@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

package/rules/quarantined/cwe-20/zm-js-cwe20-nextjs-api-routes.yaml

@@ -0,0 +1,142 @@
+# Source: common | Cluster: N/A
+# CWE-20 / CWE-200 / CWE-918: Next.js API Route 安全检测
+# 逐码 ZhuMa V4.1 Sprint 3 — JS/TS 规则库
+# 覆盖: Pages Router API Routes / App Router Route Handlers
+
+rules:
+
+# ZM-JS-NEXT-001: Next.js API Route 暴露服务端错误到客户端
+- id: zm-js-next-001
+  severity: WARNING
+  message: |
+    检测到 Next.js API Route handler 中可能将服务端错误详情直接返回给客户端。
+    包括未捕获异常、数据库错误详情、Internal Server Error with stack trace 等。
+
+    CVE-2021-43887: Next.js <12.0.4 错误响应泄露绝对路径。
+    CWE-209: Generation of Error Message Containing Sensitive Information。
+
+    修复:
+    1. 使用 try-catch 包裹所有 handler 逻辑，返回通用错误 msg
+    2. 生产环境 NODE_ENV=production 时，res.status(500).json({ error: 'Internal Server Error' })
+    3. 统一错误处理中间件脱敏
+    4. 使用 Sentry/Bugsnag 等服务端错误收集，不返回客户端
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        export default function handler($REQ, $RES) {
+          ...
+          $RES.status(500).json($ERR)
+        }
+    - pattern: |
+        export async function $HANDLER($REQ, $RES) {
+          ...
+          $RES.status(500).json(...)
+        }
+    - pattern: |
+        export async function $METHOD($REQ) {
+          ...
+          return NextResponse.json($ERR, { status: 500 })
+        }
+  metadata:
+    cwe: "CWE-209: Generation of Error Message Containing Sensitive Information + CWE-200: Exposure of Sensitive Information"
+    owasp: "A04:2021 - Insecure Design"
+    category: nextjs
+    precision: low
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-43887"
+      - "https://nextjs.org/docs/messages/api-routes-response-helpers"
+
+# ZM-JS-NEXT-002: Next.js API Route 未做输入验证 (SSRF/注入入口)
+- id: zm-js-next-002
+  severity: WARNING
+  message: |
+    检测到 Next.js API Route 中直接使用 req.body / req.query / params 进行外部请求
+    或数据库操作，未经过输入验证或 sanitization。
+
+    API Routes 直接暴露为 HTTP 端点，任何未验证的输入都可被攻击者利用。
+    CWE-20: Improper Input Validation。
+
+    修复:
+    1. 使用 zod/yup/joi 对 req.body 做 schema 验证
+    2. 对 URL 参数使用 encodeURIComponent 或 URL 白名单
+    3. Next.js middleware 层做全局输入验证
+    4. 限制 body 大小: export const config = { api: { bodyParser: { sizeLimit: '1mb' } } }
+  languages:
+    - javascript
+    - typescript
+  patterns:
+    - pattern-either:
+        - pattern: |
+            export default function handler($REQ, $RES) {
+              ...
+              fetch($REQ.query.url, ...)
+            }
+        - pattern: |
+            export default function handler($REQ, $RES) {
+              ...
+              $DB.query($REQ.body.query, ...)
+            }
+        - pattern: |
+            export async function $METHOD($REQ) {
+              ...
+              fetch(...)
+            }
+    - pattern-not: |
+        ...
+        $SCHEMA.parse($REQ.body)
+    - pattern-not: |
+        ...
+        $VALIDATOR(...)
+  metadata:
+    cwe: "CWE-20: Improper Input Validation + CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A03:2021 - Injection"
+    category: nextjs
+    precision: medium
+    references:
+      - "https://nextjs.org/docs/pages/building-your-application/routing/api-routes"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html"
+
+# ZM-JS-NEXT-003: Next.js getServerSideProps 泄露敏感数据
+- id: zm-js-next-003
+  severity: ERROR
+  message: |
+    检测到 getServerSideProps 中可能将敏感数据(token/密钥/password/db结果)直接通过 props
+    传递给客户端组件。getServerSideProps 返回的 props 会序列化为 JSON 嵌入页面源码中，
+    可被任何用户通过"查看页面源代码"获取。
+
+    CWE-200: Exposure of Sensitive Information。
+
+    修复:
+    1. Never pass process.env.SECRET_KEYS / db connection strings / internal URLs through props
+    2. 只在服务端使用环境变量，不在客户端展示
+    3. 仅返回组件渲染所需的最小数据集
+    4. 使用 server-only npm 标记仅服务端代码
+    5. 敏感数据通过 API Route 按需获取，而非 SSR props 全量传递
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        export async function getServerSideProps($CTX) {
+          ...
+          return {
+            props: {
+              ...$SECRETS
+            }
+          }
+        }
+    - pattern: |
+        export const getServerSideProps = async ($CTX) => {
+          ...
+          return { props: { ...$DATA } }
+        }
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+    owasp: "A04:2021 - Insecure Design"
+    category: nextjs
+    precision: medium
+    references:
+      - "https://nextjs.org/docs/pages/building-your-application/data-fetching/get-server-side-props"
+      - "https://cwe.mitre.org/data/definitions/200.html"

