0x4a6c51(0x361,0x2ff)+_0x2921c6(0x31a,0x2a5)+_0x4a6c51(0x29a,0x37a)+_0x4a6c51(0x35f,0x442)+_0x4a6c51(0x250,0x352)+_0x2921c6(0x41f,0x429)+_0x4a6c51(0x1f7,0x301)+_0x4a6c51(0x1e9,0x1d3)+_0x2921c6(0x4c1,0x407)+_0x2921c6(0x42c,0x414)+_0x2921c6(0x495,0x41a)+_0x2921c6(0x38c,0x496)+_0x2921c6(0x357,0x3a0);const 
_0x80e1d9={};_0x80e1d9['id']='CPP-S'+_0x4a6c51(0x279,0x23a)+'001',_0x80e1d9[_0x2921c6(0x23f,0x2da)]=_0x2921c6(0x573,0x46d)+'16',_0x80e1d9[_0x4a6c51(0x22e,0x2b3)+'ity']=_0x4a6c51(0x30a,0x3fa)+'m',_0x80e1d9[_0x2921c6(0x282,0x28d)]='Raw\x20n'+_0x2921c6(0x4cd,0x45c)+_0x4a6c51(0x187,0x227)+_0x4a6c51(0x1ef,0x227)+'\x20Smar'+_0x4a6c51(0x2ed,0x2c9)+'nters',_0x80e1d9[_0x2921c6(0x4b4,0x3f9)+'iptio'+'n']='Manua'+'l\x20new'+_0x2921c6(0x3cf,0x491)+_0x4a6c51(0x28c,0x17f)+_0x4a6c51(0x390,0x46c)+_0x4a6c51(0x324,0x2f9)+_0x2921c6(0x365,0x363)+_0x2921c6(0x307,0x318)+_0x4a6c51(0x38f,0x32d)+_0x2921c6(0x241,0x301)+'reven'+_0x2921c6(0x2fc,0x2fc)+_0x4a6c51(0x1f0,0x2bb)+_0x4a6c51(0x2b7,0x203)+_0x2921c6(0x2d1,0x2be)+_0x4a6c51(0x2b2,0x274)+_0x4a6c51(0x227,0x31e)+_0x2921c6(0x2d6,0x291)+_0x4a6c51(0x1af,0x2b0)+'.',_0x80e1d9[_0x4a6c51(0x175,0xa8)+'ages']=['cpp'],_0x80e1d9[_0x4a6c51(0x18e,0x19a)+'rn']=/\bnew\s+[A-Z][a-zA-Z]*(?:\s*\[|\s*\()/g,_0x80e1d9[_0x4a6c51(0x338,0x2cd)]='Use\x20s'+_0x2921c6(0x39e,0x457)+'ake_u'+_0x4a6c51(0x197,0x209)+_0x4a6c51(0x331,0x42c)+_0x4a6c51(0x348,0x2d4)+_0x2921c6(0x28f,0x32c)+'hared'+_0x4a6c51(0x2da,0x384)+_0x4a6c51(0x1a2,0x1e2)+_0x4a6c51(0x370,0x2ac)+'d::ma'+'ke_un'+_0x4a6c51(0x20c,0x147)+_0x2921c6(0x4bb,0x45f)+_0x2921c6(0x293,0x279)+');';export const cCppRules=[_0x4d5cb7,_0x38f602,_0x89d062,_0x7ed896,_0x109017,_0x6fbfdf,_0x527a4e,_0x46486c,_0x5bd7a0,_0x28f4a7,_0x13afc6,_0x4c2a35,_0x82e798,_0x360c9d,_0xb7ae,_0x28a3cb,_0x1bdefd,_0xad0dfe,_0x80e1d9];function _0xf3dc(){const 
_0x45d78a=['ig92zxi','C3bYAw4','Bg93igi','BwfYDca','AwyGC28','AxrOigu','Axf1ztW','nde5mde2u01iqM5X','B3jTyxq','BNmGzM8','zw5HyMW','qY1ct0y','q1Dfltm','DhvYBI4','mtjXyKrRtfO','ndi5nJmXng1oANLbuq','vsbsywm','yw5Micu','y2SGCgu','qNvMzMu','BNqSihm','zsbYzxm','DgLHBca','ywTLx3m','qY1jtLq','zsbLDMu','zsGPigK','igfZigy','zsbZAgu','y2TPBMC','ihrOzsa','CYbJAgu','B3v0igi','ihvZzs0','B3vUzhm','BIbHBgW','zMvYlIa','ihDPDgG','igHLyxa','B25Zigm','C2v2zxi','DxjJzsa','mta2mtuYmezJwLbZAa','kcKGCge','ig9Yigq','z2vYoIa','Dxn0igi','rw5ZDxi','Acb0Agu','CMLUzYa','rM9YBwe','zs1HzNq','CIbVDMu','DhvHBca','iokaLcbZCa','iokaLcbZyW','Dw5KCYW','BMrZihq','B25KAw4','yML0CMe','BIbSzwe','mcaMjIa','AgvJAYa','ignHBIa','tuq1ige','AhKG4Ocuia','BgXPC2K','AYGP','igv4CgW','nde4mdvnENnJv2C','yxbOAwm','zIbcyw4','DxnLihm','C3rYy2e','zwLUDgu','ignOzwm','AMvJDgK','B2WOC3q','BMuUifm','yYHJB3u','zxr5ige','Aw5Nigi','qY1gvu4','DwzMzxi','BI4Gq28','Aw9UCYa','AxjLy3q','zgvZDcK','zwn0Aw8','y3bW','ss0Wmde','zsbMAwW','DhjUy2e','CNKGBwe','CgfZCYa','Aw55igi','ktSGChq','CgXPy2K','Dw5Kzwy','ss0Wmdi','Aw50zI0','zwqGzM8','q2HLy2S','ywjPBgK','Ag91Dca','ihzPysa','EgvJDMu','AYdIGjqGBq','z2v0CYG','yxrVAs8','CMvPBNq','l3n0CNq','Aw5Nify','ig9Mihm','AxnOigu','tufsvc0','ig9Yiem','DwXUzxi','DxjPDhK','yxrPB24','Dw5JDgK','DgHYzwe','C3jHBMq','Aw5ZDgu','y2fUBM8','z2GGDgG','CYb3Axq','C3rLywq','DgvYCYa','seeX','y3jLyxq','oJPZDhi','AxbLkcK','C2nHBMy','DguGAxm','DgGGzxG','yw5Nzxi','oIbPzIa','zIH1C2u','yxj5lG','DhmOks4','BcGP','C2v0ihq','ywjSzs4','DhKG4Ocuia','zcbJAgu','AxPLksa','Bg9Jig0','Dc4Gqxy','zsbdyxm','AgvJA2K','Bg9Jl2m','y291BNq','qY1vquy','AYdIGjqGvq','BMqGsw4','zMfTAwW','AYGPihu','qY1duLK','AgLNAa','ic0GmsK','yxjIAxq','ihbVAw4','vxnLigy','BNb1DcK','B3bPzxm','DgGGChi','B24G4Ocuia','DMfSid0','zcbTB2q','DgGGD2K','BgXVy2e','lcbHBMq','ywXSB2m','C2uGC3q','CMLUDgy','Axr5','B3vIBgu','ihn0yxq','igDLBMu','AgvYzsa','zMXVDYa','CYb0Agu','zcbKAxi','zxHJzwu','CYb0Exa','B24GDgG','BMnOzwm','zxzLCIa','B3vZiem','yxrOkcK','DgHLig0','B3bLBIG','ksWGC3q','i
okaLcbZDa','DcWGC3i','y29UzgK','Aw5Lzca','AhjVDwC','y2fS','yYbOyxm','zM9Yiha','C3LZDgu','qY1dtuq','yxqGC3q','yxrOCY4','ywDLCW','kcKVzxG','idaGCMu','Dgf0Awm','CMzSB3C','igfYCMe','oIbHDxq','yMXLlwy','zY93CMK','zcbKB3u','Aw5WDxq','ywXSEsa','q1bqlum','ihbHDgG','ksbHyM8','zwn0B3i','q1DfltC','CNqOktS','ihbYzxy','BwuGB2y','BcWGzw4','zxjMBg8','zgvZy3i','DgLVBI4','CYiSihu','DcbqB2K','q1Dflty','ihSGlYO','CYWGy2e','ntzFrMK','DxnPBMC','yxrOigK','CYbHBMq','l3jLywW','zcbIEsa','u2v0iha','C3mGywi','BMCGAw4','B25Jyxq','rs0Wmde','vuXmoW','DhmOksa','qY1gtvq','C3rPBMe','yYWGC2K','AguGzxG','lcbVCIa','yw5Kihy','DcbHCMC','C29SDxq','vxnLiee','Dc9tsee','CMvLlG','kcKGD2K','BwvKAxu','zwX5ig4','Axb0Aw8','yxzHAwW','qY0Wmdm','EsGPigm','yYbPBNa','zwqGDg8','zwfSCge','iemTC3q','vw5Zywy','yxn0CYa','ig9Wzxi','l1niqti','ve9dve8','zwzVCMu','CNbYzxq','BMqOks8','Dg8GChi','ChrVz3i','l2zVCMS','Dg8GvgK','zw5PBMC','ic4UlIK','CM1HDca','ig9Miem','CI1WCM8','mZK2ndCYrMHVEw9H','y2vZicG','Dw5KCW','Cg9UzgK','vxnLihi','BMCGDxm','DcbKAxm','ihbYAw4','seeTmJu','tuq1l1m','AxrOB3u','ltaWmq','ig9Yihm','zwuGyw4','D2L0Ag8','CMvZB2W','ltaWmG','DcbtDhi','ugfZC2K','zML4','CgrHDgu','Exn0zw0','yxnZzxm','BMCGzxi','zxmGysa','EMvVzIG','zMLSzsa','igeGmJu','B2XSihC','CNjVCNm','BMvKl0q','zcb0BYa','AgLUihq','AxbSAwm','C3rYB24','Dgq6oM0','igzYB20','Aw5Nige','tLvmtca','y2fSBg8','zxCVzgu','B3v0igm','CMm0CMe','vhLWzt4','C3rYDg8','zhmGzgu','ug90zw4','lxnLBNm','B3DZihi','CML0Ag0','ChjPBNq','ignVBw0','igeGzM8','ChjLDge','CMfJzsa','q29TBwe','DxrPB24','q1Dfltq','B2LKihi','zwfKAw4','Ew5HBwK','DcHKzxm','kcKU','zsWGyw4','BIbdkYS','mJu2x1u','n3zHue1Xqq','Dw1LBNq','vxnLCIa','lcaXmcK','EsGPihC','zsGPihC','B24GBg8','zxjHBdO','rYbHBMq','id0GC3q','kg4GpIa','ltaWmW','y3jPChq','zw1VCNK','yNLWyxm','mtiWuw9hwMno','y3j5Chq','lcbYAxm','zwfKCYa','vxnLihm','Dhj0B2S','BgLUzYa','DgyOiIu','EsbHBgW','vxnLig8','sw50zwC','wcaVig4','l2rLBgu','zsbJyxm','Chv0lG','CIbZzwm','BsGPiha','zwnLC3m','Bgf0Aw8','BMCGzNi','yNvMzMu','CMfYEsa','ihn0CMK','BNbYAw4','ufrplta','Cg9PBNq'
