npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/unified/cwe-117/zm-java-cwe117-logforging.yaml ADDED Viewed

@@ -0,0 +1,154 @@
+# Source: common | Cluster: N/A
+# CWE-117: 日志注入 (Log Forging) 检测
+# 逐码 ZhuMa V4.1 — 通用规则库
+# 检测: log.info/warn/error() 参数含 request.getParameter() 未经 sanitize
+rules:
+# ZM-JAVA-LF-001: Log4j/SLF4J 日志直接输出用户输入
+- id: zm-java-lf-001
+  severity: WARNING
+  message: |
+    检测到日志方法（log.info/warn/error/debug）直接输出 HTTP 请求参数，未经任何清洗处理。
+    攻击者可构造包含换行符 (CRLF: %0d%0a) 的输入，注入伪造的日志条目或污染日志分析系统。
+    日志注入攻击可导致:
+    - 伪造日志记录，干扰攻击溯源
+    - 注入恶意日志条目误导安全监控
+    - 在 Log4j2 中触发 JNDI 查找（Log4Shell, CVE-2021-44228）
+    修复方案:
+    1. 对用户输入进行换行符过滤: input.replaceAll("[\\r\\n]", "_")
+    2. 使用日志框架的参数化占位符（如 log.info("user={}", sanitizedInput)）
+    3. 实现自定义日志 Appender 过滤 CRLF 字符
+    4. 限制日志字段长度，防止日志膨胀
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        log.info($REQ.getParameter(...))
+    - pattern: |
+        log.warn($REQ.getParameter(...))
+    - pattern: |
+        log.error($REQ.getParameter(...))
+    - pattern: |
+        log.debug($REQ.getParameter(...))
+    - pattern: |
+        LOG.info($REQ.getParameter(...))
+    - pattern: |
+        LOG.warn($REQ.getParameter(...))
+    - pattern: |
+        LOG.error($REQ.getParameter(...))
+    - pattern: |
+        LOG.debug($REQ.getParameter(...))
+    - pattern: |
+        logger.info($REQ.getParameter(...))
+    - pattern: |
+        logger.warn($REQ.getParameter(...))
+    - pattern: |
+        logger.error($REQ.getParameter(...))
+    - pattern: |
+        logger.debug($REQ.getParameter(...))
+    - pattern: |
+        LOGGER.info($REQ.getParameter(...))
+    - pattern: |
+        LOGGER.warn($REQ.getParameter(...))
+    - pattern: |
+        LOGGER.error($REQ.getParameter(...))
+    - pattern: |
+        LOGGER.debug($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-117: Improper Output Neutralization for Logs"
+    severity: WARNING
+    precision: high
+    category: data-exposure
+    likelihood: HIGH
+    impact: MEDIUM
+    owasp: "A09:2021 - Security Logging and Monitoring Failures"
+    references:
+      - "https://cwe.mitre.org/data/definitions/117.html"
+      - "https://owasp.org/www-community/attacks/Log_Injection"
+# ZM-JAVA-LF-002: 日志拼接用户输入 (CRLF 注入)
+- id: zm-java-lf-002
+  severity: WARNING
+  message: |
+    检测到日志方法参数中拼接了 HTTP 请求参数。攻击者可在参数值中注入换行符 (%0d%0a)
+    来伪造日志条目，污染日志完整性。
+    修复方案:
+    1. 使用参数化日志: log.info("user input: {}", request.getParameter("name"))
+    2. 或先对输入做 CRLF 过滤: input.replace("\r", "").replace("\n", "")
+    3. 在日志 Appender 层统一过滤特殊字符
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        log.info(... + $REQ.getParameter(...) + ...)
+    - pattern: |
+        log.warn(... + $REQ.getParameter(...) + ...)
+    - pattern: |
+        log.error(... + $REQ.getParameter(...) + ...)
+    - pattern: |
+        log.debug(... + $REQ.getParameter(...) + ...)
+  metadata:
+    cwe: "CWE-117: Improper Output Neutralization for Logs"
+    severity: WARNING
+    precision: medium
+    category: data-exposure
+    likelihood: HIGH
+    impact: MEDIUM
+    owasp: "A09:2021 - Security Logging and Monitoring Failures"
+# ZM-JAVA-LF-003: System.out/err 直接输出用户输入
+- id: zm-java-lf-003
+  severity: WARNING
+  message: |
+    检测到 System.out.println() 或 System.err.println() 直接输出 HTTP 请求参数。
+    虽然控制台输出不一定构成日志注入，但若输出被重定向到日志文件，可被利用进行日志伪造。
+    修复方案:
+    1. 避免在生产环境使用 System.out.println()
+    2. 使用规范的日志框架（SLF4J/Log4j2）
+    3. 对输出内容进行 sanitize
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        System.out.println($REQ.getParameter(...))
+    - pattern: |
+        System.err.println($REQ.getParameter(...))
+    - pattern: |
+        System.out.print($REQ.getParameter(...))
+    - pattern: |
+        System.err.print($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-117: Improper Output Neutralization for Logs"
+    severity: WARNING
+    precision: high
+    category: data-exposure
+    likelihood: HIGH
+    impact: LOW
+    owasp: "A09:2021 - Security Logging and Monitoring Failures"
+# ZM-JAVA-LF-004: e.printStackTrace() 泄露敏感信息
+- id: zm-java-lf-004
+  severity: WARNING
+  message: |
+    检测到 e.printStackTrace() 调用。printStackTrace() 会将完整堆栈（含敏感类路径、方法名、
+    内部逻辑）输出到 stderr，若未妥善处理可能泄露到客户端或日志，被攻击者利用。
+    修复方案:
+    1. 使用 log.error("error message", e) 替代 printStackTrace()
+    2. 确保日志系统不将堆栈信息返回给客户端
+    3. 在生产环境使用统一的异常处理机制（@ControllerAdvice）
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $E.printStackTrace()
+    - pattern: |
+        $E.printStackTrace(...);
+  metadata:
+    cwe: "CWE-117: Improper Output Neutralization for Logs"
+    severity: WARNING
+    precision: very-high
+    category: data-exposure
+    likelihood: HIGH
+    impact: LOW
+    owasp: "A09:2021 - Security Logging and Monitoring Failures"