package/rules/quarantined/cwe-200/cl-200-all-189.yaml

@@ -0,0 +1,46 @@
+# zhuma-nvd-200-200-all-189.yaml
+# Generated: 2026-06-28T10:37:40.289Z
+# Source: P2 auto-generation (fixed) from P1.5 classified clusters
+# Cluster: CL-200-ALL-189 | CWE: CWE-200 | Lang: all
+# Precision: LOW | Noise: HIGH
+# CVEs: 1163 | KEV: 2 | Exploit: 21
+
+rules:
+- id: zhuma-nvd-200-200-all-189
+  metadata:
+    category: A04:2021-Insecure Design
+    cwe: "CWE-200: Information Disclosure"
+    cve: "CVE-2021-41277, CVE-2024-24919, CVE-2020-6170, CVE-2020-5330, CVE-2014-4019, CVE-2014-7863, CVE-2013-0291, CVE-2013-1602"
+    likelihood: LOW
+    precision: LOW
+    impact: LOW
+    confidence: MEDIUM
+    source: nvd+wooyun
+    references:
+      - https://nvd.nist.gov/vuln/detail/CVE-2021-41277
+      - https://nvd.nist.gov/vuln/detail/CVE-2024-24919
+      - https://nvd.nist.gov/vuln/detail/CVE-2020-6170
+      - https://nvd.nist.gov/vuln/detail/CVE-2020-5330
+      - https://nvd.nist.gov/vuln/detail/CVE-2014-4019
+      - https://cwe.mitre.org/data/definitions/200.html
+
+  message: |
+    检测到敏感信息泄露风险。错误信息/堆栈追踪暴露了系统内部信息。
+        修复: 生产环境关闭DEBUG模式，使用通用错误页面，日志单独存储。
+
+  severity: INFO
+  languages:
+    - generic
+
+  patterns:
+  - pattern-regex: '\.printStackTrace|traceback\.print_exc'
+  # Stack trace in production output
+  # CONSTRAINT: ⚠️ CRITICAL: This pattern has inherent high FP risk with Semgrep OSS
+  # CONSTRAINT: pattern-not: exclude common false-positive patterns documented in rule message
+  # CONSTRAINT: Reduce severity to INFO — do not block CI/CD pipelines
+
+  # --- P2 METADATA ---
+  # cluster_id: CL-200-ALL-189
+  # cwe: CWE-200 | language: all
+  # sink_patterns: [object Object]
+  # wooyun_cases: 7 | tier: N/A

