npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/common/zm-java-rce-cwe78-001.yaml ADDED Viewed

@@ -0,0 +1,98 @@
+# CWE-78: RCE链 — ProcessBuilder/Runtime绕过 / 命令注入变体
+# ZhuMa V4.1 — Command Injection深度检测
+# 覆盖: ProcessBuilder命令注入 / Runtime.exec() Shell绕过 / ScriptEngine RCE
+rules:
+# ZM-JAVA-RCE-PROCESSBUILDER-001: ProcessBuilder参数由用户可控
+- id: zm-java-rce-processbuilder-001
+  severity: CRITICAL
+  message: |
+    ProcessBuilder.command() 或构造函数参数包含HTTP请求参数 — 命令注入RCE。
+    即使使用了List<String>参数化形式，如果列表元素本身来自用户输入且未过滤，仍可注入。
+    修复: 1) 严格白名单允许的命令和参数 2) 禁止用户控制命令字 3) 参数使用正则校验 [a-zA-Z0-9._-]+
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new ProcessBuilder().command($REQ.getParameter(...), ...)
+    - pattern: |
+        new ProcessBuilder($REQ.getParameter(...))
+    - pattern: |
+        new ProcessBuilder($CMD_LIST)
+    - pattern: |
+        $PB.command().add($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+    severity: CRITICAL
+    precision: medium
+    category: command-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-22965"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-42889"
+      - "https://owasp.org/www-community/attacks/Command_Injection"
+# ZM-JAVA-RCE-RUNTIME-001: Runtime.exec() 参数拼接用户输入
+- id: zm-java-rce-runtime-001
+  severity: CRITICAL
+  message: |
+    Runtime.getRuntime().exec() 命令字符串直接拼接HTTP请求参数 — 命令注入RCE。
+    字符串形式的exec()会经过shell解析，特殊字符(;, |, &&, ``,$())可被利用。
+    CVE-2022-42889: Apache Commons Text StringSubstitutor命令注入(Runtime.getRuntime().exec sink)。
+    修复: 使用 ProcessBuilder 传递参数列表而非字符串，并对每个参数严格白名单校验。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        Runtime.getRuntime().exec($STR + $REQ.getParameter(...))
+    - pattern: |
+        Runtime.getRuntime().exec($REQ.getParameter(...) + $STR)
+    - pattern: |
+        Runtime.getRuntime().exec(String.format(..., $REQ.getParameter(...)))
+    - pattern: |
+        Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", $REQ.getParameter(...)})
+  metadata:
+    cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+    severity: CRITICAL
+    precision: high
+    category: command-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-42889"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-45046"
+      - "https://cwe.mitre.org/data/definitions/78.html"
+# ZM-JAVA-RCE-SCRIPTENGINE-001: ScriptEngine.eval() 执行用户脚本
+- id: zm-java-rce-scriptengine-001
+  severity: CRITICAL
+  message: |
+    ScriptEngine.eval() 将HTTP请求参数作为JavaScript/Groovy/Python脚本执行 — RCE。
+    CVE-2021-44228: Log4Shell充分利用了JNDI lookup()在ScriptEngine执行链中的组合利用。
+    注意: Java 15+ 已移除Nashorn，但项目中可能使用GraalJS/GroovyShell等替代。
+    修复: 1) 禁止用户输入作为脚本执行 2) 沙箱限制(ClassFilter) 3) 替换为安全表达式引擎
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $ENGINE.eval($REQ.getParameter(...))
+    - pattern: |
+        $ENGINE.eval($REQ.getHeader(...))
+    - pattern: |
+        new ScriptEngineManager().getEngineByName(...).eval($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+    severity: CRITICAL
+    precision: high
+    category: code-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-4000"
+      - "https://owasp.org/www-project-top-ten/2017/A1_2017-Injection"

