npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/unified/cwe-502/zm-java-cwe502-shiro.yaml ADDED Viewed

@@ -0,0 +1,109 @@
+# Source: common | Cluster: N/A
+# CWE-502: Apache Shiro RememberMe 反序列化检测
+# 逐码 ZhuMa V4.1 — 通用规则库
+# 检测: CookieRememberMeManager 且 AES 密钥硬编码 / 使用默认密钥
+rules:
+# ZM-JAVA-SHIRO-001: Shiro RememberMe 硬编码 AES 密钥
+- id: zm-java-shiro-001
+  severity: ERROR
+  message: |
+    检测到 Apache Shiro CookieRememberMeManager 使用了硬编码的 AES 加密密钥。
+    若使用已知的默认密钥（如 kPH+bIxk5D2deZiIxcaaaA==），攻击者可伪造 RememberMe Cookie
+    实现反序列化 RCE（如 CommonsBeanutils + TemplatesImpl gadget 链）。
+    攻击链: 伪造 RememberMe Cookie → Base64解码 → AES解密 → 反序列化 → RCE
+    修复方案:
+    1. 使用随机生成的强 AES 密钥: KeyGenerator.getInstance("AES").generateKey()
+    2. 不要从配置文件/代码中硬编码密钥，使用环境变量或密钥管理服务
+    3. 升级 Shiro 至 1.13.0+ (默认启用更安全的反序列化过滤)
+    4. 替换默认密钥，确保每个部署实例使用不同密钥
+    参考:
+    - CVE-2016-4437 (Shiro RememberMe 反序列化 RCE)
+    - Shiro 默认密钥: kPH+bIxk5D2deZiIxcaaaA==
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new CookieRememberMeManager().setCipherKey(Base64.decode($KEY));
+    - pattern: |
+        $MGR.setCipherKey(Base64.decode($KEY));
+    - pattern: |
+        CookieRememberMeManager $MGR = new CookieRememberMeManager();
+        ...
+        $MGR.setCipherKey($KEY);
+    - pattern: |
+        new CookieRememberMeManager()
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: deserialization
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-4437"
+      - "https://shiro.apache.org/security-reports.html"
+# ZM-JAVA-SHIRO-002: Shiro 默认 AES 密钥检测
+- id: zm-java-shiro-002
+  severity: ERROR
+  message: |
+    检测到 Apache Shiro 使用了已知的默认 AES 密钥（Base64 编码字符串）。
+    该密钥为 Shiro 硬编码默认值，广泛公开，攻击者可直接用于伪造 RememberMe Cookie。
+    修复方案:
+    1. 立即替换为随机生成的密钥
+    2. 使用 KeyGenerator 生成新密钥，通过环境变量/密钥管理服务注入
+    3. 每个部署环境使用独立密钥
+    4. 如不需要 RememberMe 功能，禁用 CookieRememberMeManager
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $MGR.setCipherKey(Base64.decode("kPH+bIxk5D2deZiIxcaaaA=="))
+    - pattern: |
+        $MGR.setCipherKey(Base64.decode("kPH+bIxk5D2deZiIxcaaaA=="));
+    - pattern: |
+        $MGR.setCipherKey("kPH+bIxk5D2deZiIxcaaaA==".getBytes())
+    - pattern: |
+        setCipherKey(Base64.decode("kPH+bIxk5D2deZiIxcaaaA=="))
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: very-high
+    category: deserialization
+    likelihood: VERY_HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-4437"
+# ZM-JAVA-SHIRO-003: Shiro RememberMeManager 无 re-encryption 密钥
+- id: zm-java-shiro-003
+  severity: ERROR
+  message: |
+    检测到 Apache Shiro CookieRememberMeManager 实例化但未设置自定义密钥。
+    若使用默认密钥，攻击者可伪造 RememberMe Cookie 实现反序列化 RCE。
+    修复方案:
+    1. 显式设置随机 AES 密钥: setCipherKey(KeyGenerator.getInstance("AES").generateKey().getEncoded())
+    2. 密钥从安全配置源加载，禁止硬编码
+    3. 部署时自动生成实例级密钥并持久化
+  languages:
+    - java
+  patterns:
+    - pattern-inside: |
+        import org.apache.shiro.mgt.AbstractRememberMeManager;
+        ...
+    - pattern: |
+        new CookieRememberMeManager()
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: deserialization
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-4437"

