@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

package/rules/unified/cwe-22/zm-go-cwe22-path-traversal-framework.yaml

@@ -0,0 +1,48 @@
+# Source: common | Cluster: N/A
+# CWE-22: Go ioutil.ReadFile/os.ReadFile 路径穿越 (补充变体)
+# 逐码 ZhuMa V4.3 — Go 通用规则库
+# 检测: ioutil.ReadFile含用户输入
+
+rules:
+
+# ZM-GO-PT-004: ioutil.ReadFile / os.ReadFile 动态路径来自HTTP请求
+- id: zm-go-pt-004
+  severity: HIGH
+  message: |
+    检测到 ioutil.ReadFile / os.ReadFile 的文件路径来自HTTP请求参数。
+    攻击者可通过 ../../../etc/passwd 路径穿越读取任意文件。
+
+    修复方案:
+    1. 使用 filepath.Clean + filepath.Abs 规范化后校验前缀
+    2. 使用 filepath.Base 仅提取文件名
+    3. 对用户输入做字符白名单
+    4. 使用 net/http.FileServer + http.Dir 提供安全静态文件服务
+  languages:
+    - go
+  pattern-either:
+    - pattern: ioutil.ReadFile(r.URL.Query().Get($KEY))
+    - pattern: ioutil.ReadFile(r.FormValue($KEY))
+    - pattern: ioutil.ReadFile(r.PostFormValue($KEY))
+    - pattern: os.ReadFile(r.URL.Query().Get($KEY))
+    - pattern: os.ReadFile(r.FormValue($KEY))
+    - pattern: os.ReadFile(r.PostFormValue($KEY))
+    - pattern: ioutil.ReadFile(c.Query($KEY))
+    - pattern: ioutil.ReadFile(c.Param($KEY))
+    - pattern: os.ReadFile(c.Query($KEY))
+    - pattern: os.ReadFile(c.Param($KEY))
+    - pattern: ioutil.ReadFile(ctx.QueryParam($KEY))
+    - pattern: ioutil.ReadFile(ctx.Param($KEY))
+    - pattern: os.ReadFile(ctx.QueryParam($KEY))
+    - pattern: os.ReadFile(ctx.Param($KEY))
+    - pattern: ioutil.ReadFile(mux.Vars($R)[$KEY])
+    - pattern: os.ReadFile(mux.Vars($R)[$KEY])
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)"
+    severity: HIGH
+    precision: high
+    category: path-traversal
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://pkg.go.dev/os#ReadFile"