package/rules/unified/cwe-117/zm-java-cwe117-smtp-header-injection.yaml ADDED Viewed

@@ -0,0 +1,59 @@
+# Source: common | Cluster: N/A
+# CWE-117: SMTP Header 注入 (JavaMail) 检测
+# 逐码 ZhuMa V4.3 — 邮件头注入专项
+rules:
+# ZM-JAVA-CWE117-SMTP-001: JavaMail 设置 Subject/From 用户可控
+- id: zm-java-cwe117-smtp-001
+  severity: WARNING
+  message: |
+    JavaMail MimeMessage 的 subject、from、to 等邮件头字段由用户输入设置，
+    攻击者可通过注入 CRLF (%0d%0a) 添加额外的邮件头（如 Bcc、Reply-To），
+    实现邮件伪造或通过邮件发送垃圾信息。
+    修复: 1. 过滤用户输入中的 \r 和 \n 字符
+    2. 使用 javax.mail.internet.InternetAddress 校验地址格式
+    3. 使用 EmailValidator 校验邮件地址合法性
+  languages:
+    - java
+  pattern-either:
+    - pattern: $MSG.setSubject($REQ.getParameter(...))
+    - pattern: $MSG.setFrom(new InternetAddress($REQ.getParameter(...)))
+    - pattern: $MSG.setRecipients(Message.RecipientType.TO, $REQ.getParameter(...))
+    - pattern: $MSG.setReplyTo($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-117: Improper Output Neutralization for Logs"
+    severity: WARNING
+    precision: very-high
+    category: injection
+    owasp: "A03:2021 - Injection"
+    likelihood: HIGH
+    impact: MEDIUM
+    tags: [smtp, mail, header-injection]
+# ZM-JAVA-CWE117-SMTP-002: JavaMail 正文拼接 CRLF 注入
+- id: zm-java-cwe117-smtp-002
+  severity: WARNING
+  message: |
+    JavaMail MimeMessage 正文通过字符串拼接用户输入，未过滤 CRLF 字符，
+    攻击者可注入 MIME 头截断正文。
+    修复: 使用 MimeBodyPart.setText(text, "UTF-8") 设置正文，
+    对用户输入中的 \r\n 做 strip/escape 处理。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $MSG.setText($REQ.getParameter(...))
+    - pattern: $MSG.setContent($REQ.getParameter(...), "text/plain")
+    - pattern: |
+        $BODY = $TEMPLATE + $REQ.getParameter(...);
+        ...
+        $MSG.setText($BODY);
+  metadata:
+    cwe: "CWE-117: Improper Output Neutralization for Logs"
+    severity: WARNING
+    precision: medium
+    category: injection
+    owasp: "A03:2021 - Injection"
+    likelihood: MEDIUM
+    impact: MEDIUM
+    tags: [smtp, mail, header-injection]