package/rules/unified/cwe-502/zm-java-cwe502-snakeyaml-load.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+# Source: common | Cluster: N/A
+# CWE-502: SnakeYAML load() 不安全反序列化
+# 逐码 ZhuMa V4.3 — 反序列化深度覆盖
+rules:
+# ZM-JAVA-CWE502-YAML-001: SnakeYAML Yaml.load() 替代 loadAs()
+- id: zm-java-cwe502-yaml-001
+  severity: CRITICAL
+  message: |
+    SnakeYAML Yaml.load() 方法可反序列化任意 Java 对象（包括构造器调用），
+    攻击者可通过 YAML 中的 !!javax.script.ScriptEngineManager 标签执行任意代码。
+    修复: 使用 Yaml.loadAs(yaml, TargetClass.class) 限制只能反序列化指定类型，
+    或使用 SafeConstructor: new Yaml(new SafeConstructor())。
+  languages:
+    - java
+  pattern-either:
+    - pattern: new Yaml().load($INPUT)
+    - pattern: $YAML.load($INPUT)
+    - pattern: $YAML.load($REQ.getInputStream())
+    - pattern: $YAML.load($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: high
+    category: deserialization
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    likelihood: HIGH
+    impact: CRITICAL
+    tags: [deserialization, snakeyaml, rce]
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
+# ZM-JAVA-CWE502-YAML-002: Yaml 构造器未指定 SafeConstructor
+- id: zm-java-cwe502-yaml-002
+  severity: CRITICAL
+  message: |
+    SnakeYAML Yaml 使用默认 Constructor（非 SafeConstructor），
+    允许通过 YAML 标签实例化任意 Java 对象。
+    修复: new Yaml(new SafeConstructor()) 禁止非标准 Java 对象的创建，
+    同时使用 Constructor(TargetClass.class) 限制允许的类型。
+  languages:
+    - java
+  pattern-either:
+    - pattern: new Yaml()
+    - pattern: new Yaml(new Constructor())
+    - pattern: new Yaml(new Constructor($CLS))
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: very-high
+    category: deserialization
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    likelihood: HIGH
+    impact: CRITICAL
+    tags: [deserialization, snakeyaml, rce]

package/rules/unified/cwe-502/zm-java-cwe502-xstream-nosecurity.yaml ADDED Viewed

@@ -0,0 +1,65 @@
+# Source: common | Cluster: N/A
+# CWE-502: XStream 无安全框架反序列化检测
+# 逐码 ZhuMa V4.3 — 反序列化深度覆盖
+rules:
+# ZM-JAVA-CWE502-XSTREAM-001: XStream 无安全框架
+- id: zm-java-cwe502-xstream-001
+  severity: CRITICAL
+  message: |
+    XStream 实例化未设置安全框架（未调用 setupDefaultSecurity 或 addPermission），
+    默认允许反序列化任意类，攻击者可通过 XML 中的 <dynamic-proxy> 等标签触发 gadget chain RCE。
+    修复: 在 XStream 实例化后立即调用:
+      XStream xstream = new XStream();
+      XStream.setupDefaultSecurity(xstream);
+      xstream.allowTypesByWildcard(new String[] { "com.yourcompany.**" });
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $XS = new XStream();
+        ...
+        $XS.fromXML($INPUT);
+    - pattern: |
+        $XS = new XStream(new $DRIVER());
+        ...
+        $XS.fromXML($INPUT);
+    - pattern: |
+        new XStream().fromXML($INPUT)
+    - pattern: |
+        $XSTREAM.fromXML($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: high
+    category: deserialization
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    likelihood: HIGH
+    impact: CRITICAL
+    tags: [deserialization, xstream, rce, xml]
+    references:
+      - "https://x-stream.github.io/security.html"
+# ZM-JAVA-CWE502-XSTREAM-002: XStream allowTypesByWildcard("*")
+- id: zm-java-cwe502-xstream-002
+  severity: CRITICAL
+  message: |
+    XStream allowTypesByWildcard("*") 允许反序列化所有类，等同于未设置安全框架。
+    攻击者可通过 XML 注入任意类实现代码执行。
+    修复: 使用 allowTypesByWildcard("com.yourcompany.**") 限制仅允许业务包下的类。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $XSTREAM.allowTypesByWildcard(new String[] { "*" })
+    - pattern: $XSTREAM.addPermission(AnyTypePermission.ANY)
+    - pattern: $XSTREAM.allowTypes(new Class[] {})
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: very-high
+    category: deserialization
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    likelihood: HIGH
+    impact: CRITICAL
+    tags: [deserialization, xstream, rce]

