npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/unified/cwe-416/zm-rust-cwe416-unsafe.yaml ADDED Viewed

@@ -0,0 +1,150 @@
+# Source: common | Cluster: N/A
+# CWE-416: Rust Unsafe 代码块使用检测
+# 逐码 ZhuMa V4.3 — Rust 通用规则库
+# 检测: unsafe 块、裸指针操作、transmute、MaybeUninit 误用
+rules:
+# ZM-RUST-UNSAFE-001: unsafe 代码块存在
+- id: zm-rust-cwe416-unsafe-001
+  severity: WARNING
+  message: |
+    检测到 unsafe 代码块。unsafe 块允许执行裸指针解引用、
+    调用 unsafe 函数、访问/修改可变静态变量、实现 unsafe trait。
+    不当使用可导致 Use-After-Free、缓冲区溢出、数据竞争等内存安全漏洞。
+    修复方案:
+    1. 最小化 unsafe 代码范围，仅包裹必要的 unsafe 操作
+    2. 在 unsafe 块周围添加 SAFETY 注释说明安全性前提:
+       // SAFETY: This is safe because ...
+    3. 优先使用 safe 抽象（如 vec、Box、Cell）
+    4. 使用 Miri 工具检测 UB:
+       cargo +nightly miri test
+  languages:
+    - rust
+  pattern: |
+    unsafe {
+      ...
+    }
+  metadata:
+    cwe: "CWE-416: Use After Free"
+    severity: WARNING
+    precision: low
+    category: unsafe-rust
+    likelihood: LOW
+    impact: CRITICAL
+    owasp: "A04:2021 - Insecure Design"
+    references:
+      - "https://doc.rust-lang.org/nomicon/"
+      - "https://rust-lang.github.io/unsafe-code-guidelines/"
+# ZM-RUST-UNSAFE-002: unsafe fn 定义
+- id: zm-rust-cwe416-unsafe-002
+  severity: WARNING
+  message: |
+    检测到 unsafe 函数定义。unsafe fn 表示函数具有必须由调用者
+    维护的安全契约，不正确使用可能导致未定义行为 (UB)。
+    修复方案:
+    1. 在函数文档中明确写出安全性前提条件:
+       /// # Safety
+       /// The caller must ensure that `ptr` is valid for reads of `len` bytes.
+    2. 评估是否可以用 safe 抽象替代
+    3. 使用 `#![deny(unsafe_op_in_unsafe_fn)]` 要求 unsafe fn 中的 unsafe 操作需显式标注
+  languages:
+    - rust
+  pattern: |
+    unsafe fn $FUNC(...) ...
+  metadata:
+    cwe: "CWE-416: Use After Free"
+    severity: WARNING
+    precision: very-low
+    category: unsafe-rust
+    likelihood: LOW
+    impact: CRITICAL
+    owasp: "A04:2021 - Insecure Design"
+# ZM-RUST-UNSAFE-003: std::mem::transmute 使用
+- id: zm-rust-cwe416-unsafe-003
+  severity: ERROR
+  message: |
+    检测到 std::mem::transmute 调用。transmute 是极度危险的类型转换，
+    绕过 Rust 所有类型安全检查，可导致未定义行为（UB）。
+    修复方案:
+    1. 使用 safe 的转换方法: .into(), .try_into(), From/Into trait
+    2. 字节重解释: 使用 bytemuck crate 的 safe 转换
+    3. 指针转换: 使用 .cast() 替代 transmute
+    4. 仅当所有 safe 替代方案都不可行时才使用 transmute，并加充分注释
+  languages:
+    - rust
+  pattern-either:
+    - pattern: std::mem::transmute($X)
+    - pattern: transmute($X)
+    - pattern: mem::transmute($X)
+  metadata:
+    cwe: "CWE-416: Use After Free"
+    severity: ERROR
+    precision: high
+    category: unsafe-rust
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A04:2021 - Insecure Design"
+# ZM-RUST-UNSAFE-004: 裸指针解引用 (*ptr)
+- id: zm-rust-cwe416-unsafe-004
+  severity: ERROR
+  message: |
+    检测到裸指针（*const T / *mut T）解引用操作。裸指针解引用
+    必须在 unsafe 块中进行，且需要调用者保证指针有效，否则导致 UB。
+    修复方案:
+    1. 优先使用引用 &T / &mut T
+    2. 使用 NonNull<T> 替代裸指针
+    3. 如需原始指针，使用严格的生命周期和 SAFETY 注释说明前提
+    4. 运行 Miri 检测悬垂指针
+  languages:
+    - rust
+  pattern-either:
+    - pattern: |
+        unsafe { ... *$PTR ... }
+    - pattern: |
+        unsafe { ... *$PTR.add(...) ... }
+    - pattern: |
+        unsafe { ... *$PTR.offset(...) ... }
+  metadata:
+    cwe: "CWE-416: Use After Free"
+    severity: ERROR
+    precision: medium
+    category: unsafe-rust
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A04:2021 - Insecure Design"
+# ZM-RUST-UNSAFE-005: MaybeUninit::assume_init() 误用风险
+- id: zm-rust-cwe416-unsafe-005
+  severity: ERROR
+  message: |
+    检测到 MaybeUninit::assume_init() 调用。assume_init() 在未初始化的
+    内存上调用会导致 UB。必须确保在调用前已正确初始化。
+    修复方案:
+    1. 确认 assume_init() 前已写入完整数据
+    2. 使用 MaybeUninit::write() 初始化
+    3. 考虑使用 safe 的替代方案（如 vec![0; N]）
+    4. 添加 SAFETY 文档注释说明初始化状态
+  languages:
+    - rust
+  pattern-either:
+    - pattern: $VAR.assume_init()
+    - pattern: MaybeUninit::assume_init(...)
+  metadata:
+    cwe: "CWE-416: Use After Free"
+    severity: ERROR
+    precision: medium
+    category: unsafe-rust
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A04:2021 - Insecure Design"
+    references:
+      - "https://doc.rust-lang.org/std/mem/union.MaybeUninit.html"

