npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/common/zm-js-cwe345-websocket-security.yaml ADDED Viewed

@@ -0,0 +1,90 @@
+# CWE-345 / CWE-306: WebSocket 安全检测规则
+# 逐码 ZhuMa V4.1 Sprint 3 — JS/TS 规则库
+# 覆盖: ws库、Socket.IO、SockJS 无认证/无Origin验证
+rules:
+# ZM-JS-WS-001: WebSocket服务器未验证Origin头 (跨站WebSocket劫持)
+- id: zm-js-ws-001
+  severity: ERROR
+  message: |
+    检测到 ws WebSocket 服务器可能未验证请求 Origin 头，可能导致跨站WebSocket劫持(CSWSH)。
+    攻击者可从恶意页面建立WebSocket连接，以受害者身份发送消息、窃取数据。
+    CVE-2019-1000002: ws <7.x 未默认验证Origin头。
+    CWE-345: Insufficient Verification of Data Authenticity。
+    修复:
+    1. 服务端验证 origin 头白名单:
+       const wss = new WebSocket.Server({ verifyClient: (info) => allowedOrigins.includes(info.origin) })
+    2. Socket.IO: 配置 cors.origin 白名单，设置 credentials: true + origin 校验
+    3. 使用 CSRF token 或自定义子协议(sub-protocol)进行二次认证
+    4. 生产环境禁止 origin: '*' 通配符
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        new WebSocket.Server({
+          ...
+        })
+    - pattern: |
+        new WebSocketServer({
+          ...
+        })
+    - pattern: http.createServer(...).on('upgrade', ...)
+    - pattern: socketio($SERVER, {...})
+    - pattern: new Server($SERVER, {...})
+  metadata:
+    cwe: "CWE-345: Insufficient Verification of Data Authenticity + CWE-346: Origin Validation Error"
+    owasp: "A01:2021 - Broken Access Control"
+    category: websocket
+    precision: medium
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2019-1000002"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#websocket-security"
+      - "https://christian-schneider.net/CrossSiteWebSocketHijacking.html"
+# ZM-JS-WS-002: WebSocket连接无认证/授权机制
+- id: zm-js-ws-002
+  severity: ERROR
+  message: |
+    检测到 WebSocket 服务器未实现连接级别的认证机制(token/cookie/session校验)。
+    WebSocket 本身不继承 HTTP 的同源策略和 Cookie 自动携带限制，
+    若无认证，任何客户端可连接并使用服务端资源。
+    CWE-306: Missing Authentication for Critical Function。
+    CWE-862: Missing Authorization。
+    修复:
+    1. 连接时验证 token/API Key: 在 upgrade 阶段检查 url query 或自定义 header
+    2. Socket.IO: 使用 auth middleware 在 connection 事件中验证
+       io.use((socket, next) => { const token = socket.handshake.auth.token; ... })
+    3. 使用 JWT/OAuth2 token 对每条消息签名
+    4. 禁止仅依赖客户端 IP 做认证
+    5. 连接后立刻发送 challenge-response 协议
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        io.on('connection', ($SOCKET) => {
+          ...
+        })
+    - pattern: |
+        $WSS.on('connection', ($WS, $REQ) => {
+          ...
+        })
+    - pattern: |
+        $SERVER.on('connection', ($SOCKET) => {
+          ...
+        })
+  metadata:
+    cwe: "CWE-306: Missing Authentication for Critical Function + CWE-862: Missing Authorization"
+    owasp: "A01:2021 - Broken Access Control"
+    category: websocket
+    precision: low
+    references:
+      - "https://socket.io/docs/v4/middlewares/"
+      - "https://cwe.mitre.org/data/definitions/306.html"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html"