package/rules/unified/cwe-502/zm-java-deserial-cwe502-001.yaml ADDED Viewed

@@ -0,0 +1,73 @@
+# Source: common | Cluster: N/A
+# CWE-502/94: Jackson/Jython反序列化 — 多态反序列化RCE深入
+# ZhuMa V4.1 — Jackson Polymorphic Deserialization + Jython ScriptEngine
+# 覆盖: Jackson enableDefaultTyping深入 / Jython PythonInterpreter注入
+rules:
+# ZM-JAVA-JACKSON-POLY-001: Jackson PolymorphicTypeValidator绕过
+- id: zm-java-jackson-poly-001
+  severity: CRITICAL
+  message: |
+    ObjectMapper 启用 enableDefaultTyping() 配合 PolymorphicTypeValidator 但不充分 — 反序列化RCE。
+    Jackson多态反序列化允许通过 @class 字段指定任意类，即使有PTV验证，绕过案例层出不穷。
+    CVE-2020-25649: Jackson FasterXML 多态类型处理RCE；CVE-2020-36518: 嵌套类型绕过。
+    修复: 1) 完全禁用defaultTyping 2) 使用显式 @JsonTypeInfo + @JsonSubTypes 3) 升级jackson-databind >=2.12.6.1
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $MAPPER.activateDefaultTyping($PTV, ObjectMapper.DefaultTyping.$MODE)
+    - pattern: |
+        $MAPPER.activateDefaultTyping($PTV)
+    - pattern: |
+        $MAPPER.setDefaultTyping($TI)
+    - pattern: |
+        ObjectMapper $OM = new ObjectMapper();
+        ...
+        $OM.enableDefaultTyping();
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: high
+    category: deserialization
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-25649"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-36518"
+      - "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
+# ZM-JAVA-JYTHON-001: Jython PythonInterpreter.exec() 用户输入执行
+- id: zm-java-jython-001
+  severity: CRITICAL
+  message: |
+    Jython PythonInterpreter.exec()/eval() 使用HTTP请求参数 — 任意Python代码执行(RCE)。
+    攻击者可通过传入恶意Python脚本执行系统命令、反弹shell、部署后门。
+    CVE-2016-4000: Jython <=2.7.0 sandbox bypass; PythonInterpreter未限制危险函数调用。
+    修复: 1) 禁止用户输入传入PythonInterpreter 2) 使用安全管理器限制exec权限
+    3) 替换为受限模板引擎(如Velocity with sandbox)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new PythonInterpreter().exec($REQ.getParameter(...))
+    - pattern: |
+        $PI.exec($REQ.getParameter(...))
+    - pattern: |
+        new PythonInterpreter().eval($REQ.getParameter(...))
+    - pattern: |
+        $PI.eval($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+    severity: CRITICAL
+    precision: high
+    category: code-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-4000"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2019-17566"
+      - "https://www.jython.org/latest-vulnerabilities/"