package/rules/quarantined/cwe-200/cl-200-all-190.yaml

@@ -0,0 +1,45 @@
+# zhuma-nvd-200-200-all-190.yaml
+# Generated: 2026-06-28T10:37:40.290Z
+# Source: P2 auto-generation (fixed) from P1.5 classified clusters
+# Cluster: CL-200-ALL-190 | CWE: CWE-200 | Lang: all
+# Precision: LOW | Noise: HIGH
+# CVEs: 1163 | KEV: 2 | Exploit: 21
+
+rules:
+- id: zhuma-nvd-200-200-all-190
+  metadata:
+    category: A04:2021-Insecure Design
+    cwe: "CWE-200: Information Disclosure"
+    cve: "CVE-2021-41277, CVE-2024-24919, CVE-2020-6170, CVE-2020-5330, CVE-2014-4019, CVE-2014-7863, CVE-2013-0291, CVE-2013-1602"
+    likelihood: LOW
+    precision: LOW
+    impact: LOW
+    confidence: MEDIUM
+    source: nvd+wooyun
+    references:
+      - https://nvd.nist.gov/vuln/detail/CVE-2021-41277
+      - https://nvd.nist.gov/vuln/detail/CVE-2024-24919
+      - https://nvd.nist.gov/vuln/detail/CVE-2020-6170
+      - https://nvd.nist.gov/vuln/detail/CVE-2020-5330
+      - https://nvd.nist.gov/vuln/detail/CVE-2014-4019
+      - https://cwe.mitre.org/data/definitions/200.html
+
+  message: |
+    检测到敏感信息泄露风险。错误信息/堆栈追踪暴露了系统内部信息。
+        修复: 生产环境关闭DEBUG模式，使用通用错误页面，日志单独存储。
+
+  severity: INFO
+  languages:
+    - generic
+
+  patterns:
+  - pattern-regex: 'SQLException|DatabaseError'
+  # CONSTRAINT: ⚠️ CRITICAL: This pattern has inherent high FP risk with Semgrep OSS
+  # CONSTRAINT: pattern-not: exclude common false-positive patterns documented in rule message
+  # CONSTRAINT: Reduce severity to INFO — do not block CI/CD pipelines
+
+  # --- P2 METADATA ---
+  # cluster_id: CL-200-ALL-190
+  # cwe: CWE-200 | language: all
+  # sink_patterns: [object Object]
+  # wooyun_cases: 7 | tier: N/A

package/rules/quarantined/cwe-200/cl-200-all-191.yaml

@@ -0,0 +1,43 @@
+# zhuma-nvd-200-200-all-191.yaml
+# Generated: 2026-06-28T10:37:40.290Z
+# Source: P2 auto-generation (fixed) from P1.5 classified clusters
+# Cluster: CL-200-ALL-191 | CWE: CWE-200 | Lang: all
+# Precision: LOW | Noise: HIGH
+# CVEs: 1163 | KEV: 2 | Exploit: 21
+
+rules:
+- id: zhuma-nvd-200-200-all-191
+  metadata:
+    category: A04:2021-Insecure Design
+    cwe: "CWE-200: Information Disclosure"
+    cve: "CVE-2021-41277, CVE-2024-24919, CVE-2020-6170, CVE-2020-5330, CVE-2014-4019, CVE-2014-7863, CVE-2013-0291, CVE-2013-1602"
+    likelihood: LOW
+    precision: LOW
+    impact: LOW
+    confidence: MEDIUM
+    source: nvd+wooyun
+    references:
+      - https://nvd.nist.gov/vuln/detail/CVE-2021-41277
+      - https://nvd.nist.gov/vuln/detail/CVE-2024-24919
+      - https://nvd.nist.gov/vuln/detail/CVE-2020-6170
+      - https://nvd.nist.gov/vuln/detail/CVE-2020-5330
+      - https://nvd.nist.gov/vuln/detail/CVE-2014-4019
+      - https://cwe.mitre.org/data/definitions/200.html
+
+  message: |
+    检测到敏感信息泄露风险。错误信息/堆栈追踪暴露了系统内部信息。
+        修复: 生产环境关闭DEBUG模式，使用通用错误页面，日志单独存储。
+
+  severity: INFO
+  languages:
+    - generic
+
+  patterns:
+  - pattern-regex: 'Server:|X-Powered-By|X-AspNet-Version'
+  # CONSTRAINT: pattern: verify sink is in security-sensitive context
+
+  # --- P2 METADATA ---
+  # cluster_id: CL-200-ALL-191
+  # cwe: CWE-200 | language: all
+  # sink_patterns: [object Object]
+  # wooyun_cases: 7 | tier: N/A

