@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

package/rules/common/zm-py-django-cwe200-cwe798-cwe352-01.yaml

@@ -0,0 +1,80 @@
+# CWE-200/CWE-798: Django 安全配置检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: DEBUG=True 泄露 / SECRET_KEY 硬编码 / CSRF 豁免 / XFrame 缺失
+
+rules:
+
+# ZM-PY-DJANGO-01: Django DEBUG=True 生产环境泄露
+- id: zm-py-django-debug-001
+  severity: ERROR
+  message: |
+    检测到 Django settings.py 中 DEBUG = True 且未受环境变量控制。
+    生产环境开启 DEBUG 会泄露详细错误堆栈、数据库查询、配置变量等敏感信息。
+    攻击者可通过触发异常获取 Settings 配置、数据库结构乃至核心密钥，参考 CVE-2024-38828。
+    修复: 设置 DEBUG = os.environ.get("DJANGO_DEBUG", "False").lower() == "true" 通过环境变量控制。
+  languages:
+    - python
+  patterns:
+    - pattern: DEBUG = True
+    - pattern-not: DEBUG = os.environ.get(...)
+    - pattern-not: DEBUG = os.getenv(...)
+    - pattern-not: DEBUG = bool(...)
+    - pattern-not: DEBUG = env(...)
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+    severity: ERROR
+    precision: very-high
+    category: django-security
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A05:2021 - Security Misconfiguration"
+    cve: "CVE-2024-38828"
+
+# ZM-PY-DJANGO-02: Django SECRET_KEY 硬编码
+- id: zm-py-django-secret-key-001
+  severity: ERROR
+  message: |
+    检测到 Django settings.py 中 SECRET_KEY 硬编码为明文字符串。
+    SECRET_KEY 用于签名 Session/Cookie/CSRF Token 和加密密码重置链接，
+    泄露后攻击者可伪造 Session 以任意用户身份登录、绕过 CSRF 保护。
+    参考: 2023年Django官方安全建议 - 密钥管理最佳实践。
+    修复: 使用 os.environ.get("DJANGO_SECRET_KEY") 从环境变量读取密钥。
+  languages:
+    - python
+  patterns:
+    - pattern: $SECRET_KEY = "..."
+    - metavariable-regex:
+        metavariable: $SECRET_KEY
+        regex: ^(SECRET_KEY)$
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: very-high
+    category: django-security
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+
+# ZM-PY-DJANGO-03: Django csrf_exempt 全局豁免 CSRF 保护
+- id: zm-py-django-csrf-exempt-001
+  severity: ERROR
+  message: |
+    检测到 Django 视图使用 @csrf_exempt 装饰器豁免 CSRF 保护。
+    豁免 CSRF 后攻击者可构造恶意表单或 AJAX 请求以用户身份执行敏感操作
+    （如修改密码、转账、删除账户），参考 CVE-2021-3515 跨站请求伪造风险。
+    修复: 移除 @csrf_exempt；使用 CSRF Token 保护所有状态变更请求（POST/PUT/DELETE）。
+  languages:
+    - python
+  pattern-either:
+    - pattern: '@csrf_exempt'
+    - pattern: '@django.views.decorators.csrf.csrf_exempt'
+    - pattern: from django.views.decorators.csrf import csrf_exempt
+  metadata:
+    cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
+    severity: ERROR
+    precision: very-high
+    category: django-security
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+    cve: "CVE-2021-3515"