package/rules/unified/cwe-502/zm-java-jndi-cwe502-001.yaml ADDED Viewed

@@ -0,0 +1,108 @@
+# Source: common | Cluster: N/A
+# CWE-502: JNDI注入深入 — LDAP/RMI绕过变体
+# ZhuMa V4.1 — JNDI高级绕过检测
+# 覆盖: LDAP属性注入 / RMI引用绕过 / JNDI Reference注入链
+rules:
+# ZM-JAVA-JNDI-LDAP-001: LDAP SearchControls控制注入
+- id: zm-java-jndi-ldap-001
+  severity: ERROR
+  message: |
+    DirContext.search() 的 LDAP 过滤器(filter)参数由 HTTP 请求参数直接拼接 — LDAP 注入。
+    攻击者可构造特殊过滤器绕过认证、提取敏感目录信息，或配合 JNDI Reference 实现 RCE。
+    修复: 1) 使用 LdapEncoder.filterEncode() 过滤特殊字符 2) 使用参数化查询方式 3) 白名单限制 LDAP 属性名
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $CTX.search($BASE, $FILTER + $REQ.getParameter(...), $SC)
+    - pattern: |
+        $CTX.search($BASE, $REQ.getParameter(...), $SC)
+    - pattern: |
+        $CTX.search($BASE, $FILTER, new SearchControls());
+        ...
+        $FILTER = $REQ.getParameter(...);
+  metadata:
+    cwe: "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"
+    severity: ERROR
+    precision: high
+    category: jndi-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-45046"
+      - "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection"
+# ZM-JAVA-JNDI-RMI-001: JNDI RMI注册表lookup绕过
+- id: zm-java-jndi-rmi-001
+  severity: CRITICAL
+  message: |
+    检测到 JNDI lookup() 使用 rmi:// 协议或 NamingManager.getObjectInstance() 从RMI加载对象。
+    即使高版本JDK禁用了ldap远程codebase，rmi:// 协议在未配置安全管理器时仍可被利用。
+    修复: 1) JDK >= 8u191 启用 trustSerialData 限制 2) 禁用 RMI Registry 外部引用 3) 使用 ObjectInputFilter
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $CTX.lookup("rmi://" + ...)
+    - pattern: |
+        $CTX.lookup("rmi://$HOST/$OBJ")
+    - pattern: |
+        NamingManager.getObjectInstance($REF, $NAME, $CTX, $ENV)
+    - pattern: |
+        new InitialContext().lookup($RMI_URL)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: medium
+    category: jndi-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-0638"
+      - "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
+# ZM-JAVA-JNDI-ENV-001: JNDI环境属性绕过(JAVA_NAMING_FACTORY)
+- id: zm-java-jndi-env-001
+  severity: CRITICAL
+  message: |
+    检测到 JNDI InitialContext 环境变量中包含用户可控值 — 可注入恶意 Context.PROVIDER_URL
+    或 Context.INITIAL_CONTEXT_FACTORY 属性，劫持JNDI命名服务指向攻击者控制的LDAP/RMI服务器。
+    修复: 1) JNDI环境Hashtable中的provider属性必须硬编码 2) 禁止从用户输入获取 Context.PROVIDER_URL
+    3) 设置 com.sun.jndi.ldap.object.trustURLCodebase=false
+  languages:
+    - java
+  pattern-either:
+    - patterns:
+      - pattern-inside: |
+          $ENV.put($KEY, $REQ.getParameter(...));
+          ...
+      - pattern: |
+          new InitialContext($ENV)
+    - patterns:
+      - pattern-inside: |
+          $ENV.put($KEY, $VAL);
+          ...
+      - pattern: |
+          new InitialContext($ENV)
+    - pattern: |
+        $HASH.put("java.naming.provider.url", $REQ.getParameter(...))
+    - pattern: |
+        $HASH.put("java.naming.factory.initial", $REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: high
+    category: jndi-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-21496"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
+      - "https://www.oracle.com/java/technologies/javase/8u191-relnotes.html"