package/rules/unified/cwe-121/zm-cpp-cwe121-buffer-overflow.yaml ADDED Viewed

@@ -0,0 +1,137 @@
+# Source: common | Cluster: N/A
+# CWE-121/122: C/C++ 栈/堆缓冲区溢出检测规则
+# 逐码 ZhuMa V4.3 — C/C++ 规则库
+#
+# 检测不安全的内存复制函数使用，包括 strcpy、strcat、sprintf 等
+# 不进行边界检查的字符串操作函数。
+rules:
+# ZM-CPP-CWE121-001: strcpy — 无边界检查的字符串复制 (栈溢出)
+- id: zm-cpp-cwe121-buffer-overflow-001
+  severity: ERROR
+  message: |
+    检测到 strcpy() 函数调用。该函数不检查目标缓冲区大小，
+    源字符串超长时将导致栈缓冲区溢出，可能被利用为任意代码执行。
+    修复方案：
+    - C: 使用 strncpy() 并显式指定目标缓冲区大小
+    - C: 使用 strlcpy() (BSD/macOS) 或 strcpy_s() (C11 Annex K / Windows)
+    - C++: 使用 std::string 完全避免 C 风格字符串操作
+    - C++: 使用 std::copy_n / std::strcpy (with bounds)
+  languages:
+    - c
+    - cpp
+  patterns:
+    - pattern: strcpy(...)
+  metadata:
+    cwe: "CWE-121: Stack-based Buffer Overflow"
+    owasp: "A06:2021 - Vulnerable and Outdated Components"
+    category: security
+    precision: high
+    references:
+      - "https://cwe.mitre.org/data/definitions/121.html"
+      - "https://owasp.org/www-community/vulnerabilities/Buffer_Overflow"
+# ZM-CPP-CWE121-002: strcat — 危险字符串拼接
+- id: zm-cpp-cwe121-buffer-overflow-002
+  severity: ERROR
+  message: |
+    检测到 strcat() 函数调用。该函数在目标缓冲区末尾追加字符串但不检查剩余空间，
+    源字符串过长将导致栈缓冲区溢出。strcat 不会检查写入是否超出目标缓冲区边界。
+    修复方案：
+    - 使用 strncat() 并传递剩余缓冲区大小
+    - 使用 strlcat() (BSD/macOS) 或 strcat_s() (C11 Annex K)
+    - C++: 使用 std::string::append() 替代
+  languages:
+    - c
+    - cpp
+  patterns:
+    - pattern: strcat(...)
+  metadata:
+    cwe: "CWE-121: Stack-based Buffer Overflow"
+    owasp: "A06:2021 - Vulnerable and Outdated Components"
+    category: security
+    precision: high
+    references:
+      - "https://cwe.mitre.org/data/definitions/121.html"
+# ZM-CPP-CWE122-003: gets — 极度危险的输入函数 (CWE-122堆溢出)
+- id: zm-cpp-cwe121-buffer-overflow-003
+  severity: ERROR
+  message: |
+    检测到 gets() 函数调用。gets() 从 stdin 读取数据直到换行符，
+    但不检查目标缓冲区大小，任何超过缓冲区大小的输入必然导致缓冲区溢出。
+    C11 标准已移除 gets() 函数，任何使用均视为严重安全漏洞。
+    修复方案：
+    - 使用 fgets(buf, sizeof(buf), stdin) 替代
+    - C++: 使用 std::getline(std::cin, str) 替代
+    - C++: 使用 std::cin.getline(buf, sizeof(buf)) 替代