package/rules/common/zm-py-fastapi-cwe265-cwe284-01.yaml

@@ -0,0 +1,48 @@
+rules:
+  - id: zm-py-fastapi-dep-bypass-001
+    severity: ERROR
+    message: >-
+      FastAPI Depends依赖注入绕过——在handler内手动实例化服务类而非通过Depends()。
+      CVE-2022-24065。修复：始终通过Depends()注入依赖。
+    languages: [python]
+    patterns:
+      - pattern: $X = $Y()
+    metadata:
+      cwe: "CWE-284"
+      confidence: LOW
+      likelihood: MEDIUM
+      impact: HIGH
+      owasp: "A01:2021"
+      category: fastapi
+      cve: "CVE-2022-24065"
+  - id: zm-py-fastapi-cors-001
+    severity: WARNING
+    message: >-
+      FastAPI CORS中间件允许所有源(allow_origins=["*"])。
+      修复：限制为可信域名白名单。
+    languages: [python]
+    patterns:
+      - pattern-regex: 'CORSMiddleware'
+      - pattern-regex: '\"\*\"'
+    metadata:
+      cwe: "CWE-942"
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: MEDIUM
+      owasp: "A01:2021"
+      category: fastapi
+  - id: zm-py-fastapi-openapi-001
+    severity: WARNING
+    message: >-
+      FastAPI OpenAPI文档在生产环境暴露。攻击者可通过/docs或/redoc探测API。
+      修复：生产环境设置docs_url=None, redoc_url=None。
+    languages: [python]
+    patterns:
+      - pattern-regex: 'FastAPI\('
+    metadata:
+      cwe: "CWE-200"
+      confidence: LOW
+      likelihood: LOW
+      impact: LOW
+      owasp: "A05:2021"
+      category: fastapi

package/rules/common/zm-py-flask-cwe200-cwe326-01.yaml

@@ -0,0 +1,57 @@
+# CWE-200/CWE-326: Flask 安全配置检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: Flask debug=True 生产环境 / session secret_key 弱密钥
+
+rules:
+
+# ZM-PY-FLASK-01: Flask debug=True 生产环境泄露
+- id: zm-py-flask-debug-001
+  severity: ERROR
+  message: |
+    检测到 Flask app.run(debug=True) 在生产环境中开启调试模式。
+    调试模式会激活 Werkzeug Debugger 允许在浏览器中执行任意 Python 代码（RCE），
+    攻击者可通过触发异常获取交互式 Shell，参考 CVE-2024-56201 Werkzeug Debugger RCE。
+    修复: 生产环境使用 Gunicorn/uWSGI 部署；禁用 debug=True 并通过环境变量控制。
+  languages:
+    - python
+  pattern-either:
+    - pattern: app.run(debug=True)
+    - pattern: $APP.run(..., debug=True, ...)
+    - pattern: $APP.run(debug=True, ...)
+    - pattern: $APP.debug = True
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-489: Active Debug Code"
+    severity: ERROR
+    precision: very-high
+    category: flask-security
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A05:2021 - Security Misconfiguration"
+    cve: "CVE-2024-56201"
+
+# ZM-PY-FLASK-02: Flask SECRET_KEY 使用弱密钥/默认值
+- id: zm-py-flask-secret-key-weak-001
+  severity: ERROR
+  message: |
+    检测到 Flask SECRET_KEY 使用弱密钥（"secret" / "dev" / "test" / "changeme"）或默认值。
+    Flask Session 使用 SECRET_KEY 签名，弱密钥可被暴力破解后伪造 Session 任意登录。
+    参考: 2023年大规模 Flask 应用 Session 伪造攻击事件 — 弱密钥导致认证绕过。
+    修复: 使用 secrets.token_hex(32) 生成强随机密钥并通过环境变量注入。
+  languages:
+    - python
+  patterns:
+    - pattern: $APP.secret_key = $KEY
+    - metavariable-regex:
+        metavariable: $KEY
+        regex: ^(("secret")|("dev")|("test")|("changeme")|("password")|("default")|("flask")|("my-secret")|("secret-key")|("super-secret")|("development")|("change-me"))$
+    - metavariable-regex:
+        metavariable: $APP
+        regex: ^(app|application|webapp)$
+  metadata:
+    cwe: "CWE-326: Inadequate Encryption Strength; CWE-521: Weak Password Requirements"
+    severity: ERROR
+    precision: very-high
+    category: flask-security
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A02:2021 - Cryptographic Failures"