package/rules/common/zm-js-cwe501-graphql-injection.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+rules:
+  - id: zm-js-gql-001
+    severity: WARNING
+    message: >-
+      GraphQL未禁用introspection。生产环境应关闭内省查询。
+      修复：Apollo Server设置introspection:false，NODE_ENV=production时强制关闭。
+    languages: [javascript, typescript]
+    patterns:
+      - pattern-either:
+          - pattern: new ApolloServer({...})
+          - pattern: graphqlHTTP({...})
+          - pattern: createYoga({...})
+    metadata:
+      cwe: "CWE-200"
+      confidence: LOW
+      likelihood: MEDIUM
+      impact: MEDIUM
+      owasp: "A05:2021"
+      category: graphql
+      cve: "CVE-2020-15084"
+  - id: zm-js-gql-002
+    severity: ERROR
+    message: >-
+      GraphQL resolver中拼接args参数到knex.raw/ORM查询。
+      修复：resolver内使用参数化查询，安装graphql-depth-limit。
+    languages: [javascript, typescript]
+    patterns:
+      - pattern-regex: 'knex\.raw\('
+    metadata:
+      cwe: "CWE-89"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      owasp: "A03:2021"
+      category: graphql
+      cve: "CVE-2023-22474"
+  - id: zm-js-gql-003
+    severity: WARNING
+    message: >-
+      GraphQL未配置查询深度/复杂度限制，可能导致DoS。
+      修复：使用graphql-depth-limit，设置maxDepth=5。
+    languages: [javascript, typescript]
+    patterns:
+      - pattern: new ApolloServer({...})
+    metadata:
+      cwe: "CWE-770"
+      confidence: LOW
+      likelihood: MEDIUM
+      impact: MEDIUM
+      owasp: "A05:2021"
+      category: graphql
+      cve: "CVE-2019-1000019"

package/rules/common/zm-js-cwe502-deserialization-extended.yaml ADDED Viewed

@@ -0,0 +1,107 @@
+# CWE-502: Node.js 不安全反序列化深度检测 (扩展)
+# 逐码 ZhuMa V4.1 Sprint 3 — JS/TS 规则库
+# 覆盖: node-serialize、cryo、serialize-to-js、sexpression 等已知危险库
+rules:
+# ZM-JS-DSER2-001: node-serialize / cryo / funcster 危险反序列化
+- id: zm-js-dser2-001
+  severity: ERROR
+  message: |
+    检测到使用 node-serialize.unserialize() / cryo.parse() / funcster.deepDeserialize()
+    等已知危险的反序列化库。这些库支持函数/代码对象序列化，攻击者可构造恶意对象
+    实现远程代码执行(RCE)。
+    CVE-2017-5941: node-serialize 0.0.4 RCE via IIFE injection。
+    CVE-2020-28269: cryo 代码执行 via __proto__ pollution。
+    CVE-2022-25883: semver ReDoS + node-serialize组合攻击链。
+    修复:
+    1. 禁止使用 node-serialize、cryo、funcster、serialize-to-js 等危险库
+    2. 替换为安全的序列化方案:
+       - JSON.parse / JSON.stringify (仅数据，不含函数)
+       - superjson (支持 Date/Map/Set，不含代码)
+       - v8.serialize / v8.deserialize (Node.js 原生，仅 Node 内使用)
+    3. 如必须使用复杂序列化，实施完整性校验(HMAC签名 + 过期检查)
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: nodeSerialize.unserialize($INPUT, ...)
+    - pattern: $NS.unserialize($INPUT, ...)
+    - pattern: cryo.parse($INPUT, ...)
+    - pattern: cryo.parse(...)
+    - pattern: funcster.deserialize($INPUT, ...)
+    - pattern: funcster.deepDeserialize($INPUT, ...)
+    - pattern: serializeToJs.deserialize($INPUT, ...)
+    - pattern: $SEXPR.parse($INPUT, ...)
+    - pattern: require('node-serialize')
+    - pattern: require('cryo')
+    - pattern: require('funcster')
+    - pattern: require('serialize-to-js')
+  metavariable-regex:
+    - metavariable: $NS
+      regex: '(?i)(nodeSerialize|node_serialize|cryo|funcster|serialize|unserialize|deser)'
+    - metavariable: $SEXPR
+      regex: '(?i)(sexpr|sexpression|sexp|serialized|deserial)'
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    category: deserialization
+    precision: high
+    confidence: high
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2017-5941"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-28269"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-25883"
+      - "https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-attack-for-remote-code-execution/"
+# ZM-JS-DSER2-002: eval/new Function 反序列化调用链
+- id: zm-js-dser2-002
+  severity: ERROR
+  message: |
+    检测到 eval() 或 new Function() 直接接受来自 JSON.parse / req.body / 外部输入，
+    构成危险的反序列化→代码执行链。
+    某些框架/业务逻辑中，开发者将序列化的函数体存储在数据库中，反序列化后
+    通过 eval/Function constructor 执行，这等价于远程代码执行。
+    CVE-2019-10744: lodash.defaultsDeep 原型污染 + 代码执行。
+    CVE-2020-8203: lodash zipObjectDeep 原型污染导致代码执行。
+    CWE-95: Code Injection。
+    修复:
+    1. 永远不要对用户输入执行 eval / new Function
+    2. 若必须动态执行代码表达式，使用沙箱:
+       - vm2 (已废弃，不推荐)
+       - isolated-vm (V8隔离环境)
+       - WebAssembly 沙箱
+    3. 使用 JSON Path 表达式解析库替代自定义 eval
+    4. 在代码审查中标记所有 eval/new Function 并确保非用户输入
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: eval(JSON.parse($INPUT, ...))
+    - pattern: new Function(JSON.parse($INPUT, ...))
+    - pattern: new Function('return ' + JSON.parse($INPUT, ...))
+    - pattern: $FN = new Function($JSON.parse(...))
+    - pattern: eval($JSON.parse($REQ.body.$FIELD))
+    - pattern: eval($JSON.parse($REQ.query.$FIELD))
+    - pattern: new Function($JSON.parse($REQ.body.$FIELD))
+    - pattern: new Function($JSON.parse($REQ.query.$FIELD))
+  metavariable-regex:
+    - metavariable: $REQ
+      regex: '(?i)(req|request|ctx|context)'
+    - metavariable: $FIELD
+      regex: '(?i)(code|script|func|fn|body|data|input|payload|template|formula|expr)'
+  metadata:
+    cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
+    owasp: "A03:2021 - Injection"
+    category: deserialization
+    precision: high
+    confidence: high
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2019-10744"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203"
+      - "https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data"