+  languages:
+    - c
+    - cpp
+  patterns:
+    - pattern: gets(...)
+  metadata:
+    cwe: "CWE-122: Heap-based Buffer Overflow"
+    owasp: "A06:2021 - Vulnerable and Outdated Components"
+    category: security
+    precision: very-high
+    references:
+      - "https://cwe.mitre.org/data/definitions/122.html"
+      - "https://cwe.mitre.org/data/definitions/242.html"
+# ZM-CPP-CWE121-004: sprintf — 无边界检查的格式化输出 (栈溢出)
+- id: zm-cpp-cwe121-buffer-overflow-004
+  severity: ERROR
+  message: |
+    检测到 sprintf() 函数调用。sprintf() 不检查输出字符串长度是否超出目标缓冲区，
+    当格式化后的字符串超过缓冲区大小时将导致栈缓冲区溢出。
+    修复方案：
+    - 使用 snprintf(buf, sizeof(buf), fmt, ...) 替代
+    - C++: 使用 std::ostringstream 替代
+    - C++20: 使用 std::format / std::format_to_n
+  languages:
+    - c
+    - cpp
+  patterns:
+    - pattern: sprintf(...)
+    - pattern-not: snprintf(...)
+  metadata:
+    cwe: "CWE-121: Stack-based Buffer Overflow"
+    owasp: "A06:2021 - Vulnerable and Outdated Components"
+    category: security
+    precision: high
+    references:
+      - "https://cwe.mitre.org/data/definitions/121.html"
+      - "https://wiki.sei.cmu.edu/confluence/display/c/STR07-C.+Use+the+bounds-checking+interfaces+for+string+manipulation"
+# ZM-CPP-CWE121-005: scanf 族无宽度限制
+- id: zm-cpp-cwe121-buffer-overflow-005
+  severity: ERROR
+  message: |
+    检测到 scanf() 族函数使用 %s 格式说明符但未指定最大字段宽度。
+    固定大小的目标缓冲区可能被超长输入溢出。
+    修复方案：
+    - 使用 %Ns 格式说明符指定最大长度，如 scanf("%99s", buf) (缓冲区100字节)
+    - 使用 fgets() + sscanf() 组合先限制输入长度
+    - C++: 使用 std::cin 配合 std::string 自动管理内存
+  languages:
+    - c
+    - cpp
+  pattern-either:
+    - pattern: scanf("...%s...", ...)
+    - pattern: fscanf($FP, "...%s...", ...)
+    - pattern: sscanf($BUF, "...%s...", ...)
+    - pattern: scanf_s("...%s...", ...)
+  metadata:
+    cwe: "CWE-121: Stack-based Buffer Overflow"
+    owasp: "A06:2021 - Vulnerable and Outdated Components"
+    category: security
+    precision: medium
+    references:
+      - "https://cwe.mitre.org/data/definitions/121.html"

package/rules/unified/cwe-1321/zm-js-cwe1321-prototype-pollution.yaml ADDED Viewed