package/rules/common/zm-py-sqlalchemy-cwe89-01.yaml

@@ -0,0 +1,65 @@
+# CWE-89: SQLAlchemy 不安全查询检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: SQLAlchemy text() 字符串拼接 / execute() 参数化缺失 / raw SQL + f-string
+
+rules:
+
+# ZM-PY-SQLALCHEMY-01: SQLAlchemy text() SQL 字符串拼接用户输入
+- id: zm-py-sqlalchemy-sqli-001
+  severity: ERROR
+  message: |
+    检测到 SQLAlchemy text()/execute() 中使用 %/.format()/f-string 拼接用户输入。
+    ORM 的 raw SQL 接口绕过参数绑定直接拼接字符串，攻击者可注入任意 SQL。
+    参考: CVE-2024-27516 — SQLAlchemy 应用中因 raw SQL 拼接导致 SQLi。
+    修复: 使用 text("SELECT ... WHERE id=:id").bindparams(id=user_input) 参数绑定；
+    或使用 ORM 查询 API: session.query(Model).filter(Model.id == user_input)。
+  languages:
+    - python
+  pattern-either:
+    - pattern: $S.execute(text("..." % request.args.get(...)))
+    - pattern: $S.execute(text("..." % request.form.get(...)))
+    - pattern: $S.execute(text("...".format(request.args.get(...))))
+    - pattern: $S.execute(text("...".format(request.form.get(...))))
+    - pattern: $S.execute(text("..." + request.args.get(...)))
+    - pattern: $S.execute(text("..." + request.form.get(...)))
+    - pattern: $S.execute(text(f"...{request.args.get(...)}..."))
+    - pattern: $S.execute(text(f"...{request.form.get(...)}..."))
+    - pattern: $S.execute("..." % request.args.get(...))
+    - pattern: $S.execute("..." % request.form.get(...))
+    - pattern: $S.execute("...".format(request.args.get(...)))
+    - pattern: $S.execute("...".format(request.form.get(...)))
+    - pattern: $S.execute(f"...{request.args.get(...)}...")
+    - pattern: $S.execute(f"...{request.form.get(...)}...")
+    - pattern: $S.execute("..." + request.args.get(...))
+    - pattern: $S.execute("..." + request.form.get(...))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: ERROR
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    cve: "CVE-2024-27516"
+
+# ZM-PY-SQLALCHEMY-02: SQLAlchemy text() 使用 f-string 构建查询（无用户输入直接标记）
+- id: zm-py-sqlalchemy-sqli-002
+  severity: WARNING
+  message: |
+    检测到 SQLAlchemy text() 使用 f-string 构建 SQL 查询。
+    即使 f-string 参数当前来自内部变量，后续代码变更可能引入用户输入导致 SQLi。
+    参考: 2024年SQLAlchemy官方安全建议 — 始终使用参数化查询。
+    修复: 改用 text() 的 bindparams() 参数绑定机制；或使用 ORM Query Builder。
+  languages:
+    - python
+  patterns:
+    - pattern: text(f"...")
+    - pattern: $S.execute(f"...")
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: WARNING
+    precision: medium
+    category: sql-injection
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"

package/rules/community-merged/cwe-1004/authtkt-cookie-httponly-unsafe-default.yaml

@@ -0,0 +1,38 @@
+# Source: semgrep-community | Cluster: python-1004
+rules:
+- id: pyramid-authtkt-cookie-httponly-unsafe-default
+  patterns:
+      - pattern: pyramid.authentication.$FUNC($...PARAMS)
+      - metavariable-pattern:
+          metavariable: $FUNC
+          pattern-either:
+            - pattern: AuthTktCookieHelper
+            - pattern: AuthTktAuthenticationPolicy
+      - pattern-not: pyramid.authentication.$FUNC(..., httponly=$HTTPONLY, ...)
+      - pattern-not: pyramid.authentication.$FUNC(..., **$PARAMS, ...)
+      - focus-metavariable: $...PARAMS
+  fix: |
+    $...PARAMS, httponly=True
+  message: >-
+    Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid
+    cookies should be handled securely by setting httponly=True.
+    If this parameter is not properly set, your cookies are not properly protected and
+    are at risk of being stolen by an attacker.
+  metadata:
+    cwe:
+    - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
+    owasp:
+    - A05:2021 - Security Misconfiguration
+    - A02:2025 - Security Misconfiguration
+    category: security
+    technology:
+    - pyramid
+    references:
+    - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+    subcategory:
+    - vuln
+    likelihood: LOW
+    impact: LOW
+    confidence: MEDIUM
+  languages: [python]
+  severity: WARNING

package/rules/community-merged/cwe-1004/authtkt-cookie-httponly-unsafe-value.yaml

