npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/unified/cwe-287/zm-java-oauth-cwe287-001.yaml ADDED Viewed

@@ -0,0 +1,137 @@
+# Source: common | Cluster: N/A
+# CWE-287/352/862: OAuth2.0/OpenID Connect安全 — 授权流程缺陷检测
+# ZhuMa V4.1 — OAuth2.0深度安全规则
+# 覆盖: state CSRF / redirect_uri验证绕过 / implicit flow / PKCE缺失
+rules:
+# ZM-JAVA-OAUTH-STATE-001: OAuth2.0 state参数缺失或固定
+- id: zm-java-oauth-state-001
+  severity: ERROR
+  message: |
+    OAuth2.0 授权请求中 state 参数为固定值、null或直接使用请求参数 — CSRF攻击。
+    攻击者可绑定受害者自己的OAuth账号到攻击者身份，实施账号劫持(authorization code interception)。
+    CVE-2020-25690: 多款Spring OAuth2实现state参数可预测。
+    修复: 使用SecureRandom生成每次请求唯一的state值，存储在session中，回调时验证一致性。
+  languages:
+    - java
+  pattern-either:
+    - patterns:
+      - pattern-inside: |
+          $B = UriComponentsBuilder.fromHttpUrl(...);
+          ...
+      - pattern: |
+          $B.queryParam("state", "$STATIC")
+    - pattern: |
+        $BUILDER.queryParam("state", $REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
+    severity: ERROR
+    precision: medium
+    category: oauth-security
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-25690"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-46748"
+      - "https://datatracker.ietf.org/doc/html/rfc6749#section-10.12"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/OAuth2_Cheat_Sheet.html"
+# ZM-JAVA-OAUTH-REDIRECT-001: OAuth2.0 redirect_uri未校验
+- id: zm-java-oauth-redirect-001
+  severity: CRITICAL
+  message: |
+    OAuth2.0 回调时redirect_uri未与注册的URI精确比对 — Open Redirect导致授权码泄露。
+    攻击者可构造 redirect_uri=https://evil.com/callback 诱导受害者授权，获取authorization code。
+    修复: 1) 服务端注册redirect_uri白名单 2) 回调时严格精确匹配（包括scheme/host/path）3) 禁止通配符匹配
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $TOKEN_REQUEST.setRedirectUri($REQ.getParameter("redirect_uri"))
+    - pattern: |
+        $BUILDER.redirectUri($REQ.getParameter(...))
+    - pattern: |
+        $GRANT.setRedirectUri($VAR)
+    - pattern: |
+        new AuthorizationCodeTokenRequest(...).redirectUri($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
+    severity: CRITICAL
+    precision: high
+    category: oauth-security
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-46748"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-25690"
+      - "https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.1.7"
+# ZM-JAVA-OAUTH-IMPLICIT-001: OAuth2.0 implicit grant使用
+- id: zm-java-oauth-implicit-001
+  severity: WARNING
+  message: |
+    检测到 OAuth2.0 implicit grant流程 — access_token在URL fragment中泄露风险。
+    Implicit flow将token直接暴露在浏览器地址栏，易被referer泄露、JS读取、历史记录缓存。
+    OAuth2.1已废弃implicit grant，推荐迁移到 Authorization Code + PKCE 流程。
+    修复: 使用 authorization_code grant_type 并配合 PKCE (Proof Key for Code Exchange)。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $GRANT.setGrantType("implicit")
+    - pattern: |
+        $PARAMS.add("response_type", "token")
+    - pattern: |
+        $PARAMS.put("response_type", "token")
+    - pattern: |
+        $BUILDER.queryParam("response_type", "token")
+  metadata:
+    cwe: "CWE-287: Improper Authentication"
+    severity: WARNING
+    precision: high
+    category: oauth-security
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-25690"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-22258"
+      - "https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.2"
+# ZM-JAVA-OAUTH-PKCE-001: Authorization Code Grant缺少PKCE
+- id: zm-java-oauth-pkce-001
+  severity: HIGH
+  message: |
+    OAuth2.0 authorization_code流程中未使用PKCE (Proof Key for Code Exchange) — 授权码注入/截获风险。
+    特别是移动应用和SPA，缺少PKCE时恶意应用可拦截redirect_uri中的code并交换token。
+    CVE-2023-46748: 多款OAuth客户端实现缺少PKCE验证导致账号接管。
+    OAuth2.1要求authorization_code grant必须使用PKCE。
+    修复: 1) 设置 code_challenge (S256) 2) 服务端验证 code_verifier 3) 使用Spring Security OAuth2的PKCE扩展
+  languages:
+    - java
+  patterns:
+    - pattern-inside: |
+        $GRANT.setGrantType("authorization_code");
+        ...
+    - pattern: |
+        $CLIENT.getAccessToken(...)
+    - pattern-not: |
+        $B.codeChallenge($CHALLENGE)
+    - pattern-not: |
+        $V.setCodeChallenge(...)
+  metadata:
+    cwe: "CWE-287: Improper Authentication"
+    severity: HIGH
+    precision: medium
+    category: oauth-security
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-46748"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-22258"
+      - "https://datatracker.ietf.org/doc/html/rfc7636"
+      - "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11"