package/rules/unified/cwe-22/zm-go-cwe22-path-traversal-fs.yaml

@@ -0,0 +1,118 @@
+# Source: common | Cluster: N/A
+# CWE-22: Go 路径穿越深度检测
+# 逐码 ZhuMa V4.1 Sprint — Go 规则库
+# 覆盖: os.MkdirAll + userInput、filepath.Clean无效化、archive/zip ZipSlip
+
+rules:
+
+# ZM-GO-PT-DEPTH-001: os.MkdirAll 用户输入目录创建
+- id: zm-go-pt-depth-001
+  severity: HIGH
+  message: |
+    检测到 os.MkdirAll / os.Mkdir 使用用户可控的目录路径参数。
+    攻击者可通过 ../../ 穿越创建任意目录，可能用于植入webshell或覆盖系统文件。
+
+    修复方案:
+    1. 使用 filepath.Clean() 规范化路径后验证基础目录前缀:
+       cleaned := filepath.Clean(filepath.Join(baseDir, userInput))
+       if !strings.HasPrefix(cleaned, filepath.Clean(baseDir)) { return error }
+    2. 使用 filepath.Base() 仅提取目录名部分
+    3. 限制目录名白名单(字母数字+特定符号)
+    4. 禁止用户输入直接作为目录路径
+  languages:
+    - go
+  pattern-either:
+    - pattern: os.MkdirAll($INPUT, $PERM)
+    - pattern: os.Mkdir($INPUT, $PERM)
+    - pattern: os.MkdirTemp($DIR, $INPUT)
+    - pattern: os.MkdirTemp($INPUT, $PATTERN)
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)"
+    severity: HIGH
+    precision: medium
+    category: path-traversal
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://pkg.go.dev/os#MkdirAll"
+
+# ZM-GO-PT-DEPTH-002: archive/zip ZipSlip 检测
+- id: zm-go-pt-depth-002
+  severity: HIGH
+  message: |
+    检测到 ZIP 解压操作中未对压缩包内文件名做路径穿越校验(ZipSlip漏洞)。
+    攻击者可构造包含 ../ 路径的恶意ZIP文件，解压时写入任意目录。
+
+    典型漏洞模式:
+    for _, f := range reader.File {
+      dst := filepath.Join(targetDir, f.Name)
+      os.MkdirAll(filepath.Dir(dst), 0755)
+      // 未校验 dst 是否在 targetDir 内!
+    }
+
+    修复方案:
+    1. 使用 filepath.Clean 规范化后校验前缀:
+       dst := filepath.Clean(filepath.Join(targetDir, f.Name))
+       if !strings.HasPrefix(dst, filepath.Clean(targetDir)+string(os.PathSeparator)) {
+         return errors.New("invalid file path")
+       }
+    2. 使用 f.FileInfo().Name() 或 filepath.Base(f.Name) 去除路径部分
+    3. 使用专门的ZipSlip防护库
+  languages:
+    - go
+  pattern-either:
+    - pattern: filepath.Join($DIR, $ZIPFILE.Name)
+    - pattern: filepath.Join($DIR, $F.Name)
+    - pattern: filepath.Join($DEST, $HEADER.Name)
+    - pattern: path.Join($DIR, $ZIPFILE.Name)
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)"
+    severity: HIGH
+    precision: high
+    category: path-traversal
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://snyk.io/research/zip-slip-vulnerability"
+      - "https://pkg.go.dev/archive/zip"
+
+# ZM-GO-PT-DEPTH-003: filepath.Clean 后未做前缀校验(无效化)
+- id: zm-go-pt-depth-003
+  severity: WARNING
+  message: |
+    检测到使用 filepath.Clean 规范化路径但未验证结果路径的基础目录前缀。
+    仅使用 filepath.Clean 不足以防止路径穿越——需要配合 HasPrefix 校验。
+
+    错误示例:
+    cleanPath := filepath.Clean(filepath.Join(baseDir, userInput))
+    os.Open(cleanPath)  // ← 未校验 cleanPath 是否在 baseDir 内
+
+    正确示例:
+    cleanPath := filepath.Clean(filepath.Join(baseDir, userInput))
+    cleanBase := filepath.Clean(baseDir)
+    if !strings.HasPrefix(cleanPath, cleanBase) {
+      return nil, errors.New("invalid path")
+    }
+    os.Open(cleanPath)
+
+    修复方案:
+    1. filepath.Clean 后添加 HasPrefix 校验
+    2. 使用 filepath.Rel 计算相对路径并检查是否以 .. 开头
+    3. 对用户输入做字符白名单过滤
+  languages:
+    - go
+  pattern-either:
+    - pattern: filepath.Clean($INPUT)
+    - pattern: path.Clean($INPUT)
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)"
+    severity: WARNING
+    precision: low
+    category: path-traversal
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://pkg.go.dev/path/filepath#Clean"