@@ -0,0 +1,41 @@
+# Source: semgrep-community | Cluster: python-1004
+rules:
+- id: pyramid-authtkt-cookie-httponly-unsafe-value
+  patterns:
+  - pattern-either:
+    - patterns:
+      - pattern-not: pyramid.authentication.AuthTktCookieHelper(..., **$PARAMS)
+      - pattern: pyramid.authentication.AuthTktCookieHelper(..., httponly=$HTTPONLY, ...)
+    - patterns:
+      - pattern-not: pyramid.authentication.AuthTktAuthenticationPolicy(..., **$PARAMS)
+      - pattern: pyramid.authentication.AuthTktAuthenticationPolicy(..., httponly=$HTTPONLY, ...)
+  - pattern: $HTTPONLY
+  - metavariable-pattern:
+      metavariable: $HTTPONLY
+      pattern: |
+        False
+  fix: |
+    True
+  message: >-
+    Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid
+    cookies should be handled securely by setting httponly=True.
+    If this parameter is not properly set, your cookies are not properly protected and
+    are at risk of being stolen by an attacker.
+  metadata:
+    cwe:
+    - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
+    owasp:
+    - A05:2021 - Security Misconfiguration
+    - A02:2025 - Security Misconfiguration
+    category: security
+    technology:
+    - pyramid
+    references:
+    - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+    subcategory:
+    - vuln
+    likelihood: LOW
+    impact: LOW
+    confidence: MEDIUM
+  languages: [python]
+  severity: WARNING

package/rules/community-merged/cwe-1004/cookie-missing-httponly.yaml

@@ -0,0 +1,42 @@
+# Source: semgrep-community | Cluster: go-1004
+rules:
+- id: cookie-missing-httponly
+  patterns:
+  - pattern-not-inside: |
+      http.Cookie{
+        ...,
+        HttpOnly: true,
+        ...,
+      }
+  - pattern: |
+      http.Cookie{
+        ...,
+      }
+  message: >-
+    A session cookie was detected without setting the 'HttpOnly' flag.
+    The 'HttpOnly' flag for cookies instructs the browser to forbid
+    client-side scripts from reading the cookie which mitigates XSS
+    attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true'
+    in the Cookie.
+  metadata:
+    cwe:
+    - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
+    owasp:
+    - A05:2021 - Security Misconfiguration
+    - A02:2025 - Security Misconfiguration
+    references:
+    - https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go
+    - https://golang.org/src/net/http/cookie.go
+    category: security
+    technology:
+    - go
+    confidence: MEDIUM
+    subcategory:
+    - vuln
+    likelihood: LOW
+    impact: LOW
+  fix-regex:
+    regex: (HttpOnly\s*:\s+)false
+    replacement: \1true
+  severity: WARNING
+  languages: [go]

package/rules/community-merged/cwe-1004/session-cookie-missing-httponly.yaml

@@ -0,0 +1,41 @@
+# Source: semgrep-community | Cluster: go-1004
+rules:
+- id: session-cookie-missing-httponly
+  patterns:
+  - pattern-not-inside: |
+      &sessions.Options{
+        ...,
+        HttpOnly: true,
+        ...,
+      }
+  - pattern: |
+      &sessions.Options{
+        ...,
+      }
+  message: >-
+    A session cookie was detected without setting the 'HttpOnly' flag.
+    The 'HttpOnly' flag for cookies instructs the browser to forbid
+    client-side scripts from reading the cookie which mitigates XSS
+    attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true'
+    in the Options struct.
+  metadata:
+    cwe:
+    - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
+    owasp:
+    - A05:2021 - Security Misconfiguration
+    - A02:2025 - Security Misconfiguration
+    references:
+    - https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69
+    category: security
+    technology:
+    - gorilla
+    confidence: MEDIUM
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+  fix-regex:
+    regex: (HttpOnly\s*:\s+)false
+    replacement: \1true
+  severity: WARNING
+  languages: [go]