package/rules/common/zm-java-springsec-cwe284-001.yaml ADDED Viewed

@@ -0,0 +1,109 @@
+# CWE-284/862/863: Spring Security配置缺陷 — 访问控制绕过多维度
+# ZhuMa V4.1 — Spring Security Misconfiguration深度检测
+# 覆盖: antMatcher顺序错误 / permitAll过度使用 / 方法级安全缺失 / CSRF误配置
+rules:
+# ZM-JAVA-SPRINGSEC-MATCHER-001: SecurityFilterChain规则顺序错误(仅permitAll优先)
+- id: zm-java-springsec-matcher-001
+  severity: ERROR
+  message: |
+    Spring Security antMatchers规则中 permitAll() 出现在 authenticated() 之前 — 访问控制失效。
+    规则按顺序匹配，若先匹配到 permitAll("/**")，后续所有authenticated规则被绕过。
+    这是严重的Spring Security反模式，导致整站无需认证即可访问。
+    CVE-2022-22978: Spring Security 授权绕过(asterisk模式匹配缺陷)。
+    修复: 1) 最具体的规则写在最前面 2) permitAll 仅限于静态资源和公开路由 3) 使用 requestMatchers 替代 antMatchers
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $HTTP
+            .antMatchers("/**").permitAll()
+            .antMatchers($SECURE).authenticated()
+    - pattern: |
+        $HTTP
+            .requestMatchers("/**").permitAll()
+            .requestMatchers($SECURE).authenticated()
+    - pattern: |
+        $HTTP
+            .authorizeRequests()
+            .antMatchers("/**").permitAll()
+            .anyRequest().authenticated()
+  metadata:
+    cwe: "CWE-284: Improper Access Control"
+    severity: ERROR
+    precision: high
+    category: spring-security
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-22978"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-34034"
+      - "https://spring.io/security/cve-2022-22978"
+      - "https://cwe.mitre.org/data/definitions/284.html"
+# ZM-JAVA-SPRINGSEC-METHOD-001: 方法级安全注解缺失
+- id: zm-java-springsec-method-001
+  severity: WARNING
+  message: |
+    Controller/RestController 方法未添加 @PreAuthorize/@Secured/@RolesAllowed 注解 — 缺少方法级授权。
+    仅依赖URL级安全(antMatchers)可能导致IDOR: 已认证用户可操作其他用户的资源。
+    CVE-2023-34034: Spring Security WebFlux 方法级Bypass; CVE-2023-20860: Spring MVC IDOR。
+    修复: 1) @PreAuthorize("hasRole('ADMIN')") 方法级授权 2) @PostAuthorize 过滤返回结果
+    3) @PreFilter 过滤集合参数中的未授权元素
+  languages:
+    - java
+  pattern-either:
+    - patterns:
+      - pattern: |
+          @RequestMapping(...)
+      - pattern-not: |
+          @PreAuthorize(...)
+      - pattern-not: |
+          @Secured(...)
+      - pattern-not: |
+          @RolesAllowed(...)
+  metadata:
+    cwe: "CWE-862: Missing Authorization"
+    severity: WARNING
+    precision: low
+    category: spring-security
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-34034"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-20860"
+      - "https://spring.io/guides/topicals/spring-security-architecture"
+# ZM-JAVA-SPRINGSEC-CSRF-001: SecurityFilterChain中CSRF保护被意外禁用
+- id: zm-java-springsec-csrf-001
+  severity: ERROR
+  message: |
+    SecurityFilterChain中显式调用了 .csrf().disable() — CSRF保护被禁用。
+    关闭CSRF保护时，所有state-changing操作(GET/POST/PUT/DELETE)易受跨站请求伪造攻击。
+    仅在无状态REST API中使用JWT/bearer Token可考虑禁用，但需确保无Cookie-based Session。
+    CVE-2021-22044: Spring Cloud CSRF保护不足; CVE-2023-20863: CSRF token验证绕过。
+    修复: 1) 恢复CSRF保护 2) 仅对无状态API禁用并添加注释说明 3) 使用 CsrfTokenRequestHandler
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $HTTP.csrf().disable()
+    - pattern: |
+        $HTTP.csrf($CSRF -> $CSRF.disable())
+    - pattern: |
+        $HTTP.csrf(AbstractHttpConfigurer::disable)
+  metadata:
+    cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
+    severity: ERROR
+    precision: high
+    category: spring-security
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-22044"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-20863"
+      - "https://docs.spring.io/spring-security/reference/features/exploits/csrf.html"