package/rules/unified/cwe-502/zm-java-xstream-cwe502-001.yaml ADDED Viewed

@@ -0,0 +1,74 @@
+# Source: common | Cluster: N/A
+# CWE-502: XStream反序列化 — 不安全配置与绕过检测
+# ZhuMa V4.1 — XStream deserialization RCE
+# 覆盖: XStream.fromXML() / setupDefaultSecurity缺失 / 黑名单绕过
+rules:
+# ZM-JAVA-XSTREAM-001: XStream.fromXML() 未设置安全框架
+- id: zm-java-xstream-001
+  severity: CRITICAL
+  message: |
+    XStream.fromXML() 直接反序列化用户输入，未调用 XStream.setupDefaultSecurity() 未启用白名单。
+    默认XStream允许反序列化任意类，攻击者可利用多种gadget chain(如ImageIO/JNDI/Runtime)实现RCE。
+    CVE-2021-43859: XStream <=1.4.18 高危反序列化链(CVE-2021-21344至CVE-2021-39154共14个CVE)。
+    修复: 1) 必须调用 xstream.setupDefaultSecurity() 2) 显式 allowTypesByWildcard 白名单
+    3) 升级到 XStream >=1.4.19
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new XStream().fromXML($REQ.getParameter(...))
+    - pattern: |
+        $XSTREAM.fromXML($REQ.getInputStream())
+    - pattern: |
+        $XSTREAM.fromXML($REQ.getReader())
+    - pattern: |
+        XStream $X = new XStream();
+        ...
+        $X.fromXML($INPUT);
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: high
+    category: deserialization
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-43859"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-39144"
+      - "https://x-stream.github.io/security.html"
+# ZM-JAVA-XSTREAM-002: XStream自定义Converter绕过
+- id: zm-java-xstream-002
+  severity: CRITICAL
+  message: |
+    检测到XStream使用自定义Converter或registerConverter() — 可能引入新的gadget chain.
+    自定义Converter如果调用反射API(如Method.invoke/Class.forName)可能被恶意XML触发RCE。
+    攻击者通过构造特殊XML字符串利用Converter逻辑执行任意代码。
+    CVE-2021-39145: XStream DynamicProxyConverter导致任意代码执行。
+    修复: 1) Converter中禁止使用反射 2) 对所有输入类严格校验 3) 在Converter中实现类型白名单
+  languages:
+    - java
+  pattern-either:
+    - patterns:
+      - pattern-inside: |
+          $XS = new XStream(new $D());
+          ...
+      - pattern: |
+          $XS.registerConverter(...)
+    - pattern: |
+        $XSTREAM.registerConverter($CONVERTER)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: medium
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-39145"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-39147"
+      - "https://x-stream.github.io/CVE-2021-39145.html"