,'igvYCM8','zxiTzNi','twvTB3i','q3j5Chq','wcKGzM8','zxjYB3i','kgfYz3m','nIbVCIa','zsbMCMu','DgvYBMe','yMvOyxy','Bg9UzYa','DhjZzxa','DhjHBMq','4OcuigzYzq','CIb0Ahi','yM91BMq','BgfUz3u','CIWGjMu','CMXLBIG','zYbSAxq','qY0Wmde','DgHYB3u','zNrLCIa','BMqGu0G','DhjUy3a','DgL0Bgu','A2LUzYa','C2L6zsa','rNjLzsa','ywz0zxi','ody4otvdCfjytLm','BIbdmte','CIb0BYa','B2L0zwq','Bgv0zsa','DcbHBMq','CNjLC3a','C2vYx2K','B3v0ihm','zw5HDgu','B2nHDgu','Cgf0Dgu','ignVzgu','AgLJywW','D3jPDgu','B20OksW','uMLZAYa','ic0GC3q','C2L6zw8','y19Jyxm','BMLXDwu','yxrLihq','y2HLy2S','zsbJCNK','lcbIDwy','zsbZywy','igzYzwu','yMuGDxm','BMCU','igv4zwm','CIbpDMu','BYbWDhi','y3jPDgK','A3mGAw4','Aw5NoIa','igzVCIa','zgLUksa','ywqGB2y','zsdIGjqGyq','B3zLCMy','zYbMCMu','DxqGyM8','DxjLifi','BMfTAwm','lwzYzwu','BMrWDhi','BMfSlG','CM9Yiha','kgvUzha','mvHlCMvTAG','DgGGzhK','B3vZiey','B3bLCIa','AxrPDMu','kfbpu0K','ifjLBw8','kcKGDgG','BsGPihC','iokaLcbNzq','qvnulta','ignHDxm','D2LKDgG','Esbmzwe','q1Dflte','DxqPlG','ig11Bhq','igzTDcW','t3bLBIa','zsHWDhi','ltaWnq','Chv0ige','oIbMCMu','y3DL','BMrVBv8','Df9Jyxm','lxn0EwW','vxnLiha','Aw9Yig8','zwmOksa','zcb3Axq','yxrVBca','B3jYzxm','ie9Yihu','CIa9ie4','ifvZzsa','zwfKihm','CYbHBgW','EsHKzxm','CYb1C2u','zxiGt3y','oIbZy2e','ig9Yige','rg9tlG','Aw50zIG','zsbZDgq','AxrOigq','icvZihi','A2LUzYW','zdO6C3q','zsbIDwy','zxjPzNK','BhKGC2u','ihvUBgu','B2DYyxa','zxiGAw4','CIaQlYa','DcbSzwe','y2nLC3m','4OcuifvZzq','A3mSigq','oYbPzIa','zxjZiha','BNb1Dca','B3n0igq','CM9Jzxm','DcGPigm','x2nHC3q','otqXnZeYt0jLy1jU','iokaLcbYyq','kfrPBwu','ihn0CIK','yw4GyMu','t3iGDxm','nI1IExq','sw5Zzwm','Cg9Wzw4','Bw1HBMq','BgXVyY8','BsWGz2u','AcbTywW','DYbsAxm'];_0xf3dc=function(){return _0x45d78a;};return _0xf3dc();}
|
|
1
|
+
export const cCppRules = [
|
|
2
|
+
// === Buffer Overflow ===
|
|
3
|
+
{
|
|
4
|
+
id: "C-BOF-001",
|
|
5
|
+
cwe: "CWE-120",
|
|
6
|
+
severity: "critical",
|
|
7
|
+
title: "Buffer Overflow — gets() usage",
|
|
8
|
+
description: "gets() reads input without bounds checking and is the most dangerous C function. Removed in C11.",
|
|
9
|
+
languages: ["c", "cpp"],
|
|
10
|
+
pattern: /\bgets\s*\(/g,
|
|
11
|
+
fix: "Use fgets(buf, sizeof(buf), stdin) instead of gets().",
|
|
12
|
+
},
|
|
13
|
+
{
|
|
14
|
+
id: "C-BOF-002",
|
|
15
|
+
cwe: "CWE-120",
|
|
16
|
+
severity: "critical",
|
|
17
|
+
title: "Buffer Overflow — strcpy without bounds",
|
|
18
|
+
description: "strcpy() copies without bounds checking, causing buffer overflow if source exceeds destination.",
|
|
19
|
+
languages: ["c", "cpp"],
|
|
20
|
+
pattern: /\bstrcpy\s*\(/g,
|
|
21
|
+
fix: "Use strncpy(dest, src, sizeof(dest) - 1) or strlcpy() where available. Or use std::string in C++.",
|
|
22
|
+
},
|
|
23
|
+
{
|
|
24
|
+
id: "C-BOF-003",
|
|
25
|
+
cwe: "CWE-120",
|
|
26
|
+
severity: "critical",
|
|
27
|
+
title: "Buffer Overflow — strcat without bounds",
|
|
28
|
+
description: "strcat() concatenates without bounds checking.",
|
|
29
|
+
languages: ["c", "cpp"],
|
|
30
|
+
pattern: /\bstrcat\s*\(/g,
|
|
31
|
+
fix: "Use strncat(dest, src, sizeof(dest) - strlen(dest) - 1) or strlcat(). Or use std::string in C++.",
|
|
32
|
+
},
|
|
33
|
+
{
|
|
34
|
+
id: "C-BOF-004",
|
|
35
|
+
cwe: "CWE-120",
|
|
36
|
+
severity: "critical",
|
|
37
|
+
title: "Buffer Overflow — sprintf without bounds",
|
|
38
|
+
description: "sprintf() writes without bounds checking, risking buffer overflow.",
|
|
39
|
+
languages: ["c", "cpp"],
|
|
40
|
+
pattern: /\bsprintf\s*\(/g,
|
|
41
|
+
fix: "Use snprintf(buf, sizeof(buf), fmt, ...) instead of sprintf().",
|
|
42
|
+
},
|
|
43
|
+
{
|
|
44
|
+
id: "C-BOF-005",
|
|
45
|
+
cwe: "CWE-120",
|
|
46
|
+
severity: "high",
|
|
47
|
+
title: "Buffer Overflow — scanf %s without width",
|
|
48
|
+
description: "scanf with %s reads without bounds, causing buffer overflow on long input.",
|
|
49
|
+
languages: ["c", "cpp"],
|
|
50
|
+
pattern: /scanf\s*\(\s*["'][^"']*%[^0-9]*s/g,
|
|
51
|
+
fix: "Specify a width: scanf(\"%255s\", buf) for a 256-byte buffer. Or use fgets().",
|
|
52
|
+
},
|
|
53
|
+
// === Format String ===
|
|
54
|
+
{
|
|
55
|
+
id: "C-FMT-001",
|
|
56
|
+
cwe: "CWE-134",
|
|
57
|
+
severity: "critical",
|
|
58
|
+
title: "Format String Vulnerability — User input as format string",
|
|
59
|
+
description: "Passing user input as the format string to printf-family functions allows reading/writing arbitrary memory.",
|
|
60
|
+
languages: ["c", "cpp"],
|
|
61
|
+
pattern: /(?:printf|fprintf|sprintf|snprintf|syslog|err|warn)\s*\(\s*(?!["'])[a-zA-Z_]/g,
|
|
62
|
+
fix: "Always use a format string literal: printf(\"%s\", user_input) not printf(user_input).",
|
|
63
|
+
},
|
|
64
|
+
// === Integer Overflow ===
|
|
65
|
+
{
|
|
66
|
+
id: "C-INT-001",
|
|
67
|
+
cwe: "CWE-190",
|
|
68
|
+
severity: "high",
|
|
69
|
+
title: "Integer Overflow Risk — Unchecked Arithmetic for Allocation",
|
|
70
|
+
description: "Integer overflow in size calculations for malloc/calloc can allocate tiny buffers, causing heap overflow.",
|
|
71
|
+
languages: ["c", "cpp"],
|
|
72
|
+
pattern: /malloc\s*\(\s*[a-zA-Z_][a-zA-Z0-9_]*\s*\*\s*(?:sizeof|[a-zA-Z_])/g,
|
|
73
|
+
fix: "Check for overflow before multiplication: if (n > 0 && count > SIZE_MAX / n) abort(); Use calloc(count, size) which checks internally.",
|
|
74
|
+
},
|
|
75
|
+
// === Use After Free ===
|
|
76
|
+
{
|
|
77
|
+
id: "C-UAF-001",
|
|
78
|
+
cwe: "CWE-416",
|
|
79
|
+
severity: "critical",
|
|
80
|
+
title: "Use After Free Risk — free() without nulling pointer",
|
|
81
|
+
description: "Freed pointers should be set to NULL to prevent use-after-free and double-free.",
|
|
82
|
+
languages: ["c", "cpp"],
|
|
83
|
+
pattern: /free\s*\(\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*\)\s*;(?!\s*\1\s*=\s*NULL)/g,
|
|
84
|
+
fix: "Set pointer to NULL after free: free(ptr); ptr = NULL;",
|
|
85
|
+
},
|
|
86
|
+
// === Dangerous Functions ===
|
|
87
|
+
{
|
|
88
|
+
id: "C-FUNC-001",
|
|
89
|
+
cwe: "CWE-676",
|
|
90
|
+
severity: "high",
|
|
91
|
+
title: "Use of Banned/Dangerous Function — realpath()",
|
|
92
|
+
description: "realpath() without checking the result can be exploited via symlink races (TOCTOU).",
|
|
93
|
+
languages: ["c", "cpp"],
|
|
94
|
+
pattern: /\brealpath\s*\(/g,
|
|
95
|
+
fix: "Use realpath with proper error checking and verify the resolved path is within the expected directory.",
|
|
96
|
+
},
|
|
97
|
+
{
|
|
98
|
+
id: "C-FUNC-002",
|
|
99
|
+
cwe: "CWE-676",
|
|
100
|
+
severity: "high",
|
|
101
|
+
title: "Use of Banned/Dangerous Function — strtok()",
|
|
102
|
+
description: "strtok() uses global state, is not thread-safe, and modifies the input string.",
|
|
103
|
+
languages: ["c"],
|
|
104
|
+
pattern: /\bstrtok\s*\(/g,
|
|
105
|
+
fix: "Use strtok_r() (POSIX) for thread safety, or use strsep().",
|
|
106
|
+
},
|
|
107
|
+
{
|
|
108
|
+
id: "C-FUNC-003",
|
|
109
|
+
cwe: "CWE-676",
|
|
110
|
+
severity: "medium",
|
|
111
|
+
title: "Use of Banned Function — atoi()/atol()",
|
|
112
|
+
description: "atoi/atol have undefined behavior on overflow and cannot distinguish errors from 0 return.",
|
|
113
|
+
languages: ["c", "cpp"],
|
|
114
|
+
pattern: /\b(?:atoi|atol|atoll|atof)\s*\(/g,
|
|
115
|
+
fix: "Use strtol/strtoll with error checking: long val = strtol(str, &endptr, 10); if (endptr == str) { /* error */ }",
|
|
116
|
+
},
|
|
117
|
+
// === Command Injection ===
|
|
118