package/rules/community-merged/cwe-1104/express-detect-notevil-usage.yaml

@@ -0,0 +1,56 @@
+# Source: semgrep-community | Cluster: javascript-1104
+rules:
+- id: express-detect-notevil-usage
+  message: >-
+    Detected usage of the `notevil` package, which is unmaintained and has vulnerabilities.
+    Using any sort of `eval()` functionality can be very dangerous, but if you must,
+    the `eval` package is an up to date alternative. Be sure that only trusted input
+    reaches an `eval()` function.
+  metadata:
+    category: security
+    references:
+    - https://github.com/mmckegg/notevil
+    cwe:
+    - 'CWE-1104: Use of Unmaintained Third Party Components'
+    owasp:
+    - A06:2021 - Vulnerable and Outdated Components
+    - A03:2025 - Software Supply Chain Failures
+    technology:
+    - javascript
+    - typescript
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: HIGH
+    confidence: LOW
+  languages:
+  - javascript
+  - typescript
+  severity: WARNING
+  patterns:
+  - pattern-either:
+    - pattern-inside: |
+        import $EVAL from 'notevil'
+        ...
+    - pattern-inside: |
+        import {$EVAL} from 'notevil'
+        ...
+    - pattern-inside: |
+        $EVAL = require('notevil')
+        ...
+  - pattern-either:
+    - patterns:
+      - pattern: $EVAL(...)
+      - pattern-not: $EVAL('...')
+    - patterns:
+      - pattern-either:
+        - pattern: $VM.runInContext("$CMD", ...)
+        - pattern: $VM.runInNewContext("$CMD", ...)
+        - pattern: $VM.runInThisContext("$CMD", ...)
+        - pattern: $VM.compileFunction("$CMD", ...)
+      - metavariable-pattern:
+          patterns:
+          - pattern: $EVAL(...)
+          - pattern-not: $EVAL('...')
+          metavariable: $CMD
+          language: typescript

package/rules/community-merged/cwe-113/http-response-splitting.yaml

@@ -0,0 +1,45 @@
+# Source: semgrep-community | Cluster: java-113
+rules:
+- id: http-response-splitting
+  metadata:
+    cwe:
+    - "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"
+    owasp:
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTP_RESPONSE_SPLITTING
+    references:
+    - https://www.owasp.org/index.php/HTTP_Response_Splitting
+    category: security
+    technology:
+    - java
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: MEDIUM
+    confidence: MEDIUM
+  message: >-
+    Older Java application servers are vulnerable to HTTP response splitting, which
+    may occur if an HTTP
+    request can be injected with CRLF characters. This finding is reported for completeness;
+    it is recommended
+    to ensure your environment is not affected by testing this yourself.
+  severity: INFO
+  languages:
+  - java
+  pattern-either:
+  - pattern: |
+      $VAR = $REQ.getParameter(...);
+      ...
+      $COOKIE = new Cookie(..., $VAR, ...);
+      ...
+      $RESP.addCookie($COOKIE, ...);
+  - patterns:
+    - pattern-inside: |
+        $RETTYPE $FUNC(...,@PathVariable $TYPE $VAR, ...) {
+          ...
+        }
+    - pattern: |
+        $COOKIE = new Cookie(..., $VAR, ...);
+        ...
+        $RESP.addCookie($COOKIE, ...);

