@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

package/rules/unified/cwe-502/zm-php-cwe502-unserialize.yaml

@@ -0,0 +1,94 @@
+# Source: common | Cluster: N/A
+# CWE-502: PHP 反序列化检测
+# 逐码 ZhuMa V4.3 — PHP 通用规则库
+# 检测: unserialize() 参数来自用户输入
+
+rules:
+
+# ZM-PHP-SER-001: unserialize() 参数来自 $_GET/$_POST
+- id: zm-php-cwe502-unserialize-001
+  severity: CRITICAL
+  message: |
+    检测到 unserialize() 参数来自 $_GET/$_POST/$_REQUEST/$_COOKIE 等 HTTP 输入。
+    对用户可控数据进行反序列化可导致对象注入攻击（Object Injection），
+    通过构造恶意序列化数据触发魔术方法（__wakeup/__destruct/__toString）
+    实现任意代码执行（RCE）、文件操作、SQL 注入等。
+
+    修复方案:
+    1. **禁止反序列化用户输入**: 使用 JSON (json_decode) 替代 serialize
+    2. 必须反序列化时使用 allowed_classes 选项限制允许的类:
+       unserialize($data, ['allowed_classes' => ['SafeClass']]);
+    3. 使用 HMAC 签名验证数据完整性后再反序列化
+    4. 迁移至 JSON/JWT 等安全格式传输数据
+    5. 参考 OWASP PHP 反序列化防御
+  languages:
+    - php
+  pattern-either:
+    - pattern: unserialize($_GET[$X])
+    - pattern: unserialize($_POST[$X])
+    - pattern: unserialize($_REQUEST[$X])
+    - pattern: unserialize($_COOKIE[$X])
+    - pattern: unserialize($_SERVER[$X])
+    - pattern: unserialize(file_get_contents("php://input"))
+    - pattern: unserialize($HTTP_RAW_POST_DATA)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: high
+    category: deserialization
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection"
+      - "https://www.php.net/manual/en/function.unserialize.php"
+
+# ZM-PHP-SER-002: unserialize() 变量来自 HTTP 请求链
+- id: zm-php-cwe502-unserialize-002
+  severity: ERROR
+  message: |
+    检测到变量赋值自 $_GET/$_POST/$_REQUEST 后传递给 unserialize()。
+    通过变量中转传递用户输入仍是反序列化风险。
+
+    修复方案:
+    1. 确保传递给 unserialize() 的数据不来自任何用户可控源
+    2. 使用 JSON 格式替代 PHP serialize
+    3. 使用 allowed_classes => false 完全禁止对象反序列化
+  languages:
+    - php
+  pattern: |
+    $VAR = $_GET[$X];
+    ...
+    unserialize($VAR);
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: medium
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+
+# ZM-PHP-SER-003: unserialize() 未使用 allowed_classes 选项
+- id: zm-php-cwe502-unserialize-003
+  severity: WARNING
+  message: |
+    检测到 unserialize() 调用未设置 allowed_classes 选项。
+    PHP 7.0+ 支持 allowed_classes 选项限制反序列化类范围，未设置时
+    允许反序列化任意类，增加对象注入攻击面。
+
+    修复方案:
+    1. 设置 allowed_classes => false 禁止所有对象反序列化
+    2. 或设为白名单: unserialize($data, ['allowed_classes' => ['SafeClass']])
+    3. 优先使用 json_decode() 替代 unserialize()
+  languages:
+    - php
+  pattern: unserialize($DATA)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: WARNING
+    precision: low
+    category: deserialization
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A08:2021 - Software and Data Integrity Failures"