|
+
{
|
|
119
|
+
id: "C-CMDI-001",
|
|
120
|
+
cwe: "CWE-78",
|
|
121
|
+
severity: "critical",
|
|
122
|
+
title: "Command Injection — system() with dynamic input",
|
|
123
|
+
description: "system() passes commands through the shell. User input enables arbitrary command execution.",
|
|
124
|
+
languages: ["c", "cpp"],
|
|
125
|
+
pattern: /\bsystem\s*\(\s*(?!["'])/g,
|
|
126
|
+
fix: "Use execve() with explicit argument arrays instead of system(). Never pass user input to system().",
|
|
127
|
+
},
|
|
128
|
+
{
|
|
129
|
+
id: "C-CMDI-002",
|
|
130
|
+
cwe: "CWE-78",
|
|
131
|
+
severity: "critical",
|
|
132
|
+
title: "Command Injection — popen() with dynamic input",
|
|
133
|
+
description: "popen() passes commands through the shell, enabling injection.",
|
|
134
|
+
languages: ["c", "cpp"],
|
|
135
|
+
pattern: /\bpopen\s*\(\s*(?!["'])/g,
|
|
136
|
+
fix: "Use pipe()/fork()/exec() for process creation without shell interpretation.",
|
|
137
|
+
},
|
|
138
|
+
// === Weak Crypto ===
|
|
139
|
+
{
|
|
140
|
+
id: "C-CRYPTO-001",
|
|
141
|
+
cwe: "CWE-327",
|
|
142
|
+
severity: "high",
|
|
143
|
+
title: "Weak Cryptography — MD5/SHA1",
|
|
144
|
+
description: "MD5 and SHA1 are cryptographically broken. Collisions can be generated.",
|
|
145
|
+
languages: ["c", "cpp"],
|
|
146
|
+
pattern: /(?:MD5_Init|MD5_Update|MD5_Final|SHA1_Init|SHA1_Update|SHA1_Final|MD5\s*\(|SHA1\s*\()/g,
|
|
147
|
+
fix: "Use SHA-256 or stronger: SHA256_Init/SHA256_Update/SHA256_Final.",
|
|
148
|
+
},
|
|
149
|
+
{
|
|
150
|
+
id: "C-CRYPTO-002",
|
|
151
|
+
cwe: "CWE-338",
|
|
152
|
+
severity: "high",
|
|
153
|
+
title: "Insecure Random — rand()/srand() for security",
|
|
154
|
+
description: "rand() is a weak PRNG and must not be used for security-sensitive operations.",
|
|
155
|
+
languages: ["c", "cpp"],
|
|
156
|
+
pattern: /\b(?:rand|srand)\s*\(/g,
|
|
157
|
+
fix: "Use /dev/urandom, getrandom(), or arc4random_buf() for cryptographically secure random.",
|
|
158
|
+
},
|
|
159
|
+
// === Memory Leak ===
|
|
160
|
+
{
|
|
161
|
+
id: "C-MEM-001",
|
|
162
|
+
cwe: "CWE-401",
|
|
163
|
+
severity: "medium",
|
|
164
|
+
title: "Potential Memory Leak — malloc without corresponding free",
|
|
165
|
+
description: "Memory allocated with malloc/calloc/realloc must be freed to prevent memory leaks and eventual DoS.",
|
|
166
|
+
languages: ["c"],
|
|
167
|
+
pattern: /(?:malloc|calloc|realloc)\s*\([^)]+\)\s*;/g,
|
|
168
|
+
fix: "Ensure every malloc/calloc has a corresponding free() in all code paths, including error paths.",
|
|
169
|
+
},
|
|
170
|
+
// === Race Condition ===
|
|
171
|
+
{
|
|
172
|
+
id: "C-RACE-001",
|
|
173
|
+
cwe: "CWE-367",
|
|
174
|
+
severity: "high",
|
|
175
|
+
title: "TOCTOU Race — access() followed by open()",
|
|
176
|
+
description: "Checking access() then opening the file creates a race condition (Time of Check to Time of Use).",
|
|
177
|
+
languages: ["c", "cpp"],
|
|
178
|
+
pattern: /access\s*\([^)]+\)[\s\S]{0,50}(?:fopen|open)\s*\(/g,
|
|
179
|
+
fix: "Open the file directly and check permissions on the file descriptor, not the path.",
|
|
180
|
+
},
|
|
181
|
+
// === C++ Specific ===
|
|
182
|
+
{
|
|
183
|
+
id: "CPP-CAST-001",
|
|
184
|
+
cwe: "CWE-704",
|
|
185
|
+
severity: "medium",
|
|
186
|
+
title: "Unsafe Cast — reinterpret_cast or C-style cast",
|
|
187
|
+
description: "reinterpret_cast and C-style casts bypass type safety and can lead to undefined behavior.",
|
|
188
|
+
languages: ["cpp"],
|
|
189
|
+
pattern: /(?:reinterpret_cast\s*<|(?:^|[^a-zA-Z_])\(\s*(?:int|char|void|long|short|unsigned)\s*\*?\s*\))/g,
|
|
190
|
+
fix: "Use static_cast or dynamic_cast. Avoid reinterpret_cast unless absolutely necessary.",
|
|
191
|
+
},
|
|
192
|
+
{
|
|
193
|
+
id: "CPP-SMART-001",
|
|
194
|
+
cwe: "CWE-416",
|
|
195
|
+
severity: "medium",
|
|
196
|
+
title: "Raw new/delete — Use Smart Pointers",
|
|
197
|
+
description: "Manual new/delete is error-prone. Smart pointers prevent leaks, double-free, and use-after-free.",
|
|
198
|
+
languages: ["cpp"],
|
|
199
|
+
pattern: /\bnew\s+[A-Z][a-zA-Z]*(?:\s*\[|\s*\()/g,
|
|
200
|
+
fix: "Use std::make_unique or std::make_shared: auto ptr = std::make_unique<Type>(args);",
|
|
201
|
+
},
|
|
202
|
+
];
|
package/dist/rules/cicd.js
CHANGED
|
@@ -1 +1,144 @@
|
|
|
1
|
-
(function(_0x9ac937,_0x271e11){const _0x13815a={_0x3e764c:0x30,_0x29d627:0x112,_0x15b614:0x2f8,_0x594ecf:0x388,_0x1d5f2e:0x2b4,_0x120fff:0x13d,_0x25e923:0x16b,_0x5e9e98:0x304,_0x443021:0x91,_0x356402:0x4d0,_0x5636ab:0x17f,_0x3ac41a:0x347,_0x488c94:0x163},_0x594f92={_0x5bcb2e:0x245};function _0x57d692(_0xf53ad5,_0x2f7c1e){return _0x1fe2(_0xf53ad5- -_0x594f92._0x5bcb2e,_0x2f7c1e);}function _0x552c20(_0x1ef3b2,_0x4906e5){return _0x1fe2(_0x1ef3b2-0x20d,_0x4906e5);}const _0x1a6848=_0x9ac937();while(!![]){try{const _0x4fefcf=-parseInt(_0x57d692(-_0x13815a._0x3e764c,-_0x13815a._0x29d627))/(-0x1c1c+-0x1c07+0xe09*0x4)*(parseInt(_0x552c20(_0x13815a._0x15b614,_0x13815a._0x594ecf))/(0x1686+-0x3d9*0x5+-0x347))+parseInt(_0x552c20(_0x13815a._0x1d5f2e,0x2cb))/(-0xbf7*-0x3+-0x1fca+-0x2*0x20c)+-parseInt(_0x57d692(-_0x13815a._0x120fff,-_0x13815a._0x25e923))/(0x3f1+0x1669*-0x1+0x127c)*(-parseInt(_0x552c20(0x36a,0x2f1))/(0x20ff+0x8+-0x2102))+parseInt(_0x552c20(0x31e,_0x13815a._0x5e9e98))/(0x1427+0x19b6+-0x2dd7)+parseInt(_0x57d692(-_0x13815a._0x443021,-0x118))/(0x5*-0x6f5+-0x16*-0x3d+0x1d92)*(-parseInt(_0x552c20(0x438,_0x13815a._0x356402))/(-0x2611+0x511*-0x1+0x2b2a))+-parseInt(_0x57d692(-0x10c,-0x8c))/(-0xc8b+-0xc41*-0x1+0x53)*(-parseInt(_0x57d692(-_0x13815a._0x5636ab,-0xc8))/(0x6e+-0x3e*0x2f+0xafe))+parseInt(_0x552c20(_0x13815a._0x3ac41a,0x297))/(0x3*-0xaf1+-0xdc7*0x1+-0x2ea5*-0x1)*(parseInt(_0x57d692(-0x85,-_0x13815a._0x488c94))/(-0x241c+-0x172c*0x1+0x3b54));if(_0x4fefcf===_0x271e11)break;else _0x1a6848['push'](_0x1a6848['shift']());}catch(_0x150854){_0x1a6848['push'](_0x1a6848['shift']());}}}(_0x1906,-0x48f2d+0x97fa2*0x1+0x1*0xda31));const 