package/rules/community-merged/cwe-115/reverseproxy-director.yaml

@@ -0,0 +1,34 @@
+# Source: semgrep-community | Cluster: go-115
+rules:
+- id: reverseproxy-director
+  message: >-
+    ReverseProxy can remove headers added by Director. Consider using ReverseProxy.Rewrite
+    instead of ReverseProxy.Director.
+  languages: [go]
+  severity: WARNING
+  patterns:
+  - pattern-inside: |
+      import "net/http/httputil"
+      ...
+  - pattern-either:
+      - pattern: $PROXY.Director = $FUNC
+      - patterns:
+          - pattern-inside: |
+              httputil.ReverseProxy{
+                  ...
+              }
+          - pattern: |
+              Director: $FUNC
+  metadata:
+    cwe:
+    - "CWE-115: Misinterpretation of Input"
+    category: security
+    subcategory:
+    - audit
+    technology:
+      - go
+    confidence: MEDIUM
+    likelihood: LOW
+    impact: LOW
+    references:
+      - https://github.com/golang/go/issues/50580

package/rules/community-merged/cwe-116/autoescape-disabled-false.yaml

@@ -0,0 +1,35 @@
+# Source: semgrep-community | Cluster: python-116
+rules:
+- id: incorrect-autoescape-disabled
+  patterns:
+  - pattern: jinja2.Environment(... , autoescape=$VAL, ...)
+  - pattern-not: jinja2.Environment(... , autoescape=True, ...)
+  - pattern-not: jinja2.Environment(... , autoescape=jinja2.select_autoescape(...), ...)
+  - focus-metavariable: $VAL
+  fix: |
+    True
+  message: >-
+    Detected a Jinja2 environment with 'autoescaping' disabled.
+    This is dangerous if you are rendering to a browser because this allows for cross-site
+    scripting (XSS) attacks. If you are in a web context, enable 'autoescaping' by setting
+    'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable
+    automatic escaping for certain file extensions.
+  metadata:
+    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b701_jinja2_autoescape_false.html
+    cwe:
+    - 'CWE-116: Improper Encoding or Escaping of Output'
+    owasp:
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    references:
+    - https://jinja.palletsprojects.com/en/2.11.x/api/#basics
+    category: security
+    technology:
+    - jinja2
+    subcategory:
+    - vuln
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: MEDIUM
+  languages: [python]
+  severity: WARNING

package/rules/community-merged/cwe-116/detect-disable-mustache-escape.yaml

@@ -0,0 +1,28 @@
+# Source: semgrep-community | Cluster: javascript-116
+rules:
+- id: detect-disable-mustache-escape
+  message: >-
+    Markup escaping disabled. This can be used with some template engines to escape
+    disabling of HTML entities, which can lead to XSS attacks.
+  metadata:
+    cwe:
+    - 'CWE-116: Improper Encoding or Escaping of Output'
+    owasp:
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-disable-mustache-escape.js
+    category: security
+    technology:
+    - mustache
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: LOW
+    references:
+    - https://owasp.org/Top10/A03_2021-Injection
+  languages:
+  - javascript
+  - typescript
+  severity: WARNING
+  pattern: $OBJ.escapeMarkup = false

package/rules/community-merged/cwe-116/incomplete-sanitization.yaml

@@ -0,0 +1,33 @@
+# Source: semgrep-community | Cluster: javascript-116
+rules:
+- id: incomplete-sanitization
+  message: >-
+    `$STR.replace` method will only replace the first occurrence when used with a string argument ($CHAR).
+    If this method is used for escaping of dangerous data then there is a possibility for a bypass.
+    Try to use sanitization library instead or use a Regex with a global flag.
+  metadata:
+    cwe:
+    - 'CWE-116: Improper Encoding or Escaping of Output'
+    category: security
+    technology:
+    - javascript
+    owasp:
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+    confidence: LOW
+    references:
+    - https://owasp.org/Top10/A03_2021-Injection
+  languages:
+  - javascript
+  - typescript
+  severity: WARNING
+  patterns:
+  - pattern: |
+      $STR.replace(($CHAR: string), ...)
+  - metavariable-regex:
+      metavariable: $CHAR
+      regex: ^[\"\']([\'\"\<\>\*\|\{\}\[\]\%\$]{1}|\\n|\\r|\\t|\\&)[\"\']$