package/rules/unified/cwe-434/cwe-434-unrestricted-file-upload.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+# Source: common | Cluster: N/A
+# CWE-434: 不受限文件上传检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+rules:
+# ZM-JAVA-FU-001: MultipartFile 接收但未校验扩展名
+- id: zm-java-fu-001
+  severity: HIGH
+  message: |
+    检测到 MultipartFile 接收文件上传但未进行扩展名白名单校验。
+    攻击者可上传 JSP/EXE 等可执行文件获取服务器控制权。
+    必须校验文件扩展名 (白名单)、Content-Type、Magic Number。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $FILE.transferTo(new File($PATH));
+    - pattern: |
+        $FILE.transferTo($PATH);
+  metadata:
+    cwe: "CWE-434: Unrestricted Upload of File with Dangerous Type"
+    owasp: "A03:2021 - Injection"
+    precision: medium
+# ZM-JAVA-FU-002: FileOutputStream 直接写入上传数据
+- id: zm-java-fu-002
+  severity: MEDIUM
+  message: |
+    检测到文件上传直接使用用户提供的文件名写入磁盘。
+    应生成随机文件名存储，使用 UUID 或 hash 值命名。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        FileOutputStream $FOS = new FileOutputStream($FILENAME);
+        ...
+        $FOS.write($DATA);
+  metadata:
+    cwe: "CWE-434: Unrestricted Upload of File with Dangerous Type"
+    owasp: "A03:2021 - Injection"
+    precision: low