package/rules/quarantined/cwe-200/cl-200-all-192.yaml

@@ -0,0 +1,43 @@
+# zhuma-nvd-200-200-all-192.yaml
+# Generated: 2026-06-28T10:37:40.291Z
+# Source: P2 auto-generation (fixed) from P1.5 classified clusters
+# Cluster: CL-200-ALL-192 | CWE: CWE-200 | Lang: all
+# Precision: LOW | Noise: HIGH
+# CVEs: 1163 | KEV: 2 | Exploit: 21
+
+rules:
+- id: zhuma-nvd-200-200-all-192
+  metadata:
+    category: A04:2021-Insecure Design
+    cwe: "CWE-200: Information Disclosure"
+    cve: "CVE-2021-41277, CVE-2024-24919, CVE-2020-6170, CVE-2020-5330, CVE-2014-4019, CVE-2014-7863, CVE-2013-0291, CVE-2013-1602"
+    likelihood: LOW
+    precision: LOW
+    impact: LOW
+    confidence: MEDIUM
+    source: nvd+wooyun
+    references:
+      - https://nvd.nist.gov/vuln/detail/CVE-2021-41277
+      - https://nvd.nist.gov/vuln/detail/CVE-2024-24919
+      - https://nvd.nist.gov/vuln/detail/CVE-2020-6170
+      - https://nvd.nist.gov/vuln/detail/CVE-2020-5330
+      - https://nvd.nist.gov/vuln/detail/CVE-2014-4019
+      - https://cwe.mitre.org/data/definitions/200.html
+
+  message: |
+    检测到敏感信息泄露风险。错误信息/堆栈追踪暴露了系统内部信息。
+        修复: 生产环境关闭DEBUG模式，使用通用错误页面，日志单独存储。
+
+  severity: INFO
+  languages:
+    - generic
+
+  patterns:
+  - pattern-regex: 'file not found|include_path'
+  # CONSTRAINT: pattern: verify sink is in security-sensitive context
+
+  # --- P2 METADATA ---
+  # cluster_id: CL-200-ALL-192
+  # cwe: CWE-200 | language: all
+  # sink_patterns: [object Object]
+  # wooyun_cases: 7 | tier: N/A

package/rules/quarantined/cwe-200/cl-200-all-193.yaml

@@ -0,0 +1,43 @@
+# zhuma-nvd-200-200-all-193.yaml
+# Generated: 2026-06-28T10:37:40.291Z
+# Source: P2 auto-generation (fixed) from P1.5 classified clusters
+# Cluster: CL-200-ALL-193 | CWE: CWE-200 | Lang: all
+# Precision: LOW | Noise: HIGH
+# CVEs: 1163 | KEV: 2 | Exploit: 21
+
+rules:
+- id: zhuma-nvd-200-200-all-193
+  metadata:
+    category: A04:2021-Insecure Design
+    cwe: "CWE-200: Information Disclosure"
+    cve: "CVE-2021-41277, CVE-2024-24919, CVE-2020-6170, CVE-2020-5330, CVE-2014-4019, CVE-2014-7863, CVE-2013-0291, CVE-2013-1602"
+    likelihood: LOW
+    precision: LOW
+    impact: LOW
+    confidence: MEDIUM
+    source: nvd+wooyun
+    references:
+      - https://nvd.nist.gov/vuln/detail/CVE-2021-41277
+      - https://nvd.nist.gov/vuln/detail/CVE-2024-24919
+      - https://nvd.nist.gov/vuln/detail/CVE-2020-6170
+      - https://nvd.nist.gov/vuln/detail/CVE-2020-5330
+      - https://nvd.nist.gov/vuln/detail/CVE-2014-4019
+      - https://cwe.mitre.org/data/definitions/200.html
+
+  message: |
+    检测到敏感信息泄露风险。错误信息/堆栈追踪暴露了系统内部信息。
+        修复: 生产环境关闭DEBUG模式，使用通用错误页面，日志单独存储。
+
+  severity: INFO
+  languages:
+    - generic
+
+  patterns:
+  - pattern-regex: 'DEBUG=True|debug: true|NODE_ENV=development'
+  # CONSTRAINT: pattern: verify sink is in security-sensitive context
+
+  # --- P2 METADATA ---
+  # cluster_id: CL-200-ALL-193
+  # cwe: CWE-200 | language: all
+  # sink_patterns: [object Object]
+  # wooyun_cases: 7 | tier: N/A