package/rules/common/zm-js-cwe506-npm-supply-chain.yaml ADDED Viewed

@@ -0,0 +1,19 @@
+rules:
+  - id: zm-js-scm-001
+    severity: ERROR
+    message: >-
+      package.json包含preinstall/postinstall脚本，可能用于供应链攻击。
+      审计所有安装脚本，CVE-2022-0235。
+    languages: [json]
+    paths:
+      include: ["package.json"]
+    patterns:
+      - pattern-regex: '"(preinstall|postinstall|preuninstall|postuninstall)"\s*:'
+    metadata:
+      cwe: "CWE-506"
+      confidence: LOW
+      likelihood: LOW
+      impact: HIGH
+      owasp: "A06:2021"
+      category: supply-chain
+      cve: "CVE-2022-0235"

package/rules/common/zm-js-cwe79-electron-security.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+rules:
+  - id: zm-js-electron-001
+    severity: ERROR
+    message: >-
+      Electron BrowserWindow启用nodeIntegration或nodeIntegrationInWorker。
+      CVE-2019-5786。修复：nodeIntegration:false，preload脚本隔离。
+    languages: [javascript, typescript]
+    patterns:
+      - pattern: |
+          nodeIntegration: true
+    metadata:
+      cwe: "CWE-749"
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: HIGH
+      owasp: "A05:2021"
+      category: electron
+      cve: "CVE-2019-5786"
+  - id: zm-js-electron-002
+    severity: ERROR
+    message: >-
+      Electron webview标签未限制allowpopups/allowpopups或启用preload。
+      CVE-2022-21718。修复：限制webview权限，设置allowpopups:false。
+    languages: [javascript, typescript]
+    patterns:
+      - pattern: |
+          webviewTag: true
+    metadata:
+      cwe: "CWE-269"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      owasp: "A05:2021"
+      category: electron
+      cve: "CVE-2022-21718"