package/rules/unified/cwe-434/zm-php-cwe434-file-upload.yaml ADDED Viewed

@@ -0,0 +1,99 @@
+# Source: common | Cluster: N/A
+# CWE-434: PHP 无限制文件上传检测
+# 逐码 ZhuMa V4.3 — PHP 通用规则库
+# 检测: move_uploaded_file 缺乏类型/扩展名/大小校验
+rules:
+# ZM-PHP-UPLOAD-001: move_uploaded_file() 仅使用 $_FILES 原始文件名
+- id: zm-php-cwe434-file-upload-001
+  severity: ERROR
+  message: |
+    检测到 move_uploaded_file() 使用了 $_FILES['...']['name'] 作为目标文件名。
+    攻击者可以上传恶意文件（如 .php, .phtml, .htaccess）并在服务器上执行，
+    实现任意代码执行或网站篡改。
+    修复方案:
+    1. 使用白名单扩展名: $allowed = ['jpg','png','pdf'];
+       $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
+       if (!in_array($ext, $allowed)) die('Invalid');
+    2. 使用随机文件名: $target = uniqid() . '.' . $ext;
+    3. 检查 MIME 类型: $finfo = finfo_open(FILEINFO_MIME_TYPE);
+       $mime = finfo_file($finfo, $_FILES['file']['tmp_name']);
+    4. 限制文件大小: if ($_FILES['file']['size'] > 2*1024*1024) die('Too large');
+    5. 上传目录设置不可执行权限，禁止直接访问 .php 文件
+    6. 将上传目录移出 web 根目录，或使用 .htaccess 禁止执行
+  languages:
+    - php
+  pattern-either:
+    - pattern: move_uploaded_file($_FILES[$X]["tmp_name"], $DIR . $_FILES[$X]["name"])
+    - pattern: move_uploaded_file($_FILES[$X]["tmp_name"], "..." . $_FILES[$X]["name"])
+    - pattern: move_uploaded_file($_FILES[$X]["tmp_name"], $_FILES[$X]["name"])
+  metadata:
+    cwe: "CWE-434: Unrestricted Upload of File with Dangerous Type"
+    severity: ERROR
+    precision: high
+    category: file-upload
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload"
+      - "https://www.php.net/manual/en/features.file-upload.php"
+# ZM-PHP-UPLOAD-002: move_uploaded_file 目标路径来自用户输入
+- id: zm-php-cwe434-file-upload-002
+  severity: ERROR
+  message: |
+    检测到 move_uploaded_file() 的目标路径中 $_GET/$_POST 用户输入参与构造。
+    攻击者可操控上传路径或写入任意文件。
+    修复方案:
+    1. 上传路径由服务端固定，不接受用户输入
+    2. 使用 basename() 去除路径穿越字符
+    3. 使用 realpath() 验证最终路径在允许范围内
+  languages:
+    - php
+  pattern-either:
+    - pattern: move_uploaded_file($SRC, $_GET[$X])
+    - pattern: move_uploaded_file($SRC, $_POST[$X])
+    - pattern: move_uploaded_file($SRC, $DIR . $_GET[$X])
+    - pattern: move_uploaded_file($SRC, $DIR . $_POST[$X])
+  metadata:
+    cwe: "CWE-434: Unrestricted Upload of File with Dangerous Type"
+    severity: ERROR
+    precision: high
+    category: file-upload
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+# ZM-PHP-UPLOAD-003: Laravel $request->file() 直接存储
+- id: zm-php-cwe434-file-upload-003
+  severity: ERROR
+  message: |
+    检测到 Laravel 中使用 $request->file()->store() 或 ->move()
+    但未对上传文件类型进行校验。Laravel 的 store() 默认保留原始扩展名。
+    修复方案:
+    1. 使用 Laravel 验证规则限制文件类型:
+       $request->validate(['file' => 'required|file|mimes:jpg,png,pdf|max:2048']);
+    2. 使用 storeAs() 指定安全文件名
+    3. 文件系统驱动使用 local 时确保上传目录在 public 之外
+  languages:
+    - php
+  pattern-either:
+    - pattern: $request->file(...)->store(...)
+    - pattern: $request->file(...)->storeAs(...)
+    - pattern: $request->file(...)->move(...)
+    - pattern: $request->file(...)->storePublicly(...)
+  metadata:
+    cwe: "CWE-434: Unrestricted Upload of File with Dangerous Type"
+    severity: ERROR
+    precision: medium
+    category: file-upload
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://laravel.com/docs/filesystem#file-uploads"