package/rules/quarantined/cwe-200/cwe-200-sensitive-data-exposure.yaml

@@ -0,0 +1,62 @@
+# Source: common | Cluster: N/A
+# CWE-200: 敏感数据暴露检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+
+rules:
+
+# ZM-JAVA-SDE-001: 日志输出密码/Token 变量
+- id: zm-java-sde-001
+  severity: HIGH
+  message: |
+    检测到日志中可能输出敏感变量 (password / token / secret / apiKey)。
+    敏感数据不应出现在日志中，可能导致信息泄露。
+    应在日志中脱敏或移除敏感字段。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $LOGGER.info($PWD);
+    - pattern: |
+        $LOGGER.debug($PWD);
+    - pattern: |
+        $LOGGER.error($PWD);
+    - pattern: |
+        $LOGGER.warn($PWD);
+    - pattern: |
+        System.out.println($PWD);
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+    owasp: "A04:2021 - Insecure Design"
+    precision: very-low
+
+# ZM-JAVA-SDE-002: toString 暴露敏感字段
+- id: zm-java-sde-002
+  severity: MEDIUM
+  message: |
+    toString() 方法中包含 password/token 等敏感字段输出。
+    应在 toString 中排除或脱敏敏感字段。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        return "..." + $PWD + "...";
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+    owasp: "A04:2021 - Insecure Design"
+    precision: very-low
+
+# ZM-JAVA-SDE-003: printStackTrace 泄漏堆栈
+- id: zm-java-sde-003
+  severity: LOW
+  message: |
+    检测到异常堆栈直接输出到标准输出/错误流。
+    生产环境应将异常记录到日志框架，避免向用户暴露内部实现细节。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $E.printStackTrace();
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+    owasp: "A04:2021 - Insecure Design"
+    precision: very-high

package/rules/quarantined/cwe-200/zm-go-cwe200-grpc-metadata.yaml

@@ -0,0 +1,41 @@
+# Source: common | Cluster: N/A
+rules:
+  - id: zm-go-grpc-meta-001
+    severity: ERROR
+    message: >-
+      gRPC metadata明文传输"authorization"/"token"/"api-key"等认证凭据。
+      若不使用TLS则以明文在HTTP/2帧中发送，可被网络嗅探获取。
+      修复：使用TLS加密gRPC连接(credentials.NewClientTLSFromCert)，
+      或使用应用层加密传输敏感元数据。
+    languages:
+      - go
+    patterns:
+      - pattern-either:
+          - pattern: $X.New($Y, "$Z")
+    metadata:
+      cwe: "CWE-200"
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: HIGH
+      owasp: "A04:2021"
+      category: grpc-security
+      cve: "CVE-2022-31081"
+  - id: zm-go-grpc-meta-002
+    severity: WARNING
+    message: >-
+      gRPC metadata Append/Set方法设置敏感键名("authorization"/"token"等)。
+      若gRPC连接未加密，这些元数据将以明文传输。
+      修复：确保gRPC使用TLS，或用protobuf消息体传输敏感数据。
+    languages:
+      - go
+    patterns:
+      - pattern-either:
+          - pattern: $X.Append("$Z", $VAL)
+          - pattern: $X.Set("$Z", $VAL)
+    metadata:
+      cwe: "CWE-200"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      owasp: "A04:2021"
+      category: grpc-security