package/rules/common/zm-java-xstream-cwe502-001.yaml ADDED Viewed

@@ -0,0 +1,73 @@
+# CWE-502: XStream反序列化 — 不安全配置与绕过检测
+# ZhuMa V4.1 — XStream deserialization RCE
+# 覆盖: XStream.fromXML() / setupDefaultSecurity缺失 / 黑名单绕过
+rules:
+# ZM-JAVA-XSTREAM-001: XStream.fromXML() 未设置安全框架
+- id: zm-java-xstream-001
+  severity: CRITICAL
+  message: |
+    XStream.fromXML() 直接反序列化用户输入，未调用 XStream.setupDefaultSecurity() 未启用白名单。
+    默认XStream允许反序列化任意类，攻击者可利用多种gadget chain(如ImageIO/JNDI/Runtime)实现RCE。
+    CVE-2021-43859: XStream <=1.4.18 高危反序列化链(CVE-2021-21344至CVE-2021-39154共14个CVE)。
+    修复: 1) 必须调用 xstream.setupDefaultSecurity() 2) 显式 allowTypesByWildcard 白名单
+    3) 升级到 XStream >=1.4.19
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new XStream().fromXML($REQ.getParameter(...))
+    - pattern: |
+        $XSTREAM.fromXML($REQ.getInputStream())
+    - pattern: |
+        $XSTREAM.fromXML($REQ.getReader())
+    - pattern: |
+        XStream $X = new XStream();
+        ...
+        $X.fromXML($INPUT);
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: high
+    category: deserialization
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-43859"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-39144"
+      - "https://x-stream.github.io/security.html"
+# ZM-JAVA-XSTREAM-002: XStream自定义Converter绕过
+- id: zm-java-xstream-002
+  severity: CRITICAL
+  message: |
+    检测到XStream使用自定义Converter或registerConverter() — 可能引入新的gadget chain.
+    自定义Converter如果调用反射API(如Method.invoke/Class.forName)可能被恶意XML触发RCE。
+    攻击者通过构造特殊XML字符串利用Converter逻辑执行任意代码。
+    CVE-2021-39145: XStream DynamicProxyConverter导致任意代码执行。
+    修复: 1) Converter中禁止使用反射 2) 对所有输入类严格校验 3) 在Converter中实现类型白名单
+  languages:
+    - java
+  pattern-either:
+    - patterns:
+      - pattern-inside: |
+          $XS = new XStream(new $D());
+          ...
+      - pattern: |
+          $XS.registerConverter(...)
+    - pattern: |
+        $XSTREAM.registerConverter($CONVERTER)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: medium
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-39145"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-39147"
+      - "https://x-stream.github.io/CVE-2021-39145.html"