_0x51560d={};_0x51560d['id']='CICD-'+_0x16c572(0xf8,0xb6)+'01',_0x51560d[_0x5f047d(0x5d8,0x50b)]=_0x16c572(-0x3c,0x85)+'29',_0x51560d[_0x16c572(-0xb5,-0x8d)+_0x5f047d(0x47f,0x4e4)]='high',_0x51560d[_0x16c572(0x4b,-0x1)]=_0x16c572(-0x8a,0x45)+'b\x20Act'+_0x5f047d(0x5d3,0x5aa)+_0x16c572(0x1c0,0x108)+_0x5f047d(0x5ec,0x5f2)+_0x16c572(0xa4,0xe)+'\x20Supp'+'ly\x20Ch'+_0x16c572(-0x21,0x41)+'isk',_0x51560d[_0x5f047d(0x46c,0x484)+_0x16c572(0x41,0x34)+'n']=_0x5f047d(0x62f,0x54b)+_0x5f047d(0x602,0x6d3)+_0x16c572(-0xa9,-0x9b)+'ced\x20b'+_0x5f047d(0x476,0x532)+_0x5f047d(0x469,0x432)+_0x16c572(0xc8,0xff)+'(v1,\x20'+'v2,\x20m'+_0x16c572(0xd2,0xf2)+_0x16c572(0x2a,-0x3c)+_0x5f047d(0x46a,0x548)+_0x5f047d(0x532,0x4db)+_0x16c572(-0x5b,0x0)+_0x5f047d(0x62a,0x570)+_0x16c572(0x2d,0x1d)+'0066\x20'+_0x5f047d(0x569,0x5ae)+_0x16c572(0x113,0xcb)+'s/cha'+_0x5f047d(0x563,0x638)+'files'+_0x16c572(0x106,0x59)+'iltra'+'ted\x20s'+_0x16c572(-0x147,-0x59)+'s\x20fro'+'m\x2023,'+'000+\x20'+'repos'+_0x5f047d(0x4e1,0x4dc)+_0x16c572(0xff,0x132)+_0x16c572(-0xb7,-0x8a)+_0x5f047d(0x51c,0x507)+'n.',_0x51560d[_0x5f047d(0x604,0x67a)+'ages']=['yaml'],_0x51560d[_0x16c572(-0x23,-0x2d)+'rn']=/uses\s*:\s*[a-zA-Z0-9\-_.]+\/[a-zA-Z0-9\-_.]+@(?:v\d+|main|master|latest|dev)\s*$/gm,_0x51560d[_0x16c572(0x182,0x90)]=_0x5f047d(0x550,0x5f1)+_0x16c572(0xc3,0xcb)+'s\x20to\x20'+_0x5f047d(0x4a4,0x479)+'l\x20com'+_0x16c572(0x44,0x9b)+_0x5f047d(0x517,0x4c0)+_0x16c572(0xa1,-0x32)+_0x5f047d(0x592,0x655)+_0x16c572(0xb,-0x1e)+'eckou'+_0x5f047d(0x560,0x592)+_0x5f047d(0x4f8,0x5a7)+_0x5f047d(0x4e3,0x4fb)+_0x16c572(-0x2d,-0x5d)+_0x16c572(-0x120,-0x45)+_0x16c572(0x5f,-0x71)+_0x16c572(0x19,-0x93)+_0x16c572(0x6a,0xbc)+_0x16c572(0x77,0x3)+'to\x20ke'+_0x16c572(0x8f,0x50)+'As\x20up'+'dated'+'.';const 
_0x779667={};_0x779667['id']=_0x5f047d(0x535,0x62b)+_0x5f047d(0x59c,0x59e)+'01',_0x779667[_0x5f047d(0x5d8,0x5a9)]=_0x16c572(-0x4d,-0x33)+'4',_0x779667['sever'+_0x16c572(-0x9,-0x73)]=_0x16c572(-0xba,-0x16)+_0x16c572(0xc0,0x52),_0x779667[_0x5f047d(0x4f1,0x5e7)]=_0x5f047d(0x574,0x59f)+_0x16c572(-0xd2,-0x6a)+'t\x20—\x20p'+'ull_r'+_0x16c572(-0x63,-0x6a)+_0x16c572(-0x41,0x97)+_0x16c572(-0x1e,0x7a)+_0x5f047d(0x58c,0x4d7)+_0x16c572(0x6e,-0x24)+_0x16c572(0xd7,0x15),_0x779667[_0x16c572(-0x10d,-0x86)+'iptio'+'n']=_0x5f047d(0x4ae,0x4d0)+_0x5f047d(0x5ee,0x6dc)+_0x5f047d(0x593,0x565)+'rget\x20'+_0x5f047d(0x559,0x502)+_0x5f047d(0x5f7,0x6e2)+'write'+_0x5f047d(0x5be,0x543)+_0x5f047d(0x502,0x41c)+'ns\x20an'+_0x16c572(0xac,0xeb)+'rets\x20'+_0x5f047d(0x4fe,0x58b)+_0x16c572(0x42,0xad)+_0x5f047d(0x605,0x651)+'g\x20out'+'\x20the\x20'+_0x16c572(-0xc5,-0x8)+_0x5f047d(0x5f9,0x618)+_0x16c572(0xdd,0x2c)+_0x5f047d(0x628,0x60f)+_0x5f047d(0x494,0x54c)+_0x5f047d(0x5a5,0x532)+'th\x20th'+_0x16c572(0x62,0xe5)+_0x5f047d(0x55c,0x4d9)+_0x5f047d(0x596,0x586)+'.',_0x779667[_0x5f047d(0x604,0x627)+_0x16c572(0x196,0x128)]=['yaml'],_0x779667[_0x16c572(0x2e,-0x2d)+'rn']=/pull_request_target/g,_0x779667[_0x16c572(0x105,0x90)]=_0x5f047d(0x4b3,0x3ee)+_0x5f047d(0x603,0x542)+_0x16c572(-0xac,-0x6a)+'t\x20tri'+_0x5f047d(0x4f4,0x5b2)+_0x16c572(-0x16a,-0x99)+_0x16c572(-0x118,-0x90)+'f\x20pul'+_0x16c572(0xf,0xbf)+_0x5f047d(0x4c1,0x479)+_0x16c572(0x17,0xe4)+'t\x20is\x20'+_0x5f047d(0x55d,0x61a)+_0x16c572(0x1b,0xc0)+'ver\x20c'+'hecko'+_0x16c572(0xd,-0x48)+'e\x20PR\x20'+_0x16c572(0x9d,0x42)+_0x5f047d(0x5c6,0x520)+_0x16c572(-0x50,0x44)+_0x16c572(0x1a,0xc9);function _0x1fe2(_0x4c4c31,_0x491aea){_0x4c4c31=_0x4c4c31-(0x5de+-0xd4c+0x808);const _0x5ef733=_0x1906();let _0x4e2c5a=_0x5ef733[_0x4c4c31];if(_0x1fe2['zlJMRB']===undefined){var _0x2f1bb2=function(_0x4542e6){const _0x24d55d='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';let _0x200a7b='',_0xd2629e='';for(let 
_0x289da9=-0x179a+0x1*0x1a5d+-0x2c3*0x1,_0x139263,_0x55bad7,_0x5ca940=0x155e+-0x1c1d+0xb*0x9d;_0x55bad7=_0x4542e6['charAt'](_0x5ca940++);~_0x55bad7&&(_0x139263=_0x289da9%(-0x1*0x2045+-0x2ed+0x2336)?_0x139263*(0xa*-0x3ac+0x848+0x264*0xc)+_0x55bad7:_0x55bad7,_0x289da9++%(-0x1*0x20a5+-0xa7d+0x6*0x731))?_0x200a7b+=String['fromCharCode'](0x40*0x2f+-0x1f86+0x14c5&_0x139263>>(-(-0x1b1c+-0x1*-0x1b0c+0x12)*_0x289da9&0x34*-0x54+-0x160a+-0x2720*-0x1)):0xae0*-0x1+-0x9d*-0x2+0x9a6){_0x55bad7=_0x24d55d['indexOf'](_0x55bad7);}for(let _0x917de2=0x34*0xab+0x1f*-0xd8+0x12*-0x7a,_0x5c7e5d=_0x200a7b['length'];_0x917de2<_0x5c7e5d;_0x917de2++){_0xd2629e+='%'+('00'+_0x200a7b['charCodeAt'](_0x917de2)['toString'](-0x159e+0x1eb+0x13c3))['slice'](-(0x13ef+-0xe5f+-0x58e));}return decodeURIComponent(_0xd2629e);};_0x1fe2['Pgmpoo']=_0x2f1bb2,_0x1fe2['FkMdfR']={},_0x1fe2['zlJMRB']=!![];}const _0x107b56=_0x5ef733[-0x15ec+-0x12e5+0x489*0x9],_0x2062d2=_0x4c4c31+_0x107b56,_0x49c706=_0x1fe2['FkMdfR'][_0x2062d2];return!_0x49c706?(_0x4e2c5a=_0x1fe2['Pgmpoo'](_0x4e2c5a),_0x1fe2['FkMdfR'][_0x2062d2]=_0x4e2c5a):_0x4e2c5a=_0x49c706,_0x4e2c5a;}const 
_0x49c44f={};_0x49c44f['id']='CICD-'+'LOG-0'+'01',_0x49c44f[_0x5f047d(0x5d8,0x4fe)]='CWE-5'+'32',_0x49c44f['sever'+_0x5f047d(0x47f,0x42e)]='criti'+_0x16c572(0xb8,0x52),_0x49c44f[_0x5f047d(0x4f1,0x4b2)]=_0x5f047d(0x4f9,0x5e5)+_0x5f047d(0x57e,0x539)+_0x16c572(-0x90,-0x65)+'to\x20Lo'+'gs',_0x49c44f[_0x5f047d(0x46c,0x51b)+'iptio'+'n']=_0x16c572(-0xc6,0x18)+_0x16c572(-0xbe,-0xd)+_0x16c572(-0x13f,-0x59)+'s\x20to\x20'+_0x5f047d(0x57c,0x4b0)+'gs\x20ma'+_0x16c572(0xd8,0x63)+_0x16c572(-0xcf,-0x1c)+_0x5f047d(0x4ac,0x3ef)+_0x16c572(-0xf,0x27)+_0x16c572(-0x4d,-0x9a)+_0x5f047d(0x633,0x6a0)+_0x16c572(0x4,0x3b)+_0x16c572(0x1c1,0x101)+_0x16c572(0x109,0x146)+_0x5f047d(0x611,0x6c2)+'\x20with'+_0x16c572(0x53,-0x66)+'\x20acce'+_0x5f047d(0x5fb,0x5a1),_0x49c44f[_0x5f047d(0x604,0x53d)+'ages']=[_0x16c572(0xae,0xc6)],_0x49c44f[_0x5f047d(0x4c5,0x497)+'rn']=/echo\s+.*\$\{\{\s*secrets\./g,_0x49c44f[_0x5f047d(0x582,0x587)]=_0x16c572(-0xe6,-0x2b)+_0x16c572(0x23,-0x40)+'\x20secr'+_0x5f047d(0x5c2,0x6b5)+_0x16c572(0xc4,0x100)+_0x16c572(-0x159,-0x78)+_0x16c572(-0x67,0x60)+'ly\x20in'+'\x20envi'+_0x5f047d(0x619,0x663)+_0x5f047d(0x607,0x679)+'riabl'+_0x5f047d(0x51f,0x46c)+_0x16c572(0x98,0xee)+'e\x20to\x20'+_0x5f047d(0x49a,0x4b3)+'\x20with'+_0x5f047d(0x5e1,0x5a2)+_0x16c572(0xdc,0x130)+'d\x20acc'+_0x16c572(0x25,0xae);const _0xd60337={};_0xd60337['id']=_0x5f047d(0x535,0x491)+_0x16c572(-0xa9,0x3e)+'01',_0xd60337[_0x5f047d(0x5d8,0x671)]='CWE-7'+'8',_0xd60337[_0x5f047d(0x465,0x4c3)+'ity']=_0x16c572(0x34,-0x16)+_0x16c572(0xce,0x52),_0xd60337[_0x16c572(-0xf3,-0x1)]=_0x16c572(-0x4,0x45)+_0x16c572(0xc2,0x65)+_0x5f047d(0x51b,0x5ed)+_0x16c572(0xc7,0x126)+_0x5f047d(0x551,0x572)+_0x5f047d(0x463,0x409)+_0x16c572(0x10e,0x96)+_0x5f047d(0x5ff,0x5b4)+_0x16c572(0xcf,0x11d)+_0x16c572(0x1b,-0x1d)+_0x5f047d(0x594,0x583)+'n:';function _0x16c572(_0x1ba033,_0x627131){const _0x4c9137={_0x515435:0x13f};return _0x1fe2(_0x627131- 