package/rules/quarantined/cwe-200/zm-java-cwe200-actuator-exposure.yaml

@@ -0,0 +1,9 @@
+# Source: common | Cluster: N/A
+# CWE-200: Spring Boot Actuator 敏感端点暴露
+rules:
+- id: zm-java-act-02
+  severity: WARNING
+  message: SecurityConfig permits all Actuator endpoints - /actuator/env /actuator/heapdump externally accessible.
+  languages: [java]
+  pattern: EndpointRequest.toAnyEndpoint().permitAll()
+  metadata: { cwe: "CWE-200", precision: very-high, category: config, owasp: "A05:2021" }

package/rules/quarantined/cwe-200/zm-java-cwe200-info-disclosure.yaml

@@ -0,0 +1,92 @@
+# Source: common | Cluster: N/A
+# CWE-200 信息泄露深度覆盖 (v2): 敏感配置、调试端点、Stacktrace暴露
+
+rules:
+
+# ZM-JAVA-STACKTRACE-001: 未捕获异常直接输出到HTTP响应
+- id: zm-java-stacktrace-001
+  severity: MEDIUM
+  message: |
+    e.printStackTrace() 输出到 System.err，而 Spring Boot 默认将 stderr 路由到 HTTP 响应体。
+    替换为结构化日志（SLF4J）并只返回通用错误消息。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $E.printStackTrace();
+    - pattern: $E.printStackTrace($WRITER);
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information Through Stack Trace"
+    owasp: "A05:2021 - Security Misconfiguration"
+    precision: high
+    tags: [info-disclosure, stacktrace, error-handling]
+
+# ZM-JAVA-CONSOLE-001: System.out/System.err 直接输出敏感变量
+- id: zm-java-console-001
+  severity: LOW
+  message: |
+    System.out/err 在控制器中使用——通常用于调试（密码/令牌/token 关键词）。
+    生产环境应使用 SLF4J/Logback 的级别过滤。
+  languages:
+    - java
+  pattern-either:
+    - pattern: System.out.println($X);
+    - pattern: System.err.println($X);
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information"
+    owasp: "A09:2021 - Security Logging and Monitoring Failures"
+    precision: low
+    tags: [info-disclosure, console, debug]
+
+# ZM-JAVA-SPRING-DEVTOOLS-001: Spring DevTools 远程调试在生产环境启用
+- id: zm-java-devtools-001
+  severity: HIGH
+  message: |
+    spring-boot-devtools 在生产 classpath 中——Remote Restart 可被利用执行任意代码。
+    移除生产环境的 devtools 依赖或设置 `spring.devtools.remote.enabled=false`。
+  languages:
+    - java
+  pattern: |
+    import org.springframework.boot.devtools.$X;
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information"
+    owasp: "A05:2021 - Security Misconfiguration"
+    precision: very-high
+    tags: [info-disclosure, devtools, rce]
+
+# ZM-JAVA-ERROR-PAGE-001: 自定义错误页面中泄露内部路径/类名
+- id: zm-java-error-page-001
+  severity: LOW
+  message: |
+    ResponseEntity 构造中可能包含 `e.getMessage()` — 泄露内部类名/路径。
+    生产环境返回通用错误消息 `"Internal Server Error"` 而非异常消息。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        return ResponseEntity.status(500).body($E.getMessage());
+    - pattern: |
+        ResponseEntity.status($CODE).body($E.getMessage())
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information"
+    owasp: "A05:2021 - Security Misconfiguration"
+    precision: medium
+    tags: [info-disclosure, error-page, spring-boot]
+
+# ZM-JAVA-CORS-WILDCARD: CORS Access-Control-Allow-Origin 为 * + credentials
+- id: zm-java-cors-wildcard-001
+  severity: MEDIUM
+  message: |
+    CORS origin 为 "*" 且 allowCredentials=true——违反 W3C CORS 规范，
+    浏览器将拒绝该响应，配置无效。改为显式列出受信任 origin。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @CrossOrigin(origins = "*")
+    - pattern: |
+        @CrossOrigin(origins = {"*"})
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information"
+    owasp: "A05:2021 - Security Misconfiguration"
+    precision: very-high
+    tags: [cors, misconfiguration]