package/rules/unified/cwe-502/zm-js-cwe502-deserialization.yaml ADDED Viewed

@@ -0,0 +1,120 @@
+# Source: common | Cluster: N/A
+# CWE-502: Node.js 不安全反序列化检测规则
+# 逐码 ZhuMa V4.1 Sprint 2 — JS/TS 规则库
+# 覆盖: node-serialize、serialize-javascript、js-yaml.load、JSON.parse prototype injection
+rules:
+# ZM-JS-DSER-001: node-serialize / serialize-javascript / js-yaml.load 不安全反序列化
+- id: zm-js-dser-001
+  severity: ERROR
+  message: |
+    检测到使用 node-serialize.unserialize() / serialize-javascript(eval) / js-yaml.load()
+    进行不安全反序列化，可能导致远程代码执行(RCE)。
+    node-serialize.unserialize() 支持IIFE，攻击者可注入恶意函数体执行任意代码。
+    js-yaml.load() 默认使用 !!js/undefined 等危险类型，可触发代码执行。
+    serialize-javascript 需配合 eval 使用，存在RCE风险。
+    修复:
+    1. node-serialize => 使用 JSON.parse() 替代，或 v8.deserialize() + v8.serialize()
+    2. js-yaml.load(input) => js-yaml.load(input, { schema: yaml.FAILSAFE_SCHEMA }) 或 yaml.safeLoad()
+    3. serialize-javascript => 禁止配合 eval() 使用
+    4. 对所有反序列化输入做完整性校验(HMAC/Signature)
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: nodeSerialize.unserialize(...)
+    - pattern: $NS.unserialize(...)
+    - pattern: $SJ.serialize(...)
+    - pattern: eval(serializeJavascript(...))
+    - pattern: eval(serialize(...))
+    - pattern: jsYaml.load(...)
+    - pattern: yaml.load(...)
+    - pattern: $YAML.load(...)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    category: deserialization
+    precision: medium
+    references:
+      - "https://github.com/luin/serialize#security-issue"
+      - "https://github.com/nodeca/js-yaml#security"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html"
+# ZM-JS-DSER-002: js-yaml.load 无 safeLoad / schema 参数
+- id: zm-js-dser-002
+  severity: WARNING
+  message: |
+    js-yaml.load() 未指定 { schema: FAULT_SAFE_SCHEMA } 安全选项。
+    默认schema支持 !!js/undefined / !!js/regexp 等危险类型，可能导致原型污染或RCE。
+    修复:
+    1. js-yaml.safeLoad(input) 替代 js-yaml.load(input)
+    2. 或 yaml.load(input, { schema: yaml.FAILSAFE_SCHEMA })
+    3. 升级 js-yaml 到最新版本(>=4.1.0)
+  languages:
+    - javascript
+    - typescript
+  patterns:
+    - pattern-either:
+        - pattern: $YAML.load(...)
+    - pattern-not: $YAML.load(..., ...)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    category: deserialization
+    precision: low
+    references:
+      - "https://github.com/nodeca/js-yaml#safe-load"
+# ZM-JS-DSER-003: JSON.parse 后直接访问嵌套属性(可能的prototype injection)
+- id: zm-js-dser-003
+  severity: WARNING
+  message: |
+    JSON.parse(userInput) 后对结果对象进行属性赋值或 __proto__ 路径访问。
+    JSON.parse 本身安全，但若不验证输入直接合并到其他对象中，攻击者可利用
+    {"__proto__": {"isAdmin": true}} 进行原型污染。
+    修复:
+    1. 检查并过滤 __proto__ / constructor / prototype 键名
+    2. 使用 Object.create(null) 创建目标对象
+    3. 使用 Map 替代普通对象存储数据
+    4. 使用 joi / zod Schema 验证输入结构，禁止额外属性
+  languages:
+    - javascript
+    - typescript
+  patterns:
+    - pattern-either:
+        - pattern: |
+            $PARSED = JSON.parse($REQ.body, ...)
+            ...
+            $OBJ[$PARSED] = $VAL
+        - pattern: |
+            $PARSED = JSON.parse($REQ.query, ...)
+            ...
+            $OBJ[$PARSED] = $VAL
+        - pattern: |
+            $PARSED = JSON.parse($REQ.params, ...)
+            ...
+            $OBJ[$PARSED] = $VAL
+        - pattern: |
+            $PARSED = JSON.parse($REQ.body, ...)
+            ...
+            Object.assign($TARGET, $PARSED)
+        - pattern: |
+            $PARSED = JSON.parse($REQ.body, ...)
+            ...
+            lodash.merge($TARGET, $PARSED)
+        - pattern: |
+            $PARSED = JSON.parse($REQ.body, ...)
+            ...
+            _.merge($TARGET, $PARSED)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    category: deserialization
+    precision: low
+    references:
+      - "https://www.npmjs.com/advisories/1065"