-_0x4c9137._0x515435,_0x1ba033);}_0xd60337['descr'+'iptio'+'n']=_0x5f047d(0x4a0,0x402)+_0x16c572(0x118,0x13b)+_0x16c572(0xf8,0x98)+_0x16c572(0xee,0xce)+_0x16c572(0xa4,-0x1f)+_0x16c572(-0xe7,-0x6c)+_0x16c572(0xcd,0x23)+_0x16c572(0xc3,-0x4)+_0x5f047d(0x56e,0x482)+_0x16c572(0x77,0x4d)+_0x5f047d(0x615,0x57e)+_0x16c572(0x13,-0x69)+_0x5f047d(0x594,0x511)+_0x16c572(-0x2,-0x25)+_0x16c572(0x66,0xd1)+_0x16c572(0x11,-0xa3)+_0x16c572(0x1ff,0x11e)+'mmand'+_0x5f047d(0x46b,0x452)+_0x5f047d(0x5bd,0x541)+'\x20via\x20'+'craft'+'ed\x20PR'+_0x5f047d(0x483,0x49b)+_0x16c572(0x17c,0xe8),_0xd60337['langu'+_0x16c572(0xd3,0x128)]=['yaml'],_0xd60337['patte'+'rn']=/run\s*:.*\$\{\{\s*github\.event\.(?:issue|pull_request|comment|review|discussion|head_commit)\.(?:title|body|message)/g,_0xd60337['fix']=_0x16c572(-0x27,0x30)+'untru'+'sted\x20'+_0x5f047d(0x4cb,0x449)+_0x16c572(-0xf6,-0x11)+'envir'+_0x16c572(-0x170,-0x7f)+_0x16c572(0x5e,0x8e)+_0x16c572(0x11c,0xbb)+_0x16c572(0x5e,-0x83)+'v:\x20TI'+_0x16c572(0x6e,0x8d)+_0x5f047d(0x4ca,0x4bb)+_0x5f047d(0x508,0x462)+_0x5f047d(0x5f4,0x5ee)+_0x16c572(0x171,0xc4)+_0x16c572(0x7c,0xac)+_0x16c572(-0xe2,0x4)+_0x16c572(-0x23,0x66)+_0x5f047d(0x4d2,0x451)+_0x5f047d(0x480,0x4a6)+_0x16c572(0xef,0x36)+'TLE\x20i'+_0x5f047d(0x4e7,0x598)+_0x5f047d(0x4d9,0x416)+_0x5f047d(0x5b0,0x53c);const 
_0x2eb70a={};_0x2eb70a['id']=_0x16c572(-0x82,0x43)+_0x5f047d(0x635,0x547)+_0x16c572(0x166,0x7b),_0x2eb70a[_0x16c572(0xcd,0xe6)]=_0x5f047d(0x524,0x47e)+'69',_0x2eb70a[_0x16c572(-0x51,-0x8d)+_0x5f047d(0x47f,0x4b7)]=_0x5f047d(0x5a1,0x533),_0x2eb70a[_0x5f047d(0x4f1,0x58a)]='Overl'+_0x5f047d(0x4af,0x3c8)+_0x5f047d(0x52e,0x4df)+'ve\x20Wo'+_0x16c572(0x18f,0x120)+_0x16c572(0x76,0x12)+_0x16c572(-0xb7,0x3c)+_0x16c572(0x113,0xb4),_0x2eb70a[_0x16c572(-0x23,-0x86)+_0x5f047d(0x526,0x4f1)+'n']=_0x5f047d(0x4de,0x4cf)+_0x5f047d(0x5e8,0x5c2)+'or\x20br'+_0x5f047d(0x506,0x4b8)+_0x5f047d(0x45e,0x368)+'permi'+_0x5f047d(0x4a5,0x3e4)+_0x5f047d(0x61b,0x54a)+_0x16c572(-0x4e,0x5c)+_0x16c572(0x28,0x7d)+_0x5f047d(0x497,0x472)+_0x5f047d(0x4b5,0x480)+_0x5f047d(0x586,0x5eb)+_0x5f047d(0x58b,0x5b3)+'\x20acce'+'ss.',_0x2eb70a['langu'+_0x16c572(0x74,0x128)]=[_0x16c572(0x8c,0xc6)],_0x2eb70a[_0x16c572(0x19,-0x2d)+'rn']=/permissions\s*:\s*['"]?write-all['"]?/g,_0x2eb70a['fix']=_0x5f047d(0x5aa,0x628)+_0x5f047d(0x59b,0x546)+_0x5f047d(0x554,0x4c8)+_0x5f047d(0x50b,0x5c8)+'permi'+_0x16c572(0x23,-0x4d)+_0x16c572(0x73,0x6f)+_0x16c572(0xab,0x73)+_0x16c572(0x154,0xab)+'\x20what'+_0x5f047d(0x49d,0x44a)+'eded:'+_0x5f047d(0x5be,0x6a6)+_0x16c572(0xc9,0x10)+_0x5f047d(0x590,0x4eb)+_0x16c572(0x1f3,0x10a)+_0x5f047d(0x511,0x591)+_0x16c572(0xbf,0x135)+_0x16c572(0x15d,0x87)+_0x16c572(-0xcf,-0x41)+_0x16c572(0xd1,0x104)+':\x20wri'+_0x16c572(-0x7e,-0x1a);const 
_0x266bc3={};_0x266bc3['id']=_0x5f047d(0x535,0x44d)+_0x16c572(0x61,0x143)+_0x5f047d(0x55f,0x5c0),_0x266bc3['cwe']=_0x5f047d(0x524,0x4f9)+'69',_0x266bc3[_0x5f047d(0x465,0x3b0)+_0x5f047d(0x47f,0x405)]=_0x16c572(-0x6d,-0x68)+'m',_0x266bc3['title']=_0x5f047d(0x545,0x554)+'low\x20P'+_0x16c572(0x4,0x6a)+'sions'+_0x16c572(0x162,0x142)+_0x5f047d(0x527,0x4ac)+_0x16c572(-0x20,-0x2),_0x266bc3[_0x5f047d(0x46c,0x429)+_0x5f047d(0x526,0x593)+'n']=_0x16c572(0x8c,0x2f)+_0x5f047d(0x4cf,0x5a3)+_0x5f047d(0x4c9,0x52a)+_0x5f047d(0x4bc,0x5ac)+_0x16c572(0x119,0x3c)+_0x16c572(0x11f,0x125)+_0x16c572(-0xa4,-0x9a)+'lows\x20'+_0x16c572(0x28,0xf0)+_0x16c572(-0x77,0x22)+'e\x20rep'+'osito'+_0x5f047d(0x578,0x4af)+_0x5f047d(0x44e,0x4b5)+_0x16c572(0x3b,0x4a)+_0x5f047d(0x58f,0x5a7)+'broad'+_0x5f047d(0x5cd,0x5e0)+'en\x20pe'+'rmiss'+'ions.',_0x266bc3['langu'+_0x16c572(0xa7,0x128)]=['yaml'],_0x266bc3[_0x5f047d(0x4c5,0x565)+'rn']=/^on\s*:\s*$/gm,_0x266bc3[_0x16c572(-0x25,0x90)]=_0x16c572(-0xb2,-0x10)+'xplic'+_0x5f047d(0x49b,0x437)+_0x16c572(0x142,0xf9)+_0x5f047d(0x51b,0x4ca)+_0x16c572(-0xe4,-0x82)+'\x20at\x20t'+_0x5f047d(0x4a1,0x538)+'rkflo'+'w\x20lev'+_0x16c572(0x5e,0x10b)+'ermis'+_0x5f047d(0x596,0x595)+_0x5f047d(0x598,0x509)+_0x16c572(-0x5,0xd3)+'ts:\x20r'+_0x16c572(0x6a,0x103);const 
_0x3799e2={};_0x3799e2['id']=_0x16c572(0x1d,0x43)+_0x16c572(0xcf,0x88)+_0x16c572(0xcf,0x7b),_0x3799e2[_0x5f047d(0x5d8,0x5ef)]=_0x16c572(0xc3,0x85)+'29',_0x3799e2[_0x5f047d(0x465,0x381)+_0x16c572(0x75,-0x73)]=_0x16c572(0x13c,0xaf),_0x3799e2[_0x16c572(-0xa1,-0x1)]=_0x5f047d(0x609,0x65c)+_0x5f047d(0x50c,0x48d)+_0x16c572(-0xb0,-0x39)+_0x16c572(-0xe3,0x8)+_0x16c572(0xc4,0xd2),_0x3799e2[_0x16c572(0x33,-0x86)+'iptio'+'n']=_0x16c572(0x125,0xf8)+_0x16c572(-0xf,-0x47)+_0x5f047d(0x466,0x545)+_0x5f047d(0x600,0x5ba)+_0x16c572(0x148,0xa8)+'\x20scri'+_0x5f047d(0x539,0x541)+'n\x20CI\x20'+_0x16c572(0xec,0xb)+_0x16c572(0xae,0x54)+_0x5f047d(0x5a4,0x4f3)+_0x16c572(0x140,0xbd)+_0x5f047d(0x46a,0x3d4)+_0x5f047d(0x532,0x5aa)+'sed\x20c'+_0x5f047d(0x5dc,0x67f)+'ith\x20C'+_0x5f047d(0x531,0x46d)+_0x5f047d(0x4a7,0x414)+'als.',_0x3799e2[_0x16c572(0x19d,0x112)+'ages']=[_0x16c572(-0xf,0xc6)],_0x3799e2[_0x16c572(0x4e,-0x2d)+'rn']=/(?:curl|wget)\s+[^|]*\|\s*(?:bash|sh|sudo\s+(?:bash|sh))/g,_0x3799e2[_0x16c572(0xac,0x90)]=_0x5f047d(0x5ea,0x676)+_0x16c572(0x6c,0x3a)+_0x5f047d(0x487,0x48b)+_0x5f047d(0x53d,0x59e)+_0x5f047d(0x5df,0x63d)+_0x5f047d(0x60d,0x54d)+'s\x20che'+'cksum'+',\x20the'+'n\x20exe'+_0x16c572(-0x4a,-0x56)+'\x20Or\x20u'+'se\x20a\x20'+_0x5f047d(0x61c,0x604)+'d\x20Git'+_0x5f047d(0x625,0x5f9)+_0x5f047d(0x5bd,0x62c)+_0x16c572(0x1aa,0x139)+_0x5f047d(0x450,0x507);const 
_0x428968={};_0x428968['id']=_0x16c572(-0x7c,0x43)+_0x5f047d(0x5cf,0x56e)+'R-001',_0x428968['cwe']=_0x16c572(-0x60,0x32)+'50',_0x428968['sever'+_0x16c572(-0x141,-0x73)]=_0x5f047d(0x5a1,0x659),_0x428968[_0x16c572(-0x90,-0x1)]='Self-'+_0x5f047d(0x540,0x4a2)+_0x5f047d(0x509,0x58d)+'ner\x20o'+'n\x20Pub'+_0x5f047d(0x601,0x579)+_0x5f047d(0x45b,0x44e)+_0x5f047d(0x4b8,0x473)+'trary'+_0x5f047d(0x523,0x541)+'\x20Exec'+_0x5f047d(0x5ba,0x509),_0x428968[_0x5f047d(0x46c,0x535)+'iptio'+'n']=_0x16c572(0x8b,0xe7)+'hoste'+'d\x20run'+'ners\x20'+_0x5f047d(0x616,0x5ea)+_0x5f047d(0x5d0,0x5d2)+_0x16c572(0x85,0x2b)+_0x5f047d(0x5d4,0x693)+_0x5f047d(0x5e5,0x66d)+_0x16c572(-0x128,-0x4a)+_0x16c572(-0x74,0x28)+_0x16c572(-0x12d,-0x92)+_0x16c572(0xf1,0x55)+'o\x20exe'+_0x5f047d(0x484,0x40a)+'code\x20'+'on\x20yo'+'ur\x20in'+_0x16c572(0x19b,0xf7)+_0x16c572(0x7f,0x21)+_0x16c572(0x136,0xc5),_0x428968[_0x5f047d(0x604,0x525)+_0x5f047d(0x61a,0x70a)]=['yaml'],_0x428968['patte'+'rn']=/runs-on\s*:\s*['"]?self-hosted['"]?/g,_0x428968['fix']='Use\x20G'+_0x5f047d(0x516,0x4b5)+_0x5f047d(0x587,0x622)+_0x16c572(0x21f,0x137)+'nners'+'\x20for\x20'+_0x5f047d(0x5cb,0x671)+'c\x20rep'+_0x16c572(0x1db,0x11c)+_0x16c572(0xa2,0xc2)+_0x16c572(0x29,0x93)+'sted,'+'\x20rest'+'rict\x20'+_0x5f047d(0x4e8,0x52c)+_0x5f047d(0x471,0x4b1)+_0x5f047d(0x48c,0x56e)+_0x16c572(0x174,0x13a)+_0x16c572(-0x78,0x5b)+_0x5f047d(0x4a9,0x4e3)+_0x16c572(0x4f,0x26)+'ovals'+'.';const 