package/rules/unified/cwe-434/zm-py-cwe434-django-fileupload.yaml ADDED Viewed

@@ -0,0 +1,100 @@
+# Source: common | Cluster: N/A
+# CWE-434: Django FileField无类型限制 / Model save()无验证
+# 逐码 ZhuMa V4.3 — Python 框架特化规则库
+# 检测: FileField未指定扩展名白名单、Model save()无数据验证
+rules:
+# ZM-PY-DJANGO-FILEUPLOAD-001: FileField无文件类型限制
+- id: zm-py-django-fileupload-001
+  severity: WARNING
+  message: |
+    检测到 Django FileField 未使用 FileExtensionValidator 限制文件类型。
+    攻击者可上传恶意文件(webshell、可执行文件、病毒)到服务器。
+    修复方案:
+    1. 添加FileExtensionValidator: FileField(
+         upload_to='uploads/',
+         validators=[FileExtensionValidator(allowed_extensions=['pdf', 'jpg', 'png'])]
+       )
+    2. 存储到非Web可访问目录，通过视图函数提供下载
+    3. 对上传文件做病毒扫描(ClamAV)
+    4. 限制上传文件大小(MAX_UPLOAD_SIZE)
+  languages:
+    - python
+  pattern-either:
+    - pattern: models.FileField(...)
+    - pattern: django.db.models.FileField(...)
+    - pattern: models.ImageField(...)
+    - pattern: django.db.models.ImageField(...)
+  metadata:
+    cwe: "CWE-434: Unrestricted Upload of File with Dangerous Type"
+    severity: WARNING
+    precision: medium
+    category: file-upload
+    framework: django
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://docs.djangoproject.com/en/stable/ref/validators/#fileextensionvalidator"
+# ZM-PY-DJANGO-FILEUPLOAD-002: ModelForm无文件类型限制
+- id: zm-py-django-fileupload-002
+  severity: WARNING
+  message: |
+    检测到 Django ModelForm 包含文件字段但未在form层添加文件类型验证。
+    虽然Model层有FileExtensionValidator可保证安全，但Form层提前验证更好。
+    修复方案:
+    1. 在Form的clean方法中验证文件扩展名和MIME类型
+    2. 使用django.forms.FileField(validators=[...])限制类型
+    3. 不要仅依赖前端验证，服务端必须强制校验
+  languages:
+    - python
+  pattern-either:
+    - pattern: 'forms.FileField(...)'
+    - pattern: 'django.forms.FileField(...)'
+  metadata:
+    cwe: "CWE-434: Unrestricted Upload of File with Dangerous Type"
+    severity: WARNING
+    precision: medium
+    category: file-upload
+    framework: django
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+# ZM-PY-DJANGO-MODEL-001: Model save()无数据验证
+- id: zm-py-django-model-save-001
+  severity: WARNING
+  message: |
+    检测到 Django Model 的 save() 方法被重写但未调用 full_clean() 或
+    进行数据验证。未验证的数据可能导致存储不合法数据，如XSS payload、
+    超长字符串DoS等。
+    修复方案:
+    1. 在save()中调用self.full_clean()触发模型验证: def save(self, *args, **kwargs): self.full_clean(); super().save(*args, **kwargs)
+    2. 在Model中定义clean()方法添加自定义验证逻辑
+    3. 对用户输入做strip()和长度限制
+    4. 使用validators参数在字段级别添加约束
+  languages:
+    - python
+  pattern: |
+    def save(self, $ARGS):
+      ...
+      return super().save(...)
+  paths:
+    include:
+      - "*/models.py"
+  metadata:
+    cwe: "CWE-434: Unrestricted Upload of File with Dangerous Type"
+    severity: WARNING
+    precision: medium
+    category: data-validation
+    framework: django
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://docs.djangoproject.com/en/stable/ref/models/instances/#validating-objects"

package/rules/unified/cwe-434/zm-taint-434-434-java-130.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+# Source: taint | Cluster: CL-434-JAVA-130
+# Taint-upgraded rule: zhuma-nvd-434-434-java-130
+# Original CWE: CWE-434 | Language: java
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-434-434-java-130
+  mode: taint
+  metadata:
+    category: CWE-434
+    cwe: "CWE-434"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-434-434-java-130
+  message: |
+    检测到文件上传风险。用户上传文件缺乏足够的安全校验。
+  severity: WARNING
+  languages:
+    - java
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: $MULTIPART
+      - pattern: $X
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: $FILE.transferTo(...)
+      - pattern: Files.copy(...)
+      - pattern: $SINK.write(...)
+  pattern-sanitizers:
+  - patterns:
+    - pattern-either:
+      - pattern: Files.probeContentType

package/rules/unified/cwe-434/zm-taint-434-434-java-131.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+# Source: taint | Cluster: CL-434-JAVA-131
+# Taint-upgraded rule: zhuma-nvd-434-434-java-131
+# Original CWE: CWE-434 | Language: java
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-434-434-java-131
+  mode: taint
+  metadata:
+    category: CWE-434
+    cwe: "CWE-434"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-434-434-java-131
+  message: |
+    检测到文件上传风险。用户上传文件缺乏足够的安全校验。
+  severity: WARNING
+  languages:
+    - java
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: $MULTIPART
+      - pattern: $X
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: $FILE.transferTo(...)
+      - pattern: Files.copy(...)
+      - pattern: $SINK.write(...)
+  pattern-sanitizers:
+  - patterns:
+    - pattern-either:
+      - pattern: Files.probeContentType

package/rules/unified/cwe-434/zm-taint-434-434-javascript-139.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+# Source: taint | Cluster: CL-434-JAVASCRIPT-139
+# Taint-upgraded rule: zhuma-nvd-434-434-javascript-139
+# Original CWE: CWE-434 | Language: javascript
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-434-434-javascript-139
+  mode: taint
+  metadata:
+    category: CWE-434
+    cwe: "CWE-434"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-434-434-javascript-139
+  message: |
+    检测到文件上传风险。用户上传文件缺乏足够的安全校验。
+  severity: WARNING
+  languages:
+    - javascript
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: req.file
+      - pattern: req.files
+      - pattern: multer
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: multer(...)
+      - pattern: mv(...)
+  pattern-sanitizers:
+  - patterns:
+    - pattern-either:
+      - pattern: file-type
+      - pattern: mime-types