package/rules/common/zm-js-cwe79-react-xss-deep.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+rules:
+  - id: zm-js-react-xss-001
+    severity: ERROR
+    message: >-
+      React dangerouslySetInnerHTML直接使用未净化输入造成XSS。
+      CVE-2022-31178。修复：使用DOMPurify.sanitize()清理HTML。
+    languages: [javascript, typescript]
+    patterns:
+      - pattern: |
+          dangerouslySetInnerHTML: { __html: $X }
+    metadata:
+      cwe: "CWE-79"
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: MEDIUM
+      owasp: "A03:2021"
+      category: react
+      cve: "CVE-2022-31178"
+  - id: zm-js-react-xss-002
+    severity: WARNING
+    message: >-
+      React href使用javascript:伪协议可导致XSS。CVE-2023-32784。
+      修复：使用isSafeUrl()白名单过滤。
+    languages: [javascript, typescript]
+    patterns:
+      - pattern-regex: 'href\s*[:=]\s*["\x60]javascript:'
+    metadata:
+      cwe: "CWE-79"
+      confidence: HIGH
+      likelihood: LOW
+      impact: MEDIUM
+      owasp: "A03:2021"
+      category: react
+      cve: "CVE-2023-32784"

package/rules/common/zm-js-cwe89-prisma-typeorm.yaml ADDED Viewed

@@ -0,0 +1,139 @@
+# CWE-89 / CWE-943: Prisma / TypeORM 不安全查询检测
+# 逐码 ZhuMa V4.1 Sprint 3 — JS/TS 规则库
+# 覆盖: Prisma $queryRaw/$executeRaw、TypeORM query/manager.query
+rules:
+# ZM-JS-ORM-001: Prisma $queryRaw / $executeRaw 拼接用户输入
+- id: zm-js-orm-001
+  severity: ERROR
+  message: |
+    检测到 Prisma Client 的 $queryRaw / $executeRaw 使用了字符串拼接或模板字符串构造
+    SQL查询。这些方法执行原始SQL，未使用参数化查询会造成SQL注入。
+    CVE-2023-22899: Prisma $queryRaw 若用模板字符串拼接仍存在注入。
+    Prisma 官方推荐模板字符串变量方式: prisma.$queryRaw`SELECT * FROM users WHERE id = ${id}`,
+    但仅安全当使用 Prisma 官方 tagged template 传递变量——使用普通模板字符串拼接仍不安全。
+    修复:
+    1. 使用 tagged template: prisma.$queryRaw`SELECT * FROM users WHERE id = ${id}`
+    2. 使用 Prisma Client API 替代 raw query: prisma.user.findUnique({ where: { id } })
+    3. 如必须用 raw, 确保用 Prisma 参数化: $queryRaw(sql`SELECT ...`, ...args)
+    4. 严禁字符串拼接: $queryRaw('SELECT ... ' + userInput)
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $PRISMA.$queryRaw('SELECT' + $INPUT, ...)
+    - pattern: $PRISMA.$queryRaw('INSERT' + $INPUT, ...)
+    - pattern: $PRISMA.$queryRaw('UPDATE' + $INPUT, ...)
+    - pattern: $PRISMA.$queryRaw('DELETE' + $INPUT, ...)
+    - pattern: $PRISMA.$executeRaw('SELECT' + $INPUT, ...)
+    - pattern: $PRISMA.$executeRaw('INSERT' + $INPUT, ...)
+    - pattern: $PRISMA.$executeRaw('UPDATE' + $INPUT, ...)
+    - pattern: $PRISMA.$executeRaw('DELETE' + $INPUT, ...)
+    - pattern: $PRISMA.$queryRaw($QUERY + $INPUT, ...)
+    - pattern: $PRISMA.$executeRaw($QUERY + $INPUT, ...)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    owasp: "A03:2021 - Injection"
+    category: orm
+    precision: high
+    confidence: high
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-22899"
+      - "https://www.prisma.io/docs/orm/prisma-client/using-raw-sql/raw-queries"
+      - "https://www.prisma.io/blog/sql-injection-attack-with-raw-queries-in-prisma-client-2nd9lrr5hf"
+# ZM-JS-ORM-002: TypeORM query / manager.query 拼接
+- id: zm-js-orm-002
+  severity: ERROR
+  message: |
+    检测到 TypeORM 的 EntityManager.query() / DataSource.query() 或 Repository.query()
+    使用了字符串拼接构造SQL查询。TypeORM 的 query() 方法直接执行原始SQL字符串，
+    拼接方式会导致SQL注入。
+    CWE-89: SQL Injection。
+    TypeORM 推荐: repository.find({ where: { name } }) 或使用 QueryBuilder。