_0x84d96e={};_0x84d96e['id']=_0x16c572(0x10f,0x43)+_0x5f047d(0x608,0x572)+_0x16c572(-0x10b,-0x18)+'01',_0x84d96e['cwe']=_0x5f047d(0x577,0x61b)+'29',_0x84d96e[_0x16c572(0xb,-0x8d)+_0x5f047d(0x47f,0x547)]='mediu'+'m',_0x84d96e[_0x16c572(0xa7,-0x1)]=_0x5f047d(0x512,0x59f)+_0x16c572(0x176,0x119)+'pload'+'/Down'+'load\x20'+_0x16c572(-0x70,0x2f)+_0x16c572(0x106,0x74)+_0x5f047d(0x53e,0x500)+_0x16c572(0xaa,0x114),_0x84d96e['descr'+_0x5f047d(0x526,0x563)+'n']=_0x16c572(0xa4,0x53)+'low\x20a'+_0x5f047d(0x581,0x611)+_0x16c572(0x38,-0x7d)+_0x16c572(-0x7f,-0x3)+_0x5f047d(0x571,0x632)+'oned.'+_0x5f047d(0x53b,0x47d)+_0x16c572(0x73,0xb1)+_0x5f047d(0x55a,0x57a)+_0x5f047d(0x620,0x69a)+_0x5f047d(0x4ba,0x496)+_0x16c572(-0x64,0x48)+_0x16c572(-0x91,-0x74)+_0x5f047d(0x54a,0x539)+_0x5f047d(0x461,0x3bf)+_0x5f047d(0x4bd,0x47c)+_0x16c572(0xb8,-0x15)+'\x20work'+_0x16c572(-0x67,0x80)+_0x5f047d(0x54c,0x4fe)+_0x16c572(-0x6f,-0x8b)+'upply'+'\x20chai'+_0x5f047d(0x454,0x469)+_0x5f047d(0x5fe,0x5d1),_0x84d96e[_0x16c572(0xe2,0x112)+'ages']=['yaml'],_0x84d96e[_0x16c572(-0x32,-0x2d)+'rn']=/uses\s*:\s*actions\/download-artifact/g,_0x84d96e[_0x5f047d(0x582,0x4c7)]='Verif'+_0x5f047d(0x621,0x620)+_0x16c572(-0x7e,-0x62)+'\x20inte'+'grity'+_0x16c572(0x2d,-0x38)+_0x5f047d(0x55b,0x5cb)+_0x5f047d(0x584,0x4cf)+_0x16c572(-0x168,-0x77)+_0x16c572(0x3f,0xdf)+_0x5f047d(0x47d,0x53d)+_0x16c572(0x1af,0xdc)+_0x5f047d(0x543,0x45d)+_0x5f047d(0x46d,0x40c)+_0x5f047d(0x549,0x55e)+'attes'+'tatio'+'n.';const 
_0x2c1e56={};_0x2c1e56['id']=_0x5f047d(0x535,0x5b1)+_0x5f047d(0x61d,0x65b)+_0x16c572(0x151,0x7b),_0x2c1e56['cwe']='CWE-3'+'62',_0x2c1e56[_0x16c572(0x42,-0x8d)+_0x16c572(-0xf3,-0x73)]=_0x5f047d(0x525,0x4af),_0x2c1e56['title']=_0x5f047d(0x4eb,0x543)+_0x5f047d(0x47c,0x511)+_0x5f047d(0x496,0x50c)+_0x16c572(0xa3,0x61)+_0x16c572(-0x1d,-0x2c)+'\x20—\x20Du'+_0x5f047d(0x61e,0x65a)+'te\x20Wo'+_0x16c572(0x15c,0x120)+_0x5f047d(0x4a6,0x4b7)+'s',_0x2c1e56[_0x5f047d(0x46c,0x3c6)+_0x5f047d(0x526,0x468)+'n']=_0x5f047d(0x521,0x579)+_0x5f047d(0x529,0x586)+_0x5f047d(0x496,0x576)+_0x16c572(0x7e,0x61)+_0x16c572(0x101,0x56)+_0x16c572(-0x43,-0xa0)+_0x5f047d(0x591,0x62f)+_0x16c572(0xfb,0x106)+'kflow'+'\x20runs'+'\x20can\x20'+_0x5f047d(0x4be,0x59a)+_0x16c572(-0x2c,0x76)+_0x16c572(0x126,0xa5)+_0x5f047d(0x4ff,0x498)+'isten'+'t\x20dep'+'loyme'+_0x5f047d(0x5c7,0x5db),_0x2c1e56[_0x16c572(0x1b7,0x112)+_0x16c572(0x183,0x128)]=['yaml'],_0x2c1e56[_0x16c572(-0x99,-0x2d)+'rn']=/^on\s*:\s*\n\s*push\s*:/gm,_0x2c1e56['fix']=_0x16c572(0x153,0x12d)+_0x5f047d(0x4db,0x4fc)+_0x5f047d(0x54f,0x505)+':\x20{\x20g'+'roup:'+_0x16c572(0x9c,0xa3)+_0x16c572(0xc0,0x64)+_0x5f047d(0x56b,0x565)+_0x16c572(-0x96,-0x4f)+_0x16c572(0x146,0x13f)+_0x5f047d(0x485,0x3f8)+_0x16c572(0x17b,0x89)+_0x5f047d(0x5db,0x6be)+'},\x20ca'+_0x16c572(-0x148,-0x9f)+'in-pr'+'ogres'+_0x16c572(0x4a,-0x9c)+'ue\x20}';const 
_0x4a0948={};_0x4a0948['id']=_0x5f047d(0x535,0x44e)+'3P-00'+'1',_0x4a0948['cwe']=_0x16c572(0x6d,0x85)+'29',_0x4a0948[_0x16c572(-0x68,-0x8d)+_0x5f047d(0x47f,0x3c7)]='mediu'+'m',_0x4a0948[_0x5f047d(0x4f1,0x4d1)]=_0x5f047d(0x493,0x52b)+_0x5f047d(0x48e,0x46c)+_0x5f047d(0x4c2,0x4ce)+_0x5f047d(0x58e,0x55b)+'rom\x20U'+'nveri'+_0x16c572(0x9e,0x144)+'Publi'+'sher',_0x4a0948[_0x16c572(0x4d,-0x86)+_0x16c572(0xcc,0x34)+'n']='Actio'+'ns\x20fr'+_0x16c572(0x1d3,0xfd)+_0x5f047d(0x4a2,0x51a)+'\x20publ'+_0x5f047d(0x630,0x559)+_0x16c572(-0x97,-0x84)+_0x5f047d(0x5fc,0x5cb)+_0x5f047d(0x60c,0x6cd)+_0x5f047d(0x52f,0x608)+'ous\x20c'+_0x16c572(0x173,0x122)+_0x5f047d(0x50e,0x5e5)+'j-act'+_0x16c572(0x6,0x29)+_0x5f047d(0x5c9,0x518)+_0x5f047d(0x4c8,0x4a4)+_0x16c572(0x51,0xba)+_0x16c572(0xa9,0xd8)+_0x5f047d(0x4e9,0x446)+_0x5f047d(0x4b7,0x3db)+_0x16c572(-0x12c,-0x61),_0x4a0948[_0x16c572(0x1cf,0x112)+_0x16c572(0x1d4,0x128)]=['yaml'],_0x4a0948[_0x16c572(-0x38,-0x2d)+'rn']=/uses\s*:\s*(?!actions\/|github\/|docker\/|azure\/|aws-actions\/|google-github-actions\/)[a-zA-Z0-9\-_.]+\/[a-zA-Z0-9\-_.]+@/g,_0x4a0948[_0x16c572(0x73,0x90)]='Audit'+_0x16c572(0xc8,0xb9)+_0x5f047d(0x5b9,0x4cb)+_0x16c572(0x43,0xca)+'tions'+_0x5f047d(0x477,0x52c)+'re\x20us'+'e.\x20Pi'+'n\x20to\x20'+'SHA.\x20'+_0x16c572(0xce,0x8b)+_0x16c572(-0x2a,-0x63)+_0x16c572(-0x2c,0x9)+_0x5f047d(0x575,0x50c)+_0x16c572(0x1be,0x13e)+_0x16c572(-0x11,-0x60)+_0x16c572(0xc7,0xfe)+_0x5f047d(0x583,0x656)+_0x16c572(0x51,0xcb)+'.';function _0x1906(){const 
_0x396f38=['ksb0B2S','Dg9Yzsa','uLvotKu','yMXPyYa','ie9jrem','A2v5oIa','Aw9Uie4','igfSBg8','zwqGy2e','DgfYz2u','B3nLiha','y3DL','u2vSzI0','DwvZlG','CMvMih0','B2rLihC','zcbZzwm','ndiZmtm2D29evLbo','ihzLCMK','ihDYAxq','ihjLC3q','Aw5Ozxi','jhT7igG','ywLUksa','DYbHBNK','ieDjveG','D2L0Ag8','lwfSBca','zNjHC3q','rg93BMW','CM1PC3m','qs1qAw4','q1Dfltm','CMvXDwu','B20GDw4','zM9YAYa','DgfNCYa','vxnLihq','C3rVCNK','lMv2zw4','zwfKih0','DwvZDhm','D2L0Aca','zsb3B3i','ywqGCNu','B3qGu0G','C3mU','ignVBNq','zwW6iha','ywnRCY4','BNrYDxm','igv4zwm','BgLJifi','BNmGCMu','DwXSx3i','BgfUz3u','zwnRAw4','yxrPB24','BNqGDMe','qvjusuy','q3vYBca','AxjVBM0','ywn0ifu','ywLUig0','zNKGAxq','B3mUiey','DgvKieK','zxmGy28','BNLVBMu','CMTMBg8','DwiUCMu','B2rLlIa','igrPCMu','B24GChu','B25Zlca','u2nYAxa','CM9UBwu','ywDLCW','CYbNAxy','CgLUBMu','q09oqY0','CgXPy2e','qwrKigm','zMfJDhm','EsbHCNq','CMLJDgu','zIb9Fs0','DgfNig0','shvIiee','lxnJB3a','ihjLywq','Dhj1C3q','zwqGCNu','q1zflti','igLUC3q','CYb3Axq','igDPDgG','BYbhsvq','qwn0Aw8','AxnOzxi','ih19lsq','BMCGDw4','Bg93ihi','ie5VDca','uevsts0','zMLLzca','Aw4GyNi','ihrVige','zwqGAw4','zgvMyxu','zw5HyMW','zwfKlG','BMfIBgu','CYWGBxu','BMnLBc0','BIbHDhq','vxnLige','CZOGDhi','zMvYzw4','D29YA2y','Aw5ZDgu','ndGYnZeYAurIC0fh','zxbViokaLa','DxqGzgu','zw4GD3i','CML0zsa','B3qGB3i','zw5Zige','BIbPBIa','ywqUieK','zwn0Aw8','CYbZAge','C2v2zxi','zYbHBMq','BgvZihm','yw5PChu','ywjSzsa','zsbJB20','igLUAMu','zgvZy3i','CM92zw4','CYbTyxK','CZOGzw4','yMXVy2S','AxzHDgu','Dw5Uzxi','B25Tzw4','Bwv9pdW','y3rZigm','EsbTDxq','igjLzM8','lM9Zih0','mZbmDxjOD2S','AgvTigq','lIbvC2u','BMCGq28','l1nPz3m','zxjPzMK','Axr5','zxjLBMm','zw5Kywi','yxnOrMK','CY9PC3m','y3v0zsa','E3SGz2K','DcaODgK','AguGC2m','zxf1zxm','y3rSEsa','BwvKAxu','icD7BMe','ihjLCg8','BNrLzca','lvbHCNq','CIb2zxi','AwzHy3q','Cg9ZlG','CYbVCIa','vgHPCMq','zwqGy28','lI4Gvxm','BMn1CNi','zMXVDYa','vfbvvca','zwnYzxq','zMLSzxm','AxqGCgu','y3v0zs4','j3mGBMu','nhLIB2Xutq','zsbhsvq','vxnPBMC','AguGD28','A25VD24','A2zSB3C','ysbMDwW','C3nPB24','DYb