package/rules/unified/cwe-287/zm-js-cwe287-jwt-no-algorithms.yaml ADDED Viewed

@@ -0,0 +1,26 @@
+# Source: common | Cluster: N/A
+# CWE-287: jwt.verify 无 algorithms 选项
+# 逐码 ZhuMa V4.3 — JS/TS 通用规则库
+rules:
+- id: zm-js-jwt-alg-001
+  severity: ERROR
+  message: >
+    jsonwebtoken jwt.verify() 调用未指定 algorithms 选项，
+    攻击者可通过设置 alg: 'none' 绕过签名验证(CVE-2015-9235)。
+    修复: 显式指定 algorithms: ['HS256'] 或 ['RS256'] 白名单。
+  languages:
+    - javascript
+    - typescript
+  pattern: |
+    jwt.verify($TOKEN, $SECRET)
+  metadata:
+    cwe: "CWE-287: Improper Authentication"
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    category: security
+    precision: medium
+    confidence: medium
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2015-9235"
+      - "https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/"

package/rules/unified/cwe-287/zm-taint-287-287-go-188.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+# Source: taint | Cluster: CL-287-GO-188
+# Taint-upgraded rule: zhuma-nvd-287-287-go-188
+# Original CWE: CWE-287 | Language: go
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-287-287-go-188
+  mode: taint
+  metadata:
+    category: CWE-287
+    cwe: "CWE-287"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-287-287-go-188
+  message: |
+    检测到认证绕过风险。身份验证逻辑存在缺陷。
+  severity: WARNING
+  languages:
+    - go
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: r.URL.Query().Get(...)
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: jwt.SigningMethodHS256

package/rules/unified/cwe-287/zm-taint-287-287-javascript-184.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+# Source: taint | Cluster: CL-287-JAVASCRIPT-184
+# Taint-upgraded rule: zhuma-nvd-287-287-javascript-184
+# Original CWE: CWE-287 | Language: javascript
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-287-287-javascript-184
+  mode: taint
+  metadata:
+    category: CWE-287
+    cwe: "CWE-287"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-287-287-javascript-184
+  message: |
+    检测到认证绕过风险。身份验证逻辑存在缺陷。
+  severity: WARNING
+  languages:
+    - javascript
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: req.query.$X
+      - pattern: req.body.$X
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: jwt.sign(...)