package/rules/common/zm-java-xxe-cwe611-003.yaml ADDED Viewed

@@ -0,0 +1,105 @@
+# CWE-611: XXE深入 — DocumentBuilder以外的XML解析器覆盖
+# ZhuMa V4.1 — XXE全解析器深度检测
+# 覆盖: SAXParser / StAX XMLEventReader / DOM4J SAXReader
+rules:
+# ZM-JAVA-XXE-SAX-001: SAXParser解析用户输入未禁用DTD
+- id: zm-java-xxe-sax-001
+  severity: ERROR
+  message: |
+    SAXParser.parse() 直接解析HTTP请求中的XML，未设置禁用DTD和外部实体。
+    SAXParser默认启用外部实体解析，攻击者可读取服务器敏感文件(/etc/passwd)或发起SSRF。
+    修复: 设置 SAXParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
+          + setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
+          + setFeature(XMLConstants.ACCESS_EXTERNAL_DTD, "")
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        SAXParserFactory.newInstance().newSAXParser().parse($REQ.getInputStream(), $DH)
+    - pattern: |
+        $SP.parse($REQ.getInputStream(), $DH)
+    - pattern: |
+        $SP.parse(new InputSource($REQ.getInputStream()))
+    - pattern: |
+        $SP.parse(new InputSource($REQ.getReader()))
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2017-12615"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2019-12415"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
+# ZM-JAVA-XXE-STAX-001: StAX XMLEventReader/XMLStreamReader 解析用户XML
+- id: zm-java-xxe-stax-001
+  severity: ERROR
+  message: |
+    XMLEventReader/XMLStreamReader直接解析HTTP输入流，未禁用DTD — XXE注入。
+    尽管StAX解析器默认相对安全，但未显式设置 XMLInputFactory.SUPPORT_DTD=false
+    在部分实现中仍可能处理外部实体。CVE-2019-12415: Apache POI XSSF XXE via StAX。
+    修复: XMLInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false)
+          + setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $FACTORY.createXMLEventReader($REQ.getInputStream())
+    - pattern: |
+        $FACTORY.createXMLStreamReader($REQ.getInputStream())
+    - pattern: |
+        XMLInputFactory.newInstance().createXMLEventReader($REQ.getInputStream())
+    - pattern: |
+        XMLInputFactory.newInstance().createXMLStreamReader($REQ.getInputStream())
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: medium
+    category: xxe
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2019-12415"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-33813"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
+      - "https://rules.sonarsource.com/java/RSPEC-2755/"
+# ZM-JAVA-XXE-DOM4J-001: DOM4J SAXReader 解析用户XML
+- id: zm-java-xxe-dom4j-001
+  severity: ERROR
+  message: |
+    DOM4J SAXReader.read() 直接解析HTTP请求输入流 — XXE注入。
+    DOM4J SAXReader默认不安全，必须显式禁用DOCTYPE声明和外部实体。
+    CVE-2021-33813: JDOM2 XXE via SAXBuilder (类似dom4j模式); CVE-2020-10683: dom4j XXE.
+    修复: reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
+          + reader.setFeature("http://xml.org/sax/features/external-general-entities", false)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new SAXReader().read($REQ.getInputStream())
+    - pattern: |
+        $READER.read($REQ.getInputStream())
+    - pattern: |
+        new SAXReader().read(new InputSource($REQ.getInputStream()))
+    - pattern: |
+        $READER.read($REQ.getReader())
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-10683"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-33813"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"