package/rules/unified/cwe-22/zm-go-cwe22-path-traversal.yaml

@@ -0,0 +1,104 @@
+# Source: common | Cluster: N/A
+# CWE-22: Go 路径穿越检测
+# 逐码 ZhuMa V4.1 — Go 通用规则库
+# 检测: os.Open / ioutil.ReadFile 用户输入路径、path.Join 未验证
+
+rules:
+
+# ZM-GO-PT-001: os.Open / os.ReadFile / ioutil.ReadFile 动态文件路径
+- id: zm-go-pt-001
+  severity: HIGH
+  message: |
+    检测到文件读取操作（os.Open / os.ReadFile / ioutil.ReadFile）
+    使用变量作为文件路径。若该变量来自用户输入（HTTP请求参数、
+    API输入等），攻击者可通过 ../ 穿越目录读取任意文件（如 /etc/passwd）。
+
+    修复方案:
+    1. 使用 filepath.Clean() 规范化路径后，验证是否在允许的基础目录内:
+       cleaned := filepath.Clean(userPath)
+       if !strings.HasPrefix(cleaned, baseDir) { return error }
+    2. 使用 filepath.Base() 仅提取文件名，丢弃路径部分
+    3. 对用户输入的文件名做白名单校验
+    4. 将文件存储在非Web可访问目录中
+  languages:
+    - go
+  pattern-either:
+    - pattern: os.Open($PATH)
+    - pattern: os.OpenFile($PATH, $FLAG, $PERM)
+    - pattern: os.ReadFile($PATH)
+    - pattern: ioutil.ReadFile($PATH)
+    - pattern: ioutil.ReadDir($PATH)
+    - pattern: os.ReadDir($PATH)
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)"
+    severity: HIGH
+    precision: medium
+    category: path-traversal
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://pkg.go.dev/path/filepath#Clean"
+      - "https://owasp.org/www-community/attacks/Path_Traversal"
+
+# ZM-GO-PT-002: path.Join 未做路径前缀验证
+- id: zm-go-pt-002
+  severity: HIGH
+  message: |
+    检测到使用 path.Join 或 filepath.Join 拼接用户可控的路径组件。
+    Join 仅规范化路径分隔符，不会阻止 ../ 穿越。
+    攻击者可通过输入 ../../etc/passwd 绕过 Join 保护。
+
+    修复方案:
+    1. 在 Join 之后使用 filepath.Clean() + HasPrefix 验证:
+       fullPath := filepath.Clean(filepath.Join(baseDir, userInput))
+       if !strings.HasPrefix(fullPath, filepath.Clean(baseDir)) { return error }
+    2. 使用 filepath.Rel() 计算相对路径并检查是否以 .. 开头
+    3. 对用户输入做字符白名单（仅允许字母数字和特定符号）
+  languages:
+    - go
+  pattern-either:
+    - pattern: filepath.Join($BASE, $INPUT)
+    - pattern: path.Join($BASE, $INPUT)
+    - pattern: filepath.Join($INPUT, $SUFFIX)
+    - pattern: path.Join($INPUT, $SUFFIX)
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)"
+    severity: HIGH
+    precision: medium
+    category: path-traversal
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://pkg.go.dev/path/filepath#Join"
+
+# ZM-GO-PT-003: http.ServeFile / http.FileServer 动态目录
+- id: zm-go-pt-003
+  severity: HIGH
+  message: |
+    检测到 http.ServeFile 或 http.FileServer 使用动态路径提供静态文件。
+    若目录路径可由用户控制，攻击者可通过路径穿越访问Web根目录之外的
+    任意文件（配置文件、源码、数据库等）。
+
+    修复方案:
+    1. 使用 http.Dir() 包装目录: http.FileServer(http.Dir("/safe/path"))
+    2. 确保 root 目录为绝对路径且不可由用户控制
+    3. 配合 http.StripPrefix 限制访问范围
+    4. 对敏感目录设置 dotfiles 访问控制
+  languages:
+    - go
+  pattern-either:
+    - pattern: http.ServeFile($W, $R, $PATH)
+    - pattern: http.FileServer(http.Dir($DIR))
+    - pattern: http.FileServer(http.Dir($VAR))
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)"
+    severity: HIGH
+    precision: medium
+    category: path-traversal
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://pkg.go.dev/net/http#FileServer"