package/rules/unified/cwe-295/cwe-295-ssl-bypass.yaml ADDED Viewed

@@ -0,0 +1,218 @@
+# Source: common | Cluster: N/A
+# CWE-295: SSL/TLS 证书验证绕过
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+#
+# 禁用或绕过 SSL/TLS 证书验证使应用完全暴露于中间人攻击（MITM）。
+# 攻击者可拦截并篡改所有传输的数据——包括凭证、会话令牌和加密密钥。
+# 任何时候都不应在生产代码中绕过证书验证。
+rules:
+# ZM-JAVA-SSLVERIFY-001: 全信任 TrustManager（空校验）
+- id: zm-java-sslverify-001
+  severity: CRITICAL
+  message: |
+    检测到 X509TrustManager 实现但 checkServerTrusted / checkClientTrusted 方法体为空。
+    这相当于完全信任任何证书，攻击者可通过 MITM 攻击拦截所有 TLS 流量。
+    移除此自定义 TrustManager，使用系统默认证书链验证。
+    修复示例：
+      // 删除自定义空 TrustManager
+      // 使用默认 TrustManagerFactory:
+      TrustManagerFactory tmf = TrustManagerFactory.getInstance(
+          TrustManagerFactory.getDefaultAlgorithm());
+      tmf.init((KeyStore) null);
+      SSLContext ctx = SSLContext.getInstance("TLS");
+      ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
+    参考：
+    - CWE-295: https://cwe.mitre.org/data/definitions/295.html
+    - Android Security: Network Security Configuration: https://developer.android.com/training/articles/security-config
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new X509TrustManager() {
+          ...
+          public void checkServerTrusted(...) {}
+          ...
+          public void checkClientTrusted(...) {}
+          ...
+        }
+    - pattern: |
+        new X509TrustManager() {
+          ...
+          public void checkClientTrusted(...) {}
+          ...
+          public void checkServerTrusted(...) {}
+          ...
+        }
+    - pattern: |
+        new X509TrustManager() {
+          ...
+          public void checkServerTrusted(...) { }
+          ...
+        }
+    - pattern: |
+        new X509TrustManager() {
+          ...
+          public void checkClientTrusted(...) { }
+          ...
+        }
+    - pattern: |
+        class $CLASS implements X509TrustManager {
+          ...
+          public void checkServerTrusted(...) { }
+          ...
+        }
+  metadata:
+    cwe: "CWE-295: Improper Certificate Validation"
+    owasp: "A02:2021 - Cryptographic Failures"
+    precision: very-high
+    industries: ["common"]
+    tags:
+      - crypto
+      - tls
+      - ssl
+      - certificate-validation
+      - mitm
+    references:
+      - https://cwe.mitre.org/data/definitions/295.html
+      - https://developer.android.com/training/articles/security-config
+# ZM-JAVA-SSLVERIFY-002: HostnameVerifier 全部接受
+- id: zm-java-sslverify-002
+  severity: HIGH
+  message: |
+    检测到 HostnameVerifier 实现始终返回 true，或使用 ALLOW_ALL_HOSTNAME_VERIFIER。
+    这会绕过主机名验证，使得 MITM 攻击者可以通过任意证书伪装成合法服务器。
+    生产代码不得使用此类验证器；仅在测试环境中临时使用。
+    修复示例：
+      // 删除自定义 HostnameVerifier
+      // 使用默认 hostname 验证即可：
+      HttpsURLConnection.setDefaultHostnameVerifier(
+          HttpsURLConnection.getDefaultHostnameVerifier());
+    参考：
+    - CWE-295: https://cwe.mitre.org/data/definitions/295.html
+    - Android HostnameVerifier: https://developer.android.com/reference/javax/net/ssl/HostnameVerifier
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new HostnameVerifier() {
+          ...
+          public boolean verify(...) {
+            ...
+            return true;
+          }
+          ...