+    修复:
+    1. 使用 QueryBuilder: repository.createQueryBuilder('user').where('user.name = :name', { name })
+    2. 使用参数化: manager.query('SELECT * FROM users WHERE id = $1', [id])
+    3. 使用 repository.find / findOne / save API 代替 raw query
+    4. 如必须 raw query，使用命名参数: { replacements: { id: userId } }
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $MGR.query('SELECT' + $INPUT, ...)
+    - pattern: $MGR.query('INSERT' + $INPUT, ...)
+    - pattern: $MGR.query('UPDATE' + $INPUT, ...)
+    - pattern: $MGR.query('DELETE' + $INPUT, ...)
+    - pattern: $DS.query('SELECT' + $INPUT, ...)
+    - pattern: $DS.query('INSERT' + $INPUT, ...)
+    - pattern: $DS.query('UPDATE' + $INPUT, ...)
+    - pattern: $DS.query('DELETE' + $INPUT, ...)
+    - pattern: $REPO.query('SELECT' + $INPUT, ...)
+    - pattern: $REPO.query('INSERT' + $INPUT, ...)
+    - pattern: $REPO.query('UPDATE' + $INPUT, ...)
+    - pattern: $REPO.query('DELETE' + $INPUT, ...)
+    - pattern: $MGR.query(`SELECT ... ${$INPUT}`, ...)
+    - pattern: $DS.query(`SELECT ... ${$INPUT}`, ...)
+    - pattern: $REPO.query(`SELECT ... ${$INPUT}`, ...)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    owasp: "A03:2021 - Injection"
+    category: orm
+    precision: high
+    confidence: high
+    references:
+      - "https://typeorm.io/entity-manager-api#query"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"
+# ZM-JS-ORM-003: ORM find 操作中使用动态操作符注入
+- id: zm-js-orm-003
+  severity: WARNING
+  message: |
+    检测到 Mongoose/MongoDB find / TypeORM find 操作中将 req.body / req.query
+    对象整体传入作为查询条件，攻击者可注入 MongoDB $where / $eq / $regex / $ne
+    或 TypeORM findOptionsWhere 覆盖查询逻辑。
+    CVE-2020-7774: y18n 原型污染 + MongoDB $where RCE。
+    CVE-2023-26155: node-qpdf NoSQL 注入组合。
+    CWE-943: Improper Neutralization of Special Elements in Data Query Logic。
+    修复:
+    1. Mongoose: 使用 mongo-sanitize 库过滤 $ 操作符:
+       const clean = sanitize(req.body); Model.find(clean)
+    2. TypeORM: 使用 FindOptionsWhere 显式指字段:
+       { where: { id: Equal(req.params.id) } }
+    3. 使用 allowlist: 仅提取预期字段，不将整个 req.body/query 传给 ORM
+    4. 使用 express-mongo-sanitize 中间件全局过滤
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $MODEL.find($REQ.body, ...)
+    - pattern: $MODEL.find($REQ.query, ...)
+    - pattern: $MODEL.findOne($REQ.body, ...)
+    - pattern: $MODEL.findOne($REQ.query, ...)
+    - pattern: $MODEL.find({...$REQ.body}, ...)
+    - pattern: $MODEL.findByIdAndUpdate($_, $REQ.body, ...)
+    - pattern: $MODEL.findOneAndUpdate($_, $REQ.body, ...)
+    - pattern: "$REPO.find({ where: $REQ.body })"
+    - pattern: "$REPO.findOne({ where: $REQ.body })"
+    - pattern: "$REPO.find({ where: $REQ.query })"
+    - pattern: "$REPO.findOne({ where: $REQ.query })"
+    - pattern: $MODEL.deleteMany($REQ.body, ...)
+    - pattern: $MODEL.deleteMany($REQ.query, ...)
+  metadata:
+    cwe: "CWE-943: Improper Neutralization of Special Elements in Data Query Logic"
+    owasp: "A03:2021 - Injection"
+    category: orm
+    precision: medium
+    confidence: medium
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-7774"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-26155"
+      - "https://www.npmjs.com/package/express-mongo-sanitize"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/NoSQL_Injection_Prevention_Cheat_Sheet.html"