package/rules/unified/cwe-22/zm-java-cwe22-file-depth.yaml

@@ -0,0 +1,136 @@
+# Source: common | Cluster: N/A
+# CWE-22/434/73 文件操作深度覆盖: 路径遍历全量sink + 文件上传危险模式
+
+rules:
+
+# ZM-JAVA-FILE-READ-001: Files.read/readAllBytes/readString 路径由用户可控
+- id: zm-java-file-read-001
+  severity: HIGH
+  message: |
+    Files.readXXX / FileInputStream 使用用户可控路径——路径遍历/任意文件读取。
+    校验路径不以 ../ 开头，规范化后验证在允许的根目录内。
+  languages:
+    - java
+  pattern-either:
+    - pattern: Files.readAllBytes($PATH)
+    - pattern: Files.readString($PATH)
+    - pattern: Files.readAllLines($PATH)
+    - pattern: Files.newInputStream($PATH)
+    - pattern: new FileInputStream($PATH)
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: medium
+    tags: [path-traversal, file-read, nio]
+
+# ZM-JAVA-FILE-WRITE-001: Files.write 路径可控
+- id: zm-java-file-write-001
+  severity: CRITICAL
+  message: |
+    Files.write/FileOutputStream 使用用户可控路径——任意文件写入，可getshell。
+    同路径遍历规则校验路径在允许范围内，且不要接受完整文件名。
+  languages:
+    - java
+  pattern-either:
+    - pattern: Files.write($PATH, $CONTENT)
+    - pattern: Files.newOutputStream($PATH)
+    - pattern: new FileOutputStream($PATH)
+    - pattern: $FILE.createNewFile()
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: medium
+    tags: [path-traversal, file-write, rce]
+
+# ZM-JAVA-FILE-DELETE-001: Files.delete/deleteIfExists 路径可控
+- id: zm-java-file-delete-001
+  severity: MEDIUM
+  message: |
+    Files.delete/deleteIfExists 使用用户可控路径——可删除任意文件。
+    校验路径在白名单内，使用 UUID 文件名避免路径注入。
+  languages:
+    - java
+  pattern-either:
+    - pattern: Files.delete($PATH)
+    - pattern: Files.deleteIfExists($PATH)
+    - pattern: $FILE.delete()
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: medium
+    tags: [path-traversal, file-delete]
+
+# ZM-JAVA-UPLOAD-PATH-001: MultipartFile transferTo 使用用户可控路径
+- id: zm-java-upload-path-001
+  severity: CRITICAL
+  message: |
+    MultipartFile.transferTo() 目标路径使用原始文件名 + 用户可控目录——可覆盖任意文件。
+    使用 UUID 重命名上传文件，并确保上传目录在配置的 uploads/ 根内。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $FILE.transferTo(new File($PATH));
+    - pattern: $FILE.transferTo($DEST);
+  metadata:
+    cwe: "CWE-434: Unrestricted Upload of File with Dangerous Type"
+    owasp: "A03:2021 - Injection"
+    precision: high
+    tags: [file-upload, path-traversal]
+    references:
+      - https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+
+# ZM-JAVA-UPLOAD-EXT-001: 文件上传缺少扩展名校验
+- id: zm-java-upload-ext-001
+  severity: HIGH
+  message: |
+    MultipartFile.getOriginalFilename() 直接用于存储——未校验扩展名/Content-Type。
+    限制允许的文件类型（白名单），校验 Magic Bytes，禁止 .jsp/.exe/.sh 等可执行后缀。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $FILE.getOriginalFilename()
+    - pattern: $PART.getOriginalFilename()
+  metadata:
+    cwe: "CWE-434: Unrestricted Upload of File with Dangerous Type"
+    owasp: "A03:2021 - Injection"
+    precision: low
+    tags: [file-upload, extension-bypass]
+    references:
+      - https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+
+# ZM-JAVA-ZIP-SLIP-001: ZipEntry 解压前未校验路径
+- id: zm-java-zip-slip-001
+  severity: CRITICAL
+  message: |
+    ZipEntry.getName() 直接用于 new File(outputDir, entryName) —— 可触发 Zip Slip 路径穿越。
+    规范化后再校验：new File(outputDir, entryName).getCanonicalPath().startsWith(outputDir)
+  languages:
+    - java
+  pattern-either:
+    - pattern: new File($OUTDIR, $ENTRY.getName())
+    - pattern: |
+        $ENTRY = $ZIP.getNextEntry();
+        ...
+        new File($DIR, $ENTRY);
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: high
+    tags: [zip-slip, path-traversal, rce]
+    references:
+      - https://snyk.io/research/zip-slip-vulnerability
+
+# ZM-JAVA-TEMP-FILE-001: 临时文件使用已弃用 API
+- id: zm-java-temp-file-001
+  severity: LOW
+  message: |
+    File.createTempFile 前缀/后缀固定且无 SecureRandom — 临时文件名可预测。
+    迁移到 Files.createTempFile() 并指定 SecureRandom 前缀。
+  languages:
+    - java
+  pattern: File.createTempFile($PREFIX, $SUFFIX)
+  metadata:
+    cwe: "CWE-377: Insecure Temporary File"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: high
+    tags: [temp-file, race-condition]