package/rules/unified/cwe-434/zm-taint-434-434-python-136.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+# Source: taint | Cluster: CL-434-PYTHON-136
+# Taint-upgraded rule: zhuma-nvd-434-434-python-136
+# Original CWE: CWE-434 | Language: python
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-434-434-python-136
+  mode: taint
+  metadata:
+    category: CWE-434
+    cwe: "CWE-434"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-434-434-python-136
+  message: |
+    检测到文件上传风险。用户上传文件缺乏足够的安全校验。
+  severity: WARNING
+  languages:
+    - python
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: request.files[...]
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: $FILE.save(...)
+      - pattern: shutil.copy(...)
+  pattern-sanitizers:
+  - patterns:
+    - pattern-either:
+      - pattern: mimetypes.guess_type

package/rules/unified/cwe-470/zm-java-cwe470-reflection.yaml ADDED Viewed

@@ -0,0 +1,79 @@
+# Source: common | Cluster: N/A
+# CWE-470: 反射调用 (Class.forName/Method.invoke 含用户输入)
+# 逐码 ZhuMa V4.3 — 反射安全专项
+rules:
+# ZM-JAVA-CWE470-REFLECT-001: Class.forName 用户输入
+- id: zm-java-cwe470-reflect-001
+  severity: CRITICAL
+  message: |
+    Class.forName() 类名由 HTTP 请求参数控制，攻击者可加载任意类并触发其静态初始化块，
+    可能导致代码执行或 JNDI 注入。
+    修复: 1. 使用类名白名单 2. 禁止使用用户输入作为类名
+    3. 如需动态加载，使用 ClassLoader 白名单限制。
+  languages:
+    - java
+  pattern-either:
+    - pattern: Class.forName($REQ.getParameter(...))
+    - pattern: Class.forName($REQ.getParameter(...), true, $CL)
+    - pattern: Class.forName($REQ.getHeader(...))
+  metadata:
+    cwe: "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"
+    severity: CRITICAL
+    precision: very-high
+    category: code-injection
+    owasp: "A03:2021 - Injection"
+    likelihood: HIGH
+    impact: CRITICAL
+    tags: [reflection, rce]
+# ZM-JAVA-CWE470-REFLECT-002: Method.invoke 用户输入方法名/参数
+- id: zm-java-cwe470-reflect-002
+  severity: CRITICAL
+  message: |
+    java.lang.reflect.Method.invoke() 方法名从 HTTP 请求获取，攻击者可调用任意方法。
+    结合 Class.forName 可执行任意代码（如 Runtime.getRuntime().exec()）。
+    修复: 1. 方法名白名单 2. 参数类型校验 3. 使用 SecurityManager 限制反射权限
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $CLS.getMethod($REQ.getParameter(...), $PTYPES).invoke($OBJ, $ARGS)
+    - pattern: |
+        $CLS.getDeclaredMethod($REQ.getParameter(...), $PTYPES).invoke($OBJ, $ARGS)
+    - pattern: |
+        $METHOD = $CLS.getMethod($REQ.getParameter(...));
+        ...
+        $METHOD.invoke($OBJ);
+  metadata:
+    cwe: "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"
+    severity: CRITICAL
+    precision: very-high
+    category: code-injection
+    owasp: "A03:2021 - Injection"
+    likelihood: HIGH
+    impact: CRITICAL
+    tags: [reflection, rce]
+# ZM-JAVA-CWE470-REFLECT-003: newInstance 用户输入类名
+- id: zm-java-cwe470-reflect-003
+  severity: CRITICAL
+  message: |
+    Class.forName().newInstance() 类名由用户控制，攻击者可实例化任意类。
+    结合 gadget chain（如 Apache Commons Collections）可能实现 RCE。
+    修复: 使用类名白名单，禁止用户控制要实例化的类名。
+  languages:
+    - java
+  pattern-either:
+    - pattern: Class.forName($REQ.getParameter(...)).newInstance()
+    - pattern: $CLS.getDeclaredConstructor().newInstance()
+  metadata:
+    cwe: "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"
+    severity: CRITICAL
+    precision: high
+    category: code-injection
+    owasp: "A03:2021 - Injection"
+    likelihood: HIGH
+    impact: CRITICAL
+    tags: [reflection, rce]