package/rules/common/zm-py-aiohttp-cwe295-cwe770-01.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+# CWE-918/CWE-300: asyncio/aiohttp 不安全用法检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: aiohttp 不安全会话配置 / asyncio.create_task 异常丢失 / aiohttp 无超时
+rules:
+# ZM-PY-AIOHTTP-01: aiohttp.ClientSession 禁用 SSL 验证
+- id: zm-py-aiohttp-ssl-verify-001
+  severity: ERROR
+  message: |
+    检测到 aiohttp.ClientSession 创建时设置 verify_ssl=False 禁用 SSL 证书验证。
+    禁用证书验证后中间人攻击（MITM）可截获和篡改通信内容。
+    参考: CVE-2024-30251 aiohttp 请求走私结合证书验证绕过风险。
+    修复: 移除 verify_ssl=False；生产环境必须启用 SSL 证书验证。
+  languages:
+    - python
+  pattern-either:
+    - pattern: aiohttp.ClientSession(verify_ssl=False)
+    - pattern: aiohttp.ClientSession(..., verify_ssl=False, ...)
+    - pattern: aiohttp.TCPConnector(verify_ssl=False)
+    - pattern: aiohttp.TCPConnector(..., verify_ssl=False)
+  metadata:
+    cwe: "CWE-295: Improper Certificate Validation; CWE-300: Channel Accessible by Non-Endpoint"
+    severity: ERROR
+    precision: very-high
+    category: aiohttp-security
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+    cve: "CVE-2024-30251"
+# ZM-PY-AIOHTTP-02: aiohttp 请求无超时限制
+- id: zm-py-aiohttp-timeout-001
+  severity: WARNING
+  message: |
+    检测到 aiohttp 请求未设置 timeout 超时限制。
+    攻击者可利用慢速响应导致协程无限挂起耗尽连接池，引发拒绝服务（DoS）。
+    修复: 使用 aiohttp.ClientTimeout(total=30) 设置总超时；
+    或 ClientSession.get(url, timeout=aiohttp.ClientTimeout(total=30))。
+  languages:
+    - python
+  patterns:
+    - pattern: $SESSION.get($URL)
+    - pattern: $SESSION.post($URL)
+    - pattern: $SESSION.request($METHOD, $URL)
+    - pattern: aiohttp.ClientSession().get($URL)
+    - pattern-not: $SESSION.get($URL, timeout=...)
+    - pattern-not: $SESSION.post($URL, timeout=...)
+    - pattern-not: $SESSION.request($METHOD, $URL, timeout=...)
+    - metavariable-regex:
+        metavariable: $SESSION
+        regex: ^(session|client|http_client|async_client)$
+  metadata:
+    cwe: "CWE-770: Allocation of Resources Without Limits or Throttling"
+    severity: WARNING
+    precision: medium
+    category: aiohttp-security
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A04:2021 - Insecure Design"