package/rules/unified/cwe-22/zm-java-cwe22-file-unnormalized.yaml

@@ -0,0 +1,58 @@
+# Source: common | Cluster: N/A
+# CWE-22: 路径穿越 — File含../未规范化
+# 逐码 ZhuMa V4.3 — 路径穿越深度覆盖
+
+rules:
+
+# ZM-JAVA-CWE22-UNNORMALIZED-001: File 构造含 ../ 或用户输入
+- id: zm-java-cwe22-unnormalized-001
+  severity: ERROR
+  message: |
+    java.io.File 构造器使用用户输入构建路径，若未调用 getCanonicalPath() 或 normalize() 进行路径规范化，
+    攻击者可通过 ../ 路径穿越读取任意文件（如 /etc/passwd）。
+    修复: 1. file.getCanonicalPath() 规范路径后再校验前缀 2. 使用 Paths.get().normalize().toRealPath()
+    3. 确保最终路径在允许的目录范围内: path.startsWith(allowedBase)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $F = new File($BASE, $REQ.getParameter(...));
+    - pattern: |
+        $F = new File($REQ.getParameter(...));
+    - pattern: |
+        $P = Paths.get($REQ.getParameter(...));
+    - pattern: |
+        $F = new File($BASE + File.separator + $REQ.getParameter(...));
+    - pattern: |
+        $F = new File($BASE + "/" + $REQ.getParameter(...));
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+    severity: ERROR
+    precision: high
+    category: path-traversal
+    owasp: "A01:2021 - Broken Access Control"
+    likelihood: HIGH
+    impact: HIGH
+
+# ZM-JAVA-CWE22-UNNORMALIZED-002: FileOutputStream/InputStream 用户可控路径
+- id: zm-java-cwe22-unnormalized-002
+  severity: ERROR
+  message: |
+    FileInputStream/FileOutputStream 使用用户可控路径，
+    攻击者可读取系统敏感文件或覆盖关键配置文件。
+    修复: 使用 file.getCanonicalPath() 解析真实路径，校验路径前缀在允许的目录范围内。
+  languages:
+    - java
+  pattern-either:
+    - pattern: new FileInputStream($REQ.getParameter(...))
+    - pattern: new FileOutputStream($REQ.getParameter(...))
+    - pattern: new FileReader($REQ.getParameter(...))
+    - pattern: new FileWriter($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+    severity: ERROR
+    precision: very-high
+    category: path-traversal
+    owasp: "A01:2021 - Broken Access Control"
+    likelihood: HIGH
+    impact: HIGH