package/rules/common/zm-js-cwe20-nextjs-api-routes.yaml ADDED Viewed

@@ -0,0 +1,141 @@
+# CWE-20 / CWE-200 / CWE-918: Next.js API Route 安全检测
+# 逐码 ZhuMa V4.1 Sprint 3 — JS/TS 规则库
+# 覆盖: Pages Router API Routes / App Router Route Handlers
+rules:
+# ZM-JS-NEXT-001: Next.js API Route 暴露服务端错误到客户端
+- id: zm-js-next-001
+  severity: WARNING
+  message: |
+    检测到 Next.js API Route handler 中可能将服务端错误详情直接返回给客户端。
+    包括未捕获异常、数据库错误详情、Internal Server Error with stack trace 等。
+    CVE-2021-43887: Next.js <12.0.4 错误响应泄露绝对路径。
+    CWE-209: Generation of Error Message Containing Sensitive Information。
+    修复:
+    1. 使用 try-catch 包裹所有 handler 逻辑，返回通用错误 msg
+    2. 生产环境 NODE_ENV=production 时，res.status(500).json({ error: 'Internal Server Error' })
+    3. 统一错误处理中间件脱敏
+    4. 使用 Sentry/Bugsnag 等服务端错误收集，不返回客户端
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        export default function handler($REQ, $RES) {
+          ...
+          $RES.status(500).json($ERR)
+        }
+    - pattern: |
+        export async function $HANDLER($REQ, $RES) {
+          ...
+          $RES.status(500).json(...)
+        }
+    - pattern: |
+        export async function $METHOD($REQ) {
+          ...
+          return NextResponse.json($ERR, { status: 500 })
+        }
+  metadata:
+    cwe: "CWE-209: Generation of Error Message Containing Sensitive Information + CWE-200: Exposure of Sensitive Information"
+    owasp: "A04:2021 - Insecure Design"
+    category: nextjs
+    precision: low
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-43887"
+      - "https://nextjs.org/docs/messages/api-routes-response-helpers"
+# ZM-JS-NEXT-002: Next.js API Route 未做输入验证 (SSRF/注入入口)
+- id: zm-js-next-002
+  severity: WARNING
+  message: |
+    检测到 Next.js API Route 中直接使用 req.body / req.query / params 进行外部请求
+    或数据库操作，未经过输入验证或 sanitization。
+    API Routes 直接暴露为 HTTP 端点，任何未验证的输入都可被攻击者利用。
+    CWE-20: Improper Input Validation。
+    修复:
+    1. 使用 zod/yup/joi 对 req.body 做 schema 验证
+    2. 对 URL 参数使用 encodeURIComponent 或 URL 白名单
+    3. Next.js middleware 层做全局输入验证
+    4. 限制 body 大小: export const config = { api: { bodyParser: { sizeLimit: '1mb' } } }
+  languages:
+    - javascript
+    - typescript
+  patterns:
+    - pattern-either:
+        - pattern: |
+            export default function handler($REQ, $RES) {
+              ...
+              fetch($REQ.query.url, ...)
+            }
+        - pattern: |
+            export default function handler($REQ, $RES) {
+              ...
+              $DB.query($REQ.body.query, ...)
+            }
+        - pattern: |
+            export async function $METHOD($REQ) {
+              ...
+              fetch(...)
+            }
+    - pattern-not: |
+        ...
+        $SCHEMA.parse($REQ.body)
+    - pattern-not: |
+        ...
+        $VALIDATOR(...)
+  metadata:
+    cwe: "CWE-20: Improper Input Validation + CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A03:2021 - Injection"
+    category: nextjs
+    precision: medium
+    references:
+      - "https://nextjs.org/docs/pages/building-your-application/routing/api-routes"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html"
+# ZM-JS-NEXT-003: Next.js getServerSideProps 泄露敏感数据
+- id: zm-js-next-003
+  severity: ERROR
+  message: |
+    检测到 getServerSideProps 中可能将敏感数据(token/密钥/password/db结果)直接通过 props
+    传递给客户端组件。getServerSideProps 返回的 props 会序列化为 JSON 嵌入页面源码中，
+    可被任何用户通过"查看页面源代码"获取。
+    CWE-200: Exposure of Sensitive Information。
+    修复:
+    1. Never pass process.env.SECRET_KEYS / db connection strings / internal URLs through props
+    2. 只在服务端使用环境变量，不在客户端展示
+    3. 仅返回组件渲染所需的最小数据集
+    4. 使用 server-only npm 标记仅服务端代码
+    5. 敏感数据通过 API Route 按需获取，而非 SSR props 全量传递
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        export async function getServerSideProps($CTX) {
+          ...
+          return {
+            props: {
+              ...$SECRETS
+            }
+          }
+        }
+    - pattern: |
+        export const getServerSideProps = async ($CTX) => {
+          ...
+          return { props: { ...$DATA } }
+        }
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+    owasp: "A04:2021 - Insecure Design"
+    category: nextjs
+    precision: medium
+    references:
+      - "https://nextjs.org/docs/pages/building-your-application/data-fetching/get-server-side-props"
+      - "https://cwe.mitre.org/data/definitions/200.html"