+        }
+    - pattern: |
+        public boolean verify(...) {
+          ...
+          return true;
+          ...
+        }
+    - pattern: |
+        SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER
+    - pattern: |
+        $CONN.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)
+  metadata:
+    cwe: "CWE-295: Improper Certificate Validation"
+    owasp: "A02:2021 - Cryptographic Failures"
+    precision: very-high
+    industries: ["common"]
+    tags:
+      - crypto
+      - tls
+      - ssl
+      - hostname-verification
+      - mitm
+    references:
+      - https://cwe.mitre.org/data/definitions/295.html
+      - https://developer.android.com/reference/javax/net/ssl/HostnameVerifier
+# ZM-JAVA-SSLVERIFY-003: allowAllHostnames() 调用
+- id: zm-java-sslverify-003
+  severity: HIGH
+  message: |
+    检测到 Apache HttpClient 的 allowAllHostnames() 调用，绕过主机名验证。
+    这使得 MITM 攻击者可使用任意证书伪装为合法服务器。
+    删除此调用以使用默认主机名验证。
+    修复示例：
+      // 删除 .allowAllHostnames() 调用
+      // HttpClient 4.3+ 默认执行严格主机名验证
+    参考：
+    - CWE-295: https://cwe.mitre.org/data/definitions/295.html
+    - Apache HttpClient SSL Guide: https://hc.apache.org/httpcomponents-client-4.5.x/ssl-tls.html
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $BUILDER.allowAllHostnames()
+    - pattern: |
+        $B.allowAllHostnames()
+    - pattern: |
+        $HTTP.allowAllHostnames()
+  metadata:
+    cwe: "CWE-295: Improper Certificate Validation"
+    owasp: "A02:2021 - Cryptographic Failures"
+    precision: high
+    industries: ["common"]
+    tags:
+      - crypto
+      - tls
+      - ssl
+      - apache-httpclient
+      - hostname-verification
+    references:
+      - https://cwe.mitre.org/data/definitions/295.html
+      - https://hc.apache.org/httpcomponents-client-4.5.x/ssl-tls.html
+# ZM-JAVA-SSLVERIFY-004: SSLContext.init 空 TrustManager
+- id: zm-java-sslverify-004
+  severity: CRITICAL
+  message: |
+    检测到 SSLContext.init() 传入包含空 TrustManager 的数组。
+    空 TrustManager 意味着不验证服务器证书链，完全暴露于 MITM 攻击。
+    使用 TrustManagerFactory 从系统信任库加载默认 TrustManager。
+    修复示例：
+      TrustManagerFactory tmf = TrustManagerFactory.getInstance(
+          TrustManagerFactory.getDefaultAlgorithm());
+      tmf.init((KeyStore) null);
+      SSLContext ctx = SSLContext.getInstance("TLS");
+      ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
+    参考：
+    - CWE-295: https://cwe.mitre.org/data/definitions/295.html
+    - OWASP TLS Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        SSLContext.getInstance("$TLS").init($KM, new TrustManager[]{$NULL_TM}, $RANDOM)
+    - pattern: |
+        $CTX.init($KM, new TrustManager[]{$NULL_TM}, $RANDOM)
+    - pattern: |
+        $CTX.init($KM, new TrustManager[] {$NULL_TM}, $RANDOM)
+    - pattern: |
+        $CTX.init($KM, new TrustManager[]{new X509TrustManager(), ...}, $RANDOM)
+  metadata:
+    cwe: "CWE-295: Improper Certificate Validation"
+    owasp: "A02:2021 - Cryptographic Failures"
+    precision: very-high
+    industries: ["common"]
+    tags:
+      - crypto
+      - tls
+      - ssl
+      - trust-manager
+      - mitm
+    references:
+      - https://cwe.mitre.org/data/definitions/295.html
+      - https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html