package/rules/quarantined/cwe-200/zm-js-cwe200-info-disclosure.yaml

@@ -0,0 +1,96 @@
+# Source: common | Cluster: N/A
+# CWE-200: Node.js 敏感信息泄露检测规则
+# 逐码 ZhuMa V4.1 Sprint 2 — JS/TS 规则库
+# 覆盖: Error stack trace 返回、console.log 含密码、helmet 未配置、res.json(err) 内网信息
+
+rules:
+
+# ZM-JS-INFO-001: 错误处理中直接返回 error stack trace
+- id: zm-js-info-001
+  severity: WARNING
+  message: |
+    检测到HTTP响应中直接返回 error.stack / err (可能未脱敏)。
+    泄露服务器路径/依赖版本等信息。
+    修复: 生产环境返回通用错误 res.send({ error: 'Internal Server Error' })。
+  languages:
+    - javascript
+    - typescript
+  patterns:
+    - pattern-either:
+        - pattern: $RES.send($ERR.stack)
+        - pattern: $RES.json($ERR.stack)
+    - pattern-not: |
+        ...;
+        $RES.send({...});
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+    owasp: "A04:2021 - Insecure Design"
+    category: info-disclosure
+    precision: high
+    references:
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html"
+
+# ZM-JS-INFO-002: console.log 输出敏感信息
+- id: zm-js-info-002
+  severity: WARNING
+  message: |
+    检测到 console.log 可能输出了 password / token / secret 等敏感字段。
+    生产环境日志可能被持久化存储，造成凭据泄露。
+    修复: 使用日志脱敏库(pino.redact)或生产环境禁用 console 输出。
+  languages:
+    - javascript
+    - typescript
+  patterns:
+    - pattern: console.$FUNC(...)
+    - metavariable-regex:
+        metavariable: $FUNC
+        regex: ^(log|error|warn)$
+    - pattern: |
+        console.$FUNC($OBJ.$FIELD, ...)
+    - metavariable-regex:
+        metavariable: $FIELD
+        regex: ^(password|passwd|token|secret|apiKey|api_key|credential|accessKey|access_key|privateKey|private_key)$
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+    owasp: "A04:2021 - Insecure Design"
+    category: info-disclosure
+    precision: high
+    references:
+      - "https://cwe.mitre.org/data/definitions/532.html"
+
+# ZM-JS-INFO-003: Helmet 安全头未配置 / 缺失
+- id: zm-js-info-003
+  severity: WARNING
+  message: |
+    检测到 Express 应用可能未启用 helmet 安全头中间件。
+    缺少安全响应头可能导致信息泄露 (X-Powered-By 暴露技术栈)、
+    点击劫持 (X-Frame-Options)、MIME sniffing 等风险。
+
+    修复:
+    1. app.use(helmet()) — 启用默认安全头
+    2. 至少手动设置:
+       - X-Content-Type-Options: nosniff
+       - X-Frame-Options: DENY
+       - X-XSS-Protection: 0 (已废弃，但保留)
+       - Referrer-Policy: no-referrer
+       - Strict-Transport-Security: max-age=31536000
+       - 移除 X-Powered-By 头: app.disable('x-powered-by')
+    3. helmet.contentSecurityPolicy() 配置CSP防止XSS
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        const express = require('express')
+        ...
+        const app = express()
+      # 检测 express() 调用但无 helmet
+    - pattern: $APP.listen(...)
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+    owasp: "A05:2021 - Security Misconfiguration"
+    category: info-disclosure
+    precision: low
+    references:
+      - "https://helmetjs.github.io/"
+      - "https://expressjs.com/en/advanced/best-practice-security.html"