package/rules/unified/cwe-22/zm-java-cwe22-path-traversal-spring.yaml

@@ -0,0 +1,82 @@
+# Source: common | Cluster: N/A
+# CWE-22: Path Traversal — Spring-specific sinks
+# ZhuMa V4.1 — complement zm-java-cwe22-file-depth.yaml
+
+rules:
+
+# ZM-JAVA-PATH-SPRING-001: ClassPathResource with user-controlled path
+- id: zm-java-path-spring-001
+  severity: MEDIUM
+  message: |
+    Spring ClassPathResource constructed with user input — path traversal into classpath resources.
+    Attacker can read application.properties or other sensitive classpath files.
+    Fix: validate path against whitelist; use ResourcePatternResolver with allowed prefix.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new ClassPathResource($REQ.getParameter(...))
+    - pattern: |
+        new ClassPathResource($STR + $REQ.getParameter(...))
+    - pattern: |
+        new ClassPathResource($REQ.getParameter(...)).getInputStream()
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+    severity: MEDIUM
+    precision: high
+    category: path-traversal
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A01:2021 - Broken Access Control"
+
+# ZM-JAVA-PATH-SPRING-002: FileSystemResource with user-controlled path
+- id: zm-java-path-spring-002
+  severity: HIGH
+  message: |
+    Spring FileSystemResource constructed with user input — arbitrary file read/write on filesystem.
+    Attacker can traverse to read /etc/passwd or application config files.
+    Fix: normalize path and verify it stays within allowed directory root.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new FileSystemResource($REQ.getParameter(...))
+    - pattern: |
+        new FileSystemResource($DIR + $REQ.getParameter(...))
+    - pattern: |
+        new FileSystemResource($REQ.getParameter(...)).getFile()
+    - pattern: |
+        new FileSystemResource($REQ.getParameter(...)).getInputStream()
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+    severity: HIGH
+    precision: high
+    category: path-traversal
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+
+# ZM-JAVA-PATH-SPRING-003: ServletContext.getRealPath() with user input
+- id: zm-java-path-spring-003
+  severity: HIGH
+  message: |
+    ServletContext.getRealPath() with user-controlled virtual path — discloses server filesystem layout.
+    Attackers can map internal file structure; combined with file write leads to RCE.
+    Fix: never pass user input to getRealPath(); use fixed virtual paths or config-based resource mapping.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $CTX.getRealPath($REQ.getParameter(...))
+    - pattern: |
+        $CTX.getRealPath($STR + $REQ.getParameter(...))
+    - pattern: |
+        $REQ.getServletContext().getRealPath($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+    severity: HIGH
+    precision: high
+    category: path-traversal
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"