package/rules/unified/cwe-502/zm-py-cwe502-deser-advanced.yaml

@@ -0,0 +1,130 @@
+# Source: common | Cluster: N/A
+# CWE-502: Python pickle反序列化扩展 (gzip+pickle组合 / protobuf无验证)
+# 逐码 ZhuMa V4.3 — Python 通用规则库
+# 检测: gzip+gzip+pandas.read_pickle、protobuf反序列化无验证
+
+rules:
+
+# ZM-PY-DESER-001: gzip+pickle组合绕过
+- id: zm-py-deser-001
+  severity: CRITICAL
+  message: |
+    检测到使用 gzip.decompress + pickle.loads 组合处理用户输入。
+    攻击者可通过将恶意pickle数据压缩后再发送，绕过仅检测 pickle.loads 的
+    静态分析规则。
+
+    修复方案:
+    1. 绝对禁止使用 pickle 反序列化不可信数据
+    2. 使用 JSON/MessagePack/Protocol Buffers 替代 pickle
+    3. 若必须使用 pickle，使用 hmac 签名校验数据完整性: 
+       actual_hmac = hmac.new(key, data, 'sha256').digest()
+    4. 限制可反序列化的类型: pickle.Unpickler(io.BytesIO(data)).find_class = safe_find_class
+  languages:
+    - python
+  pattern-either:
+    - pattern: pickle.loads(gzip.decompress(...))
+    - pattern: pickle.loads(zlib.decompress(...))
+    - pattern: pickle.loads(bz2.decompress(...))
+    - pattern: pickle.loads(lzma.decompress(...))
+    - pattern: cPickle.loads(gzip.decompress(...))
+    - pattern: pickle.loads(base64.b64decode(...))
+    - pattern: cloudpickle.loads(gzip.decompress(...))
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: very-high
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://docs.python.org/3/library/pickle.html"
+
+# ZM-PY-DESER-002: pandas.read_pickle 反序列化
+- id: zm-py-deser-002
+  severity: CRITICAL
+  message: |
+    检测到 pandas.read_pickle() 反序列化操作。
+    pandas的pickle读取底层使用 pickle.loads，可执行任意代码。
+
+    修复方案:
+    1. 使用 pandas.read_csv/read_json/read_parquet 替代 read_pickle
+    2. 若必须使用pickle格式，使用 hmac 签名验证数据来源可信
+    3. 限制仅从可信来源读取pickle文件
+  languages:
+    - python
+  pattern-either:
+    - pattern: pandas.read_pickle(...)
+    - pattern: pd.read_pickle(...)
+    - pattern: $DF.to_pickle(...)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: very-high
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+
+# ZM-PY-DESER-003: yaml.load 非安全加载
+- id: zm-py-deser-003
+  severity: CRITICAL
+  message: |
+    检测到使用 yaml.load() 而非 yaml.safe_load()。
+    yaml.load() 使用默认Loader可反序列化任意Python对象，攻击者可通过
+    构造恶意YAML数据实现任意代码执行 (参考 CVE-2017-18342)。
+
+    修复方案:
+    1. 始终使用 yaml.safe_load() 替代 yaml.load()
+    2. 若需要自定义类型，使用 yaml.YAMLObject 并启用白名单
+    3. 使用 SafeLoader: yaml.load(data, Loader=yaml.SafeLoader)
+    4. 参考 PyYAML 安全文档
+  languages:
+    - python
+  pattern-either:
+    - pattern: yaml.load($DATA)
+    - pattern: yaml.load($DATA, Loader=yaml.Loader)
+    - pattern: yaml.load($DATA, Loader=yaml.FullLoader)
+    - pattern: yaml.load($DATA, Loader=yaml.UnsafeLoader)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: high
+    category: deserialization
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://pyyaml.org/wiki/PyYAMLDocumentation"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2017-18342"
+
+# ZM-PY-DESER-004: protobuf反序列化无验证
+- id: zm-py-deser-004
+  severity: WARNING
+  message: |
+    检测到 protobuf 反序列化操作(ParseFromString/MergeFromString)，
+    但未配合数据完整性校验。虽然protobuf本身不执行代码，但恶意构造的
+    protobuf数据可触发超大字段分配导致OOM，或利用业务逻辑缺陷。
+
+    修复方案:
+    1. 对输入数据做大小限制，拒绝超大消息(如 > 1MB)
+    2. 使用 ParseFromString 配合 max_recursion_depth 限制嵌套深度
+    3. 对关键业务消息使用 HMAC 签名验证数据完整性
+    4. 使用 protobuf unknown_fields 不应被忽略
+  languages:
+    - python
+  pattern-either:
+    - pattern: $MSG.ParseFromString(...)
+    - pattern: $MSG.MergeFromString(...)
+    - pattern: $MSG.ParseFromString(request.data)
+    - pattern: $MSG.ParseFromString(request.get_data())
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: WARNING
+    precision: medium
+    category: deserialization
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://developers.google.com/protocol-buffers/docs/pythontutorial"

package/rules/unified/cwe-502/zm-py-cwe502-pickle.yaml

@@ -0,0 +1,93 @@
+# Source: common | Cluster: N/A
+# CWE-502: Python Pickle/UnsafeLoader 反序列化 RCE 检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: pickle.loads / yaml.load(UnsafeLoader) / cPickle 用户输入反序列化
+
+rules:
+
+# ZM-PY-PICKLE-01: pickle.loads() 参数来自 request
+- id: zm-py-pickle-001
+  severity: ERROR
+  message: |
+    检测到 pickle.loads() 参数来自 HTTP 请求。
+    pickle 反序列化用户可控数据可触发任意代码执行（RCE）。
+    修复: 禁止反序列化用户输入；使用 JSON 等安全格式替代 pickle。
+  languages:
+    - python
+  pattern-either:
+    - pattern: pickle.loads(request.args.get(...))
+    - pattern: pickle.loads(request.form.get(...))
+    - pattern: pickle.loads(request.values.get(...))
+    - pattern: pickle.loads(request.data)
+    - pattern: pickle.loads(request.get_json().get(...))
+    - pattern: pickle.loads(request.json.get(...))
+    - pattern: pickle.loads(request.get_data())
+    - pattern: pickle.load(request.args.get(