package/rules/common/zm-js-cwe287-aws-lambda-config.yaml ADDED Viewed

@@ -0,0 +1,107 @@
+# CWE-287 / CWE-284: AWS Lambda / Serverless Framework 安全配置
+# 逐码 ZhuMa V4.1 Sprint 3 — JS/TS 规则库
+# 覆盖: Lambda handler 权限、环境变量泄露、Serverless 配置缺陷
+rules:
+# ZM-JS-AWS-001: Lambda 环境变量中硬编码敏感凭证
+- id: zm-js-aws-001
+  severity: ERROR
+  message: |
+    检测到 AWS Lambda handler 中可能通过 process.env 直接使用硬编码的密钥/Token。
+    Lambda 环境变量在 AWS Console 中明文可见，若 IAM 角色配置不当或通过 API 泄露，
+    攻击者可获取所有环境变量值。
+    CVE-2018-1000048: AWS Lambda 环境变量注入导致RCE。
+    CWE-798: Use of Hard-coded Credentials。
+    CWE-522: Insufficiently Protected Credentials。
+    修复:
+    1. 使用 AWS Secrets Manager 存储敏感凭证:
+       const secrets = await secretsManager.getSecretValue({ SecretId: 'my-secret' }).promise()
+    2. 使用 AWS SSM Parameter Store (SecureString):
+       const param = await ssm.getParameter({ Name: '/app/db-password', WithDecryption: true }).promise()
+    3. 使用 AWS KMS 加密环境变量(即使存储在 Lambda 中也加密)
+    4. Lambda Execution Role 权限最小化，禁止 ssm:GetParameter * 通配
+    5. 不要在 serverless.yml 的 environment 段直接写密钥值
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: process.env.$SECRET
+    - pattern: process.env[$SECRET]
+    - pattern: process.env.SECRET_KEY
+    - pattern: process.env.API_KEY
+    - pattern: process.env.ACCESS_KEY
+    - pattern: process.env.DATABASE_URL
+    - pattern: process.env.REDIS_URL
+  metavariable-regex:
+    metavariable: $SECRET
+    regex: '(?i)(SECRET|TOKEN|KEY|PASSWORD|PASSWD|PWD|CRED|AUTH|API_KEY|ACCESS_KEY|PRIVATE_KEY|CERT|DATABASE_URL|REDIS_URL|MONGO|MYSQL|POSTGRES|MSSQL|ORACLE|ENCRYPT|DECRYPT|SIGN|VERIFY)'
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials + CWE-522: Insufficiently Protected Credentials"
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    category: serverless
+    precision: low
+    confidence: medium
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2018-1000048"
+      - "https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Serverless_Security_Cheat_Sheet.html"
+# ZM-JS-AWS-002: Lambda handler 事件输入未验证直接使用
+- id: zm-js-aws-002
+  severity: WARNING
+  message: |
+    检测到 Lambda handler 中直接使用 event 对象作为数据库查询、文件操作或命令执行的参数，
+    未做输入验证和类型检查。攻击者可通过 AWS API Gateway / S3 trigger / SQS 等注入
+    恶意事件触发代码执行。
+    CWE-20: Improper Input Validation。
+    CWE-913: Improper Control of Dynamically-Managed Code Resources。
+    AWS Lambda 事件来源多样(API Gateway, S3, DynamoDB Streams, SNS, SQS),
+    每个来源的 event 格式不同，但均可被恶意构造。
+    修复:
+    1. 使用 zod/yup 对 event 对象做 schema 验证:
+       const schema = z.object({ name: z.string().min(1).max(100) })
+       const parsed = schema.parse(event)
+    2. 对 event.body (API Gateway proxy integration) 做 JSON.parse 后验证
+    3. 使用 API Gateway 请求验证器 + Model 做第一层过滤
+    4. 对所有文件路径、数据库查询参数做 is-this-safe 判断
+    5. 使用 middy 中间件统一验证: middy(handler).use(validator({ eventSchema }))
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        exports.handler = async ($EVENT) => {
+          ...
+          $DB.query(...)
+        }
+    - pattern: |
+        exports.handler = async ($EVENT, $CTX) => {
+          ...
+          $DB.query(...)
+        }
+    - pattern: |
+        module.exports.handler = async ($EVENT) => {
+          ...
+          $DB.exec(...)
+        }
+    - pattern: |
+        export const handler = async ($EVENT: $TYPE) => {
+          ...
+          $DB.query(...)
+        }
+  metadata:
+    cwe: "CWE-20: Improper Input Validation + CWE-913: Improper Control of Dynamically-Managed Code Resources"
+    owasp: "A03:2021 - Injection"
+    category: serverless
+    precision: low
+    confidence: medium
+    references:
+      - "https://docs.aws.amazon.com/lambda/latest/dg/lambda-services.html"
+      - "https://github.com/middyjs/middy"
+      - "https://owasp.org/www-project-serverless-top-10/"