@@ -0,0 +1,62 @@
+# Source: common | Cluster: N/A
+# CWE-1321: 原型链污染检测规则
+# 逐码 ZhuMa V4.1 Sprint 1 — JS/TS 通用规则库
+rules:
+- id: zm-js-pp-001
+  severity: ERROR
+  message: |
+    检测到将用户可控数据（req.body / req.query / req.params）通过动态键赋值
+    到对象嵌套属性，可能导致原型链污染。
+    修复: 1.Object.create(null)创建无原型对象 2.过滤__proto__/constructor/prototype键名
+    3.使用Map替代普通对象 4.检查lodash.merge版本(<4.17.12存在漏洞)
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        $OBJ[$REQ.body] = $VAL
+    - pattern: |
+        $OBJ[$REQ.query] = $VAL
+    - pattern: |
+        $OBJ[$REQ.params] = $VAL
+    - pattern: |
+        $OBJ[$KEY] = $REQ.body
+    - pattern: |
+        $OBJ[$KEY] = $REQ.query
+    - pattern: |
+        $OBJ[$KEY] = $REQ.params
+  metadata:
+    cwe: "CWE-1321"
+    severity: ERROR
+    precision: medium
+    category: code-injection
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+- id: zm-js-pp-002
+  severity: ERROR
+  message: |
+    检测到对 __proto__ 或 constructor.prototype 的直接赋值操作。
+    这是原型链污染的典型模式。
+    修复: 1.禁止对__proto__和constructor.prototype赋值 2.冻结原型: Object.freeze(Object.prototype)
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        $OBJ.__proto__ = $VAL
+    - pattern: |
+        $OBJ['__proto__'] = $VAL
+    - pattern: |
+        $OBJ.constructor.prototype = $VAL
+    - pattern: |
+        $OBJ.constructor.prototype.$PROP = $VAL
+    - pattern: |
+        $OBJ.__proto__.$PROP = $VAL
+  metadata:
+    cwe: "CWE-1321"
+    severity: ERROR
+    precision: very-high
+    category: code-injection
+    owasp: "A08:2021"

package/rules/unified/cwe-1336/zm-go-cwe1336-template-injection.yaml ADDED Viewed

@@ -0,0 +1,39 @@
+# Source: common | Cluster: N/A
+rules:
+  - id: zm-go-template-injection-001
+    severity: ERROR
+    message: >-
+      使用text/template处理HTML内容。text/template不做HTML转义，用户输入直接注入HTML造成XSS。
+      必须用html/template替代。CVE-2019-11888。
+      修复：import "text/template" → import "html/template"。
+    languages:
+      - go
+    patterns:
+      - pattern-either:
+          - pattern: $T.Execute($W, $DATA)
+          - pattern: $T.ExecuteTemplate($W, $NAME, $DATA)
+    metadata:
+      cwe: "CWE-1336"
+      confidence: MEDIUM
+      likelihood: HIGH
+      impact: CRITICAL
+      owasp: "A03:2021"
+      cve: "CVE-2019-11888"
+      category: template-injection
+  - id: zm-go-template-injection-002
+    severity: ERROR
+    message: >-
+      文件同时导入text/template和net/http。Web应用可能用text/template处理HTTP响应存在XSS。
+      修复：改用html/template。
+    languages:
+      - go
+    patterns:
+      - pattern-regex: '"text/template"'
+    metadata:
+      cwe: "CWE-1336"
+      confidence: LOW
+      likelihood: MEDIUM
+      impact: CRITICAL
+      owasp: "A03:2021"
+      cve: "CVE-2019-11888"
+      category: template-injection

package/rules/unified/cwe-1336/zm-taint-1336-1336-java-196.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+# Source: taint | Cluster: CL-1336-JAVA-196
+# Taint-upgraded rule: zhuma-nvd-1336-1336-java-196
+# Original CWE: CWE-1336 | Language: java
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-1336-1336-java-196
+  mode: taint
+  metadata:
+    category: CWE-1336
+    cwe: "CWE-1336"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-1336-1336-java-196
+  message: |
+    检测到模板注入(SSTI)风险。用户输入被拼接到模板引擎渲染上下文。
+  severity: WARNING
+  languages:
+    - java
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: request.getParameter(...)
+      - pattern: "@RequestParam $T $X"
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: $TEMPLATE.process(...)
+      - pattern: $ENGINE.evaluate(...)
+      - pattern: $ENGINE.evaluate(...)
+      - pattern: Velocity.evaluate(...)
+      - pattern: FreeMarker