sDw4','zgvUDgK','B25LihC','DwLYzwq','DxqGDgG','B2fKAw4','AxnPyMW','zsbezxa','ChvSBf8','Esbqzxi','v3jPDgK','Bc1Yzxe','igvJAg8','vxnLiha','vxnLigi','Dg9Rzw4','y2fUigi','mcSGCMu','iefYyMK','Dg8Gu2G','ihDPDgG','mJbAuwXYwgK','DcbWzxi','zg93BNm','CMfJzsW','q1DfltK','C2vZoIa','DwvZDf8','Esbby3q','B24U','mta4oti1ogXcz3L5tG','Cgf0Dgu','r3jVDxa','tMv2zxi','B21PC2u','CgXPy2K','jhT7igC','Aw5WDxq','Bg93iem','BJOGyMW','uIbdAgu','DxqGzxG','yxjPywi','AxrPBMC','BIbYzwy','B250zxG','BNmVy2G','BNb1Dca','AgvTihy','zw50ihy','DguGFq','ihnJCMK','qunulta','B25JDxi','y3jPDgK','DhjLyw0','D3jPDgu','q0fdseu','x0vovJO','ihzPysa','qwrKigu','zJq1nI4','zsCPih0','Aw5Nihm','BguGAw4','BIb0Agu','Dg8GChi','mJmSmda','ufiGAgu','twLZC2K','mtqXmJG0n1PrEMLYtW','mtyYmJvvwwvzBvm','yM9KEsW','yw4GyMu','zMLLza','DgL0Bgu','C2vKlIa','y2HLCYa','z2DLCIa','DMf0zsa','DgXLih0','BwL0zxi','mtiZzgu','u2vJCMu','zwXSigK','AwzPzwq','ihrVieC','CgLWzwW','ywnJzxm','BMnVBNm','BMvKiokaLa','FsCGpJ4','AxnZAw8','svrivui','DYbqzxi','uI0Wmde','B2fKihC','y2TVDxq','AxrODwi','zcbsDw4','uhjPBNq','BgvNzsa','ugLWzsa','y2TMAwW','vgHLihq','mdi1ltm','ndGXoda1tuTmsK9l','zw50CZO','qxj0Awy','CNvJDhu','AxqGDgG','DgXLlca','AxriDwi','see6ihu','igfWChi','zsbPBIa','Ag8GB3a','Aw9UCYa','Bgf0Aw8','CMvWB3m','BNmGDw4','zxmGB3i','DxqGu2m','v2L0Ag8','ugfZCYa','ienVzgu','q1Dflti','Bg93','Axb0Aw8','u3bLy2K','zsaKveK','DxqGy28','BYbHzMy','B3bLifi','B2fKihq','Dw4GAgK','BwLZC2K','ywXPy2K','su5klta','ssbJCMu','ChjVBwK','ywLUifi','AgvHzca','q0Ldrc0','zgLYzwm','r2L0shu','q2fJAgu','ChrZigK','B3v0ihy','ienVBNm','BhqGkg8','CMLWDcW','CMLMAwm','zw50CYK','sg9ZDgu','CMfUy2G','zxaGu0G','zM9Yiha','y2fS','v29YA2y','Aw5LCYa','ifbsihq','BgLTAxq','yw5Jzsa','y2f0Aw8','ksbLEgy','igvUywi','AcbYzxe','zsb0Agu','CMvUy3K','ugLUige','DcbjBMO','AxjLy3q','zw5JEsa','ChjPDMK','A2vZihq','z2L0Ahu','yIbby3q','Fsb0Agu','CNvUCYa','igfYDgK','ignOzwm','zxjTAxm','BMvLzgu','y2HLigS','mdaY','DebHyMm','CY4Gu3a','sfvcx0u','BMDLzc0','jhT7ihi','zwnPzNK','DxqGvMu','otHXANnIBg4','ignHDxm','khrQlwe','vw5Zywy
','yI53B3i','z2v0ihC','mdaX','ignVBw0','ihDVCMS','zxLZoIa','ihbVAxm','zMXVD3m','ndm4meXpr1zntW','uhDUifi','ihb1yMW','zxn0CMK','q1DfltG','CNKNCYa','lcbWDwW','q1vstc0','DgH1yI4','q0KGBg8','uhjLzMu','DcbqCMK','veXfoIa','Dcb2yxi','CNrPzMe','zML4','DgHLige','A3n1Bxm','BgyTAg8','igv4y2u','lwHVC3q','BIdIGjqGvq','Df90yxi','DwiUzxy','C3nPDMu','AxrOifa','BwL0ifm','Aw9Uigy','zNrLBIa','BNm6ihS','BhrPCgW','ywn0Aw8','C3rFDge','Aw4GCNu','icr7EYa','C2LVBNm','Aw5NigK','oIb7igm','tLyGB3i','DxrPBMC','zwfZDc0','ufDolta','ig9UBhK','DwuUDgK','CY4Gq2G','zxnZlG','AgLNAa','ru5wvKe','Dw1PBMC','y2fUigu','zguGD2K','B25Z','zxiGD2G','ueLolta','CMvKige','vxnLigW','ihrOAxi','igfMzMu','AwfIBgu','ifjLBM8','EgvJDxq','ChqU','Bf9Yzxe','zcWGBMu','Fs0KE3S','B3iGC2u','y3jVC3m','Dc5PC3m','CMuU','EwfTBa','zc1Wyxi','DxrPB24','DgX5lG','DhKGywm','y3rPB24','ihbLCM0','q1DfltC','zw50igm','BgvZkcC','zxrZlIa','B2nRCYa','BIbdsq','B250zw4','y29Kzsa','BNrZlG','mZu2nZy1zMLOu2Xr','y29TChi','y3rLzca','ChvIBgK','E2rLBgK'];_0x1906=function(){return _0x396f38;};return _0x1906();}const _0x2eae7d={};_0x2eae7d['id']='CICD-'+_0x5f047d(0x5a2,0x5ac)+_0x5f047d(0x505,0x417),_0x2eae7d[_0x5f047d(0x5d8,0x6a4)]=_0x16c572(0x122,0xcd)+'8';function _0x5f047d(_0xe811ee,_0x3a5bce){return 
_0x1fe2(_0xe811ee-0x3b3,_0x3a5bce);}_0x2eae7d['sever'+'ity']=_0x5f047d(0x4dc,0x4b0)+_0x5f047d(0x544,0x45c),_0x2eae7d[_0x5f047d(0x4f1,0x56c)]=_0x16c572(-0x47,0x78)+_0x5f047d(0x49f,0x58b)+_0x16c572(0xed,0x70)+_0x5f047d(0x599,0x4ad)+_0x16c572(0x80,0xf4)+'UB_OU'+_0x16c572(0x85,-0x5a)+_0x5f047d(0x4b0,0x5a5)+'ng',_0x2eae7d[_0x5f047d(0x46c,0x3be)+_0x5f047d(0x526,0x583)+'n']='Writi'+_0x16c572(0x194,0x140)+_0x16c572(0x4a,0x136)+_0x5f047d(0x44d,0x41e)+'put\x20t'+_0x16c572(0x1bd,0x13c)+'HUB_E'+_0x5f047d(0x599,0x5c0)+_0x16c572(0x91,0xf4)+'UB_OU'+_0x5f047d(0x498,0x47c)+_0x16c572(0xcb,0xf5)+_0x5f047d(0x45c,0x3e4)+_0x16c572(0x141,0x56)+'ers\x20e'+_0x16c572(-0xae,-0xa1)+'s\x20env'+_0x5f047d(0x60a,0x5e6)+_0x16c572(0x58,-0x1b)+_0x16c572(0x1e,-0x22)+_0x5f047d(0x4e6,0x52a)+'jecti'+_0x5f047d(0x4c3,0x531),_0x2eae7d['langu'+_0x16c572(0x44,0x128)]=[_0x16c572(0x13b,0xc6)],_0x2eae7d[_0x16c572(-0xf2,-0x2d)+'rn']=/>>?\s*\$(?:GITHUB_ENV|GITHUB_OUTPUT)\b/g,_0x2eae7d['fix']=_0x5f047d(0x455,0x411)+'\x20uniq'+'ue\x20de'+'limit'+_0x5f047d(0x5a7,0x5af)+_0x16c572(-0x189,-0x95)+_0x5f047d(0x4d1,0x48a)+_0x16c572(0x79,0xa)+_0x16c572(-0x8e,0x11)+_0x5f047d(0x4e0,0x56e)+_0x16c572(-0x6c,-0x40)+_0x5f047d(0x48b,0x578)+_0x5f047d(0x474,0x521)+_0x16c572(0x1b3,0xda)+_0x16c572(-0x1f,0x5)+_0x5f047d(0x501,0x532)+'\x20$GIT'+'HUB_E'+'NV';const 
_0xdb4f88={};_0xdb4f88['id']='CICD-'+_0x16c572(-0x3c,-0x13)+'-001',_0xdb4f88[_0x5f047d(0x5d8,0x55c)]=_0x5f047d(0x5ed,0x650)+'45',_0xdb4f88[_0x16c572(-0x129,-0x8d)+'ity']=_0x16c572(0x34,-0x68)+'m',_0xdb4f88[_0x5f047d(0x4f1,0x59b)]=_0x5f047d(0x545,0x518)+_0x5f047d(0x4cc,0x3f4)+'ache\x20'+'Witho'+_0x16c572(-0x3,0x2e)+_0x16c572(-0xac,0x39)+_0x5f047d(0x576,0x481)+'ction',_0xdb4f88[_0x5f047d(0x46c,0x441)+_0x5f047d(0x526,0x56d)+'n']=_0x16c572(0x79,0x46)+_0x16c572(-0x166,-0x8e)+_0x5f047d(0x5a9,0x4c2)+_0x16c572(0xc1,0xc3)+'\x20bran'+_0x16c572(0xe9,0x1)+_0x5f047d(0x4b6,0x487)+'e\x20poi'+'soned'+'\x20by\x20a'+'\x20PR\x20t'+_0x5f047d(0x52a,0x540)+'ect\x20t'+'he\x20ma'+_0x5f047d(0x637,0x5d1)+'anch\x20'+'build'+'.',_0xdb4f88[_0x5f047d(0x604,0x5df)+_0x5f047d(0x61a,0x624)]=['yaml'],_0xdb4f88['patte'+'rn']=/uses\s*:\s*actions\/cache@/g,_0xdb4f88[_0x16c572(0xf7,0x90)]=_0x16c572(-0x104,-0x3e)+_0x16c572(-0x69,0x4f)+_0x5f047d(0x626,0x719)+_0x5f047d(0x5d5,0x68b)+_0x16c572(0xb4,0x6c)+_0x5f047d(0x570,0x615)+_0x16c572(0xc,0xe0)+_0x16c572(0xc0,0x72)+_0x5f047d(0x472,0x4de)+_0x5f047d(0x478,0x3ea)+_0x5f047d(0x5b3,0x68c)+_0x5f047d(0x62d,0x60f)+_0x16c572(0x1a5,0x121)+_0x16c572(0x15b,0x131)+_0x16c572(0x1dc,0xf1)+_0x16c572(-0x156,-0x70)+_0x5f047d(0x5c1,0x567)+'**/lo'+_0x5f047d(0x50d,0x5a9)+_0x16c572(0x12,-0xe)+'}';export const cicdRules=[_0x51560d,_0x779667,_0x49c44f,_0xd60337,_0x2eb70a,_0x266bc3,_0x3799e2,_0x428968,_0x84d96e,_0x2c1e56,_0x4a0948,_0x2eae7d,_0xdb4f88];
|
|
1
|
+
export const cicdRules = [
|
|
2
|
+
// === GitHub Actions SHA Pinning ===
|
|
3
|
+
{
|
|
4
|
+
id: "CICD-PIN-001",
|
|
5
|
+
cwe: "CWE-829",
|
|
6
|
+
severity: "high",
|
|
7
|
+
title: "GitHub Action Not SHA-Pinned — Supply Chain Risk",
|
|
8
|
+
description: "Actions referenced by mutable tags (v1, v2, main) can be compromised. CVE-2025-30066 (tj-actions/changed-files) exfiltrated secrets from 23,000+ repos via tag manipulation.",
|
|
9
|
+
languages: ["yaml"],
|
|
10
|
+
pattern: /uses\s*:\s*[a-zA-Z0-9\-_.]+\/[a-zA-Z0-9\-_.]+@(?:v\d+|main|master|latest|dev)\s*$/gm,
|
|
11
|
+
fix: "Pin actions to a full commit SHA: uses: actions/checkout@abc123def456... Use Dependabot or Renovate to keep SHAs updated.",
|
|
12
|
+
},
|
|
13
|
+
// === Pwn Request ===
|
|
14
|
+
{
|
|
15
|
+
id: "CICD-PWN-001",
|
|
16
|
+
cwe: "CWE-94",
|
|
17
|
+
severity: "critical",
|
|
18
|
+
title: "Pwn Request — pull_request_target with PR Checkout",
|
|
19
|
+
description: "pull_request_target runs with write permissions and secrets access. Checking out the PR head runs untrusted code with those permissions.",
|
|
20
|
+
languages: ["yaml"],
|
|
21
|
+