package/rules/common/zm-py-crypto-cwe327-01.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+# CWE-327: Python 加密弱点深度检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: PyCryptodome ECB 模式 / 静态 IV / hashlib 弱哈希 (md4/ripemd160)
+rules:
+# ZM-PY-CRYPTO-WEAK-01: PyCryptodome 使用静态/固定 IV
+- id: zm-py-crypto-static-iv-001
+  severity: ERROR
+  message: |
+    检测到 AES/CBC 加密使用硬编码/静态 IV（初始化向量）。
+    静态 IV 使相同明文产生相同密文，攻击者可通过模式分析推断明文内容，
+    或通过已知密文反推后续加密数据。
+    参考: CVE-2023-32784 — 静态 IV 导致加密可预测攻击。
+    修复: 每次加密使用 secrets.token_bytes(16) 生成随机 IV 并与密文一起存储。
+  languages:
+    - python
+  patterns:
+    - pattern: $CIPHER.new($KEY, $MODE, iv=b"$IV")
+    - pattern: $CIPHER.new($KEY, $MODE, iv="$IV")
+    - pattern: $CIPHER.new($KEY, $MODE, $IV_CONST)
+    - metavariable-regex:
+        metavariable: $MODE
+        regex: ^.*(MODE_CBC|MODE_CFB|MODE_OFB|MODE_OPENPGP).*$
+  metadata:
+    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm; CWE-330: Use of Insufficiently Random Values"
+    severity: ERROR
+    precision: high
+    category: weak-crypto
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+    cve: "CVE-2023-32784"

package/rules/common/zm-py-deser-cwe502-01.yaml ADDED Viewed

@@ -0,0 +1,66 @@
+# CWE-502: Python 反序列化深度检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: yaml.load() 无安全限制 / ruamel.yaml.load 不安全 / marshal.loads 反序列化
+rules:
+# ZM-PY-DESER-01: yaml.load() 使用默认 Loader（非 safe_load）处理用户输入
+- id: zm-py-yaml-unsafe-load-001
+  severity: ERROR
+  message: |
+    检测到 yaml.load() 未指定 Loader 或使用默认 Loader 且数据来自 HTTP 请求。
+    PyYAML 默认 yaml.load() 使用 Loader=yaml.Loader，可构造 !!python/object/apply
+    实现任意代码执行（RCE）如 CVE-2020-14343 中 PyYAML FullLoader RCE。
+    修复: 使用 yaml.safe_load() 替代 yaml.load()；仅允许标准 YAML 类型。
+  languages:
+    - python
+  pattern-either:
+    - pattern: yaml.load(request.args.get(...))
+    - pattern: yaml.load(request.form.get(...))
+    - pattern: yaml.load(request.values.get(...))
+    - pattern: yaml.load(request.data)
+    - pattern: yaml.load(request.args.get(...), Loader=yaml.Loader)
+    - pattern: yaml.load(request.form.get(...), Loader=yaml.Loader)
+    - pattern: yaml.load(request.data, Loader=yaml.Loader)
+    - pattern: yaml.load(request.args.get(...), yaml.Loader)
+    - pattern: yaml.load(request.form.get(...), yaml.Loader)
+    - pattern: yaml.load(request.data, yaml.Loader)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: deserialization
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    cve: "CVE-2020-14343"
+# ZM-PY-DESER-02: marshal.loads / marshal.load 反序列化用户输入
+- id: zm-py-marshal-deser-001
+  severity: ERROR
+  message: |
+    检测到 marshal.loads() / marshal.load() 参数来自 HTTP 请求。
+    marshal 模块用于 Python 内部序列化（.pyc 文件），反序列化用户可控数据
+    可导致任意代码执行（类似 pickle RCE），参考 CVE-2022-48564 marshal 类型混淆。
+    修复: 禁止反序列化用户输入；使用 JSON/msgpack 等安全格式替代 marshal。
+  languages:
+    - python
+  pattern-either:
+    - pattern: marshal.loads(request.args.get(...))
+    - pattern: marshal.loads(request.form.get(...))
+    - pattern: marshal.loads(request.values.get(...))
+    - pattern: marshal.loads(request.data)
+    - pattern: marshal.load(request.args.get(...))
+    - pattern: marshal.load(request.form.get(...))
+    - pattern: marshal.load(request.data)
+    - pattern: marshal.loads(request.get_data())
+    - pattern: marshal.load(request.get_data())
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    cve: "CVE-2022-48564"