package/rules/unified/cwe-22/zm-java-file-cwe22-001.yaml

@@ -0,0 +1,74 @@
+# Source: common | Cluster: N/A
+# CWE-22: 文件操作 — ZipSlip深入与符号链接攻击
+# ZhuMa V4.1 — 归档文件路径穿越 + 符号链接TOCTOU
+# 覆盖: TAR归档Slip / 符号链接检查 / Java NIO LinkOption
+
+rules:
+
+# ZM-JAVA-ZIPSLIP-TAR-001: TarArchiveEntry 路径穿越
+- id: zm-java-zipslip-tar-001
+  severity: CRITICAL
+  message: |
+    TarArchiveEntry.getName() 直接用于文件解压路径 — TarSlip路径穿越可覆盖任意系统文件。
+    攻击者构造包含 ../../../etc/crontab 路径的恶意TAR文件，写入cron job获取持久化Shell。
+    CVE-2023-32697: Apache Commons Compress TarArchiveInputStream路径穿越。
+    修复: 1) canonicalize目标路径后使用 startsWith(outputDir) 验证 2) 拒绝绝对路径
+    3) 使用 Apache Commons Compress >=1.23.0 内置验证
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new File($OUTDIR, $ENTRY.getName())
+    - pattern: |
+        $ENTRY = $TIS.getNextTarEntry()
+    - pattern: |
+        new FileOutputStream(new File($DEST, $ENTRY.getName()))
+    - pattern: |
+        $TAR_ENTRY.getName()
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+    severity: CRITICAL
+    precision: high
+    category: path-traversal
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-32697"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2018-1000180"
+      - "https://snyk.io/research/zip-slip-vulnerability"
+
+# ZM-JAVA-SYMLINK-001: 文件操作未处理符号链接
+- id: zm-java-symlink-001
+  severity: HIGH
+  message: |
+    文件操作(创建/读取/删除)未使用LinkOption.NOFOLLOW_LINKS — 符号链接TOCTOU攻击。
+    攻击者可创建符号链接指向敏感文件，绕过路径白名单验证。如: /tmp/safelink → /etc/shadow。
+    CVE-2023-20863: Spring Framework symlink TOCTOU; CVE-2024-21634: symlink race条件。
+    修复: 1) Files.exists(p, LinkOption.NOFOLLOW_LINKS) 先检查 2) Files.isSymbolicLink() 判断
+    3) 所有文件API使用 LinkOption.NOFOLLOW_LINKS 选项
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        Files.createFile($PATH)
+    - pattern: |
+        Files.createDirectory($PATH)
+    - pattern: |
+        Files.copy($SRC, $DST, StandardCopyOption.REPLACE_EXISTING)
+    - pattern: |
+        $PATH.toFile().exists()
+    - pattern: |
+        $PATH.toFile().createNewFile()
+  metadata:
+    cwe: "CWE-61: UNIX Symbolic Link (Symlink) Following"
+    severity: HIGH
+    precision: medium
+    category: path-traversal
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-20863"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-21634"
+      - "https://cwe.mitre.org/data/definitions/61.html"

package/rules/unified/cwe-22/zm-js-cwe22-express-path-traversal.yaml

@@ -0,0 +1,26 @@
+# Source: common | Cluster: N/A
+# CWE-22: Express res.sendFile/res.download 路径穿越
+# 逐码 ZhuMa V4.3 — JS/TS Express 规则库
+
+rules:
+
+- id: zm-js-express-path-001
+  severity: ERROR
+  message: >
+    Express res.sendFile() 或 res.download() 使用 req.query/req.params 用户输入
+    作为文件路径，存在路径穿越漏洞，攻击者可读取任意系统文件。
+    修复: 使用 path.resolve() 限制基础目录，校验路径不包含 ../。
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: res.sendFile($REQ.query.$FIELD)
+    - pattern: res.sendFile($REQ.params.$FIELD)
+    - pattern: res.download($REQ.query.$FIELD)
+    - pattern: res.download($REQ.params.$FIELD)
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+    owasp: "A01:2021 - Broken Access Control"
+    category: security
+    precision: high
+    confidence: high

package/rules/unified/cwe-22/zm-js-cwe22-fs-path-traversal.yaml

@@ -0,0 +1,28 @@
+# Source: common | Cluster: N/A
+# CWE-22: fs.writeFile/writeFileSync 路径穿越
+# 逐码 ZhuMa V4.3 — JS/TS 通用规则库
+
+rules:
+
+- id: zm-js-fs-path-001
+  severity: ERROR
+  message: >
+    fs.writeFile() 或 fs.writeFileSync() 使用 req.query/req.params/req.body
+    用户输入作为文件路径，存在路径穿越漏洞，攻击者可覆盖任意系统文件。
+    修复: 使用 path.resolve() 限制基础目录，验证路径不包含 ../ 等穿越字符。
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $FS.writeFile($REQ.query.$FIELD, ...)
+    - pattern: $FS.writeFile($REQ.params.$FIELD, ...)
+    - pattern: $FS.writeFile($REQ.body.$FIELD, ...)
+    - pattern: $FS.writeFileSync($REQ.query.$FIELD, ...)
+    - pattern: $FS.writeFileSync($REQ.params.$FIELD, ...)
+    - pattern: $FS.writeFileSync($REQ.body.$FIELD, ...)
+  metadata:
+    cwe: "CWE-22: Path Traversal"
+    owasp: "A01:2021 - Broken Access Control"
+    category: security
+    precision: high
+    confidence: high