pattern: /pull_request_target/g,
|
|
22
|
+
fix: "Use pull_request trigger instead. If pull_request_target is needed, never checkout the PR head code directly.",
|
|
23
|
+
},
|
|
24
|
+
// === Secrets Leaked to Logs ===
|
|
25
|
+
{
|
|
26
|
+
id: "CICD-LOG-001",
|
|
27
|
+
cwe: "CWE-532",
|
|
28
|
+
severity: "critical",
|
|
29
|
+
title: "Secret Printed to Logs",
|
|
30
|
+
description: "Printing secrets to CI logs makes them visible in workflow run history to anyone with repo access.",
|
|
31
|
+
languages: ["yaml"],
|
|
32
|
+
pattern: /echo\s+.*\$\{\{\s*secrets\./g,
|
|
33
|
+
fix: "Never echo secrets. Use them directly in environment variables or write to files with restricted access.",
|
|
34
|
+
},
|
|
35
|
+
// === Script Injection ===
|
|
36
|
+
{
|
|
37
|
+
id: "CICD-INJ-001",
|
|
38
|
+
cwe: "CWE-78",
|
|
39
|
+
severity: "critical",
|
|
40
|
+
title: "GitHub Actions Script Injection — Untrusted Input in run:",
|
|
41
|
+
description: "Using github.event context (title, body, comments) directly in run: blocks enables command injection via crafted PRs/issues.",
|
|
42
|
+
languages: ["yaml"],
|
|
43
|
+
pattern: /run\s*:.*\$\{\{\s*github\.event\.(?:issue|pull_request|comment|review|discussion|head_commit)\.(?:title|body|message)/g,
|
|
44
|
+
fix: "Pass untrusted input via environment variables: env: TITLE: ${{ github.event.issue.title }} then reference $TITLE in the script.",
|
|
45
|
+
},
|
|
46
|
+
// === Overly Permissive Permissions ===
|
|
47
|
+
{
|
|
48
|
+
id: "CICD-PERM-001",
|
|
49
|
+
cwe: "CWE-269",
|
|
50
|
+
severity: "high",
|
|
51
|
+
title: "Overly Permissive Workflow Permissions",
|
|
52
|
+
description: "write-all or broad write permissions give the workflow token excessive access.",
|
|
53
|
+
languages: ["yaml"],
|
|
54
|
+
pattern: /permissions\s*:\s*['"]?write-all['"]?/g,
|
|
55
|
+
fix: "Use least-privilege permissions. Specify only what's needed: permissions: { contents: read, pull-requests: write }",
|
|
56
|
+
},
|
|
57
|
+
{
|
|
58
|
+
id: "CICD-PERM-002",
|
|
59
|
+
cwe: "CWE-269",
|
|
60
|
+
severity: "medium",
|
|
61
|
+
title: "Workflow Permissions Not Specified",
|
|
62
|
+
description: "Without explicit permissions, workflows inherit the repository's default (often broad) token permissions.",
|
|
63
|
+
languages: ["yaml"],
|
|
64
|
+
pattern: /^on\s*:\s*$/gm,
|
|
65
|
+
fix: "Add explicit permissions block at the workflow level: permissions: { contents: read }",
|
|
66
|
+
},
|
|
67
|
+
// === Curl Pipe Bash ===
|
|
68
|
+
{
|
|
69
|
+
id: "CICD-CURL-001",
|
|
70
|
+
cwe: "CWE-829",
|
|
71
|
+
severity: "high",
|
|
72
|
+
title: "Curl Pipe to Shell in CI",
|
|
73
|
+
description: "Downloading and executing scripts in CI pipelines can execute compromised code with CI credentials.",
|
|
74
|
+
languages: ["yaml"],
|
|
75
|
+
pattern: /(?:curl|wget)\s+[^|]*\|\s*(?:bash|sh|sudo\s+(?:bash|sh))/g,
|
|
76
|
+
fix: "Download the script, verify its checksum, then execute. Or use a pinned GitHub Action instead.",
|
|
77
|
+
},
|
|
78
|
+
// === Self-hosted Runner Risks ===
|
|
79
|
+
{
|
|
80
|
+
id: "CICD-RUNNER-001",
|
|
81
|
+
cwe: "CWE-250",
|
|
82
|
+
severity: "high",
|
|
83
|
+
title: "Self-Hosted Runner on Public Repo — Arbitrary Code Execution",
|
|
84
|
+
description: "Self-hosted runners on public repos allow anyone who opens a PR to execute code on your infrastructure.",
|
|
85
|
+
languages: ["yaml"],
|
|
86
|
+
pattern: /runs-on\s*:\s*['"]?self-hosted['"]?/g,
|
|
87
|
+
fix: "Use GitHub-hosted runners for public repos. For self-hosted, restrict to private repos with required approvals.",
|
|
88
|
+
},
|
|
89
|
+
// === Artifact Poisoning ===
|
|
90
|
+
{
|
|
91
|
+
id: "CICD-ARTIFACT-001",
|
|
92
|
+
cwe: "CWE-829",
|
|
93
|
+
severity: "medium",
|
|
94
|
+
title: "Artifact Upload/Download Without Verification",
|
|
95
|
+
description: "Workflow artifacts can be poisoned. Consuming artifacts without verification in downstream workflows enables supply chain attacks.",
|
|
96
|
+
languages: ["yaml"],
|
|
97
|
+
pattern: /uses\s*:\s*actions\/download-artifact/g,
|
|
98
|
+
fix: "Verify artifact integrity with checksums. Use OIDC/Sigstore for provenance attestation.",
|
|
99
|
+
},
|
|
100
|
+
// === Concurrency ===
|
|
101
|
+
{
|
|
102
|
+
id: "CICD-CONC-001",
|
|
103
|
+
cwe: "CWE-362",
|
|
104
|
+
severity: "low",
|
|
105
|
+
title: "Missing Concurrency Group — Duplicate Workflow Runs",
|
|
106
|
+
description: "Without concurrency limits, multiple workflow runs can race, causing inconsistent deployments.",
|
|
107
|
+
languages: ["yaml"],
|
|
108
|
+
pattern: /^on\s*:\s*\n\s*push\s*:/gm,
|
|
109
|
+
fix: "Add concurrency: { group: ${{ github.workflow }}-${{ github.ref }}, cancel-in-progress: true }",
|
|
110
|
+
},
|
|
111
|
+
// === Third-party actions ===
|
|
112
|
+
{
|
|
113
|
+
id: "CICD-3P-001",
|
|
114
|
+
cwe: "CWE-829",
|
|
115
|
+
severity: "medium",
|
|
116
|
+
title: "Third-Party Action from Unverified Publisher",
|
|
117
|
+
description: "Actions from unknown publishers may contain malicious code. The tj-actions compromise affected 23,000+ repos.",
|
|
118
|
+
languages: ["yaml"],
|
|
119
|
+
pattern: /uses\s*:\s*(?!actions\/|github\/|docker\/|azure\/|aws-actions\/|google-github-actions\/)[a-zA-Z0-9\-_.]+\/[a-zA-Z0-9\-_.]+@/g,
|
|
120
|
+
fix: "Audit third-party actions before use. Pin to SHA. Prefer verified publishers or fork the action.",
|
|
121
|
+
},
|
|
122
|
+
// === GitHub Actions environment variable injection ===
|
|
123
|
+
{
|
|
124
|
+
id: "CICD-ENVVAR-001",
|
|
125
|
+
cwe: "CWE-78",
|
|
126
|
+
severity: "critical",
|
|
127
|
+
title: "Unsafe GITHUB_ENV or GITHUB_OUTPUT Writing",
|
|
128
|
+
description: "Writing untrusted input to GITHUB_ENV or GITHUB_OUTPUT without delimiters enables environment variable injection.",
|
|
129
|
+
languages: ["yaml"],
|
|
130
|
+
pattern: />>?\s*\$(?:GITHUB_ENV|GITHUB_OUTPUT)\b/g,
|
|
131
|
+
fix: "Use a unique delimiter when writing to GITHUB_ENV: echo '{name}<<{delimiter}' >> $GITHUB_ENV",
|
|
132
|
+
},
|
|
133
|
+
// === Cache Poisoning ===
|
|
134
|
+
{
|
|
135
|
+
id: "CICD-CACHE-001",
|
|
136
|
+
cwe: "CWE-345",
|
|
137
|
+
severity: "medium",
|
|
138
|
+
title: "Workflow Cache Without Scope Restriction",
|
|
139
|
+
description: "Caches shared across branches can be poisoned by a PR to affect the main branch build.",
|
|
140
|
+
languages: ["yaml"],
|
|
141
|
+
pattern: /uses\s*:\s*actions\/cache@/g,
|
|
142
|
+
fix: "Use branch-scoped cache keys: key: ${{ runner.os }}-${{ github.ref }}-${{ hashFiles('**/lockfile') }}",
|
|
143
|
+
},
|
|
144
|
+
];
|