package/rules/unified/cwe-295/cwe-295-ssl-verification-disabled.yaml ADDED Viewed

@@ -0,0 +1,65 @@
+# Source: common | Cluster: N/A
+# CWE-295: SSL 证书验证禁用检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+rules:
+# ZM-JAVA-SSL-001: 信任所有证书 TrustManager
+- id: zm-java-ssl-001
+  severity: HIGH
+  message: |
+    检测到 X509TrustManager 实现中信任所有证书 (checkClientTrusted/checkServerTrusted 为空)。
+    这将导致 SSL/TLS 中间人攻击 (MITM)。
+    必须正确验证证书链和主机名。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new X509TrustManager() {
+          ...
+          public void checkClientTrusted(...) {}
+          public void checkServerTrusted(...) {}
+          ...
+        };
+  metadata:
+    cwe: "CWE-295: Improper Certificate Validation"
+    owasp: "A02:2021 - Cryptographic Failures"
+    precision: very-high
+# ZM-JAVA-SSL-002: HostnameVerifier 返回 true
+- id: zm-java-ssl-002
+  severity: HIGH
+  message: |
+    检测到 HostnameVerifier 总是返回 true，绕过主机名验证。
+    应使用默认的浏览器兼容主机名验证器。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new HostnameVerifier() {
+          ...
+          public boolean verify(...) {
+            return true;
+          }
+          ...
+        };
+  metadata:
+    cwe: "CWE-295: Improper Certificate Validation"
+    owasp: "A02:2021 - Cryptographic Failures"
+    precision: very-high
+# ZM-JAVA-SSL-003: SSLContext 使用 ALLOW_ALL_HOSTNAME_VERIFIER
+- id: zm-java-ssl-003
+  severity: HIGH
+  message: |
+    检测到使用 ALLOW_ALL_HOSTNAME_VERIFIER 禁用主机名验证。
+    中间人攻击者可伪造证书劫持加密通信。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER
+  metadata:
+    cwe: "CWE-295: Improper Certificate Validation"
+    owasp: "A02:2021 - Cryptographic Failures"
+    precision: very-high

package/rules/unified/cwe-295/zm-cs-cwe295-cert-validation.yaml ADDED Viewed

@@ -0,0 +1,67 @@
+# Source: common | Cluster: N/A
+# CWE-295: C# 证书验证缺陷检测规则
+# 逐码 ZhuMa V4.3 — C# 规则库
+#
+# 检测 .NET 中绕过 SSL/TLS 证书验证的不安全配置。
+rules:
+# ZM-CS-CWE295-001: ServicePointManager 证书验证绕过
+- id: zm-cs-cwe295-cert-validation-001
+  severity: ERROR
+  message: |
+    检测到 ServicePointManager.ServerCertificateValidationCallback
+    设置为始终返回 true 的委托/匿名方法。这会完全绕过所有 SSL/TLS
+    证书验证，使应用暴露于中间人攻击 (MITM)。
+    修复方案：
+    - 删除此回调，使用系统默认证书验证
+    - 仅在开发/测试环境中使用，生产环境必须移除
+    - 如需自定义验证，实现实际的证书链检查而非 return true
+    - 使用 #if DEBUG 条件编译限制仅调试模式使用
+  languages:
+    - csharp
+  pattern-either:
+    - pattern: ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, errors) => true
+    - pattern: ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, errors) => { return true; }
+    - pattern: ServicePointManager.ServerCertificateValidationCallback = delegate { return true; }
+    - pattern: ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, errors) => true
+    - pattern: ServicePointManager.ServerCertificateValidationCallback = ...
+  metadata:
+    cwe: "CWE-295: Improper Certificate Validation"
+    owasp: "A02:2021 - Cryptographic Failures"
+    category: security
+    precision: high
+    references:
+      - "https://cwe.mitre.org/data/definitions/295.html"
+      - "https://learn.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager.servercertificatevalidationcallback"
+# ZM-CS-CWE295-002: HttpClientHandler 证书验证绕过
+- id: zm-cs-cwe295-cert-validation-002
+  severity: ERROR
+  message: |
+    检测到 HttpClientHandler.ServerCertificateCustomValidationCallback
+    设置为始终返回 true，绕过服务器证书验证。
+    这将使所有通过该 HttpClient 的 HTTPS 通信暴露于 MITM 攻击。
+    修复方案：
+    - 删除 ServerCertificateCustomValidationCallback 配置
+    - 使用默认 HttpClientHandler 行为（严格验证）
+    - 仅在测试代码中使用，通过条件编译隔离
+  languages:
+    - csharp
+  pattern-either:
+    - pattern: |
+        new HttpClientHandler {
+          ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => true
+        }
+    - pattern: $HANDLER.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => true
+    - pattern: $HANDLER.ServerCertificateCustomValidationCallback = delegate { return true; }
+    - pattern: $HANDLER.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
+  metadata:
+    cwe: "CWE-295: Improper Certificate Validation"
+    owasp: "A02:2021 - Cryptographic Failures"
+    category: security
+    precision: high
+    references:
+      - "https://cwe.mitre.org/data/definitions/295.html"