package/rules/unified/cwe-1336/zm-taint-1336-1336-java-197.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+# Source: taint | Cluster: CL-1336-JAVA-197
+# Taint-upgraded rule: zhuma-nvd-1336-1336-java-197
+# Original CWE: CWE-1336 | Language: java
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-1336-1336-java-197
+  mode: taint
+  metadata:
+    category: CWE-1336
+    cwe: "CWE-1336"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-1336-1336-java-197
+  message: |
+    检测到模板注入(SSTI)风险。用户输入被拼接到模板引擎渲染上下文。
+  severity: WARNING
+  languages:
+    - java
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: request.getParameter(...)
+      - pattern: "@RequestParam $T $X"
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: $TEMPLATE.process(...)
+      - pattern: $ENGINE.evaluate(...)
+      - pattern: $ENGINE.evaluate(...)
+      - pattern: Velocity.evaluate(...)
+      - pattern: FreeMarker

package/rules/unified/cwe-1336/zm-taint-1336-1336-javascript-201.yaml ADDED Viewed

@@ -0,0 +1,41 @@
+# Source: taint | Cluster: CL-1336-JAVASCRIPT-201
+# Taint-upgraded rule: zhuma-nvd-1336-1336-javascript-201
+# Original CWE: CWE-1336 | Language: javascript
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-1336-1336-javascript-201
+  mode: taint
+  metadata:
+    category: CWE-1336
+    cwe: "CWE-1336"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-1336-1336-javascript-201
+  message: |
+    检测到模板注入(SSTI)风险。用户输入被拼接到模板引擎渲染上下文。
+  severity: WARNING
+  languages:
+    - javascript
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: req.query.$X
+      - pattern: req.body.$X
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: Handlebars.compile(...)
+      - pattern: ejs.render(...)
+      - pattern: _.template(...)
+      - pattern: pug.compile(...)

package/rules/unified/cwe-1336/zm-taint-1336-1336-javascript-202.yaml ADDED Viewed

@@ -0,0 +1,41 @@
+# Source: taint | Cluster: CL-1336-JAVASCRIPT-202
+# Taint-upgraded rule: zhuma-nvd-1336-1336-javascript-202
+# Original CWE: CWE-1336 | Language: javascript
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-1336-1336-javascript-202
+  mode: taint
+  metadata:
+    category: CWE-1336
+    cwe: "CWE-1336"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-1336-1336-javascript-202
+  message: |
+    检测到模板注入(SSTI)风险。用户输入被拼接到模板引擎渲染上下文。
+  severity: WARNING
+  languages:
+    - javascript
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: req.query.$X
+      - pattern: req.body.$X
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: Handlebars.compile(...)
+      - pattern: ejs.render(...)
+      - pattern: _.template(...)
+      - pattern: pug.compile(...)

package/rules/unified/cwe-1336/zm-taint-1336-1336-javascript-203.yaml ADDED Viewed

@@ -0,0 +1,41 @@
+# Source: taint | Cluster: CL-1336-JAVASCRIPT-203
+# Taint-upgraded rule: zhuma-nvd-1336-1336-javascript-203
+# Original CWE: CWE-1336 | Language: javascript
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-1336-1336-javascript-203
+  mode: taint
+  metadata:
+    category: CWE-1336
+    cwe: "CWE-1336"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-1336-1336-javascript-203
+  message: |
+    检测到模板注入(SSTI)风险。用户输入被拼接到模板引擎渲染上下文。
+  severity: WARNING
+  languages:
+    - javascript
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: req.query.$X
+      - pattern: req.body.$X
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: Handlebars.compile(...)
+      - pattern: ejs.render(...)
+      - pattern: _.template(...)
+      - pattern: pug.compile(...)