package/rules/unified/cwe-295/zm-py-aiohttp-cwe295-cwe770-01.yaml ADDED Viewed

@@ -0,0 +1,61 @@
+# Source: common | Cluster: N/A
+# CWE-918/CWE-300: asyncio/aiohttp 不安全用法检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: aiohttp 不安全会话配置 / asyncio.create_task 异常丢失 / aiohttp 无超时
+rules:
+# ZM-PY-AIOHTTP-01: aiohttp.ClientSession 禁用 SSL 验证
+- id: zm-py-aiohttp-ssl-verify-001
+  severity: ERROR
+  message: |
+    检测到 aiohttp.ClientSession 创建时设置 verify_ssl=False 禁用 SSL 证书验证。
+    禁用证书验证后中间人攻击（MITM）可截获和篡改通信内容。
+    参考: CVE-2024-30251 aiohttp 请求走私结合证书验证绕过风险。
+    修复: 移除 verify_ssl=False；生产环境必须启用 SSL 证书验证。
+  languages:
+    - python
+  pattern-either:
+    - pattern: aiohttp.ClientSession(verify_ssl=False)
+    - pattern: aiohttp.ClientSession(..., verify_ssl=False, ...)
+    - pattern: aiohttp.TCPConnector(verify_ssl=False)
+    - pattern: aiohttp.TCPConnector(..., verify_ssl=False)
+  metadata:
+    cwe: "CWE-295: Improper Certificate Validation; CWE-300: Channel Accessible by Non-Endpoint"
+    severity: ERROR
+    precision: very-high
+    category: aiohttp-security
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+    cve: "CVE-2024-30251"
+# ZM-PY-AIOHTTP-02: aiohttp 请求无超时限制
+- id: zm-py-aiohttp-timeout-001
+  severity: WARNING
+  message: |
+    检测到 aiohttp 请求未设置 timeout 超时限制。
+    攻击者可利用慢速响应导致协程无限挂起耗尽连接池，引发拒绝服务（DoS）。
+    修复: 使用 aiohttp.ClientTimeout(total=30) 设置总超时；
+    或 ClientSession.get(url, timeout=aiohttp.ClientTimeout(total=30))。
+  languages:
+    - python
+  patterns:
+    - pattern: $SESSION.get($URL)
+    - pattern: $SESSION.post($URL)
+    - pattern: $SESSION.request($METHOD, $URL)
+    - pattern: aiohttp.ClientSession().get($URL)
+    - pattern-not: $SESSION.get($URL, timeout=...)
+    - pattern-not: $SESSION.post($URL, timeout=...)
+    - pattern-not: $SESSION.request($METHOD, $URL, timeout=...)
+    - metavariable-regex:
+        metavariable: $SESSION
+        regex: ^(session|client|http_client|async_client)$
+  metadata:
+    cwe: "CWE-770: Allocation of Resources Without Limits or Throttling"
+    severity: WARNING
+    precision: medium
+    category: aiohttp-security
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A04:2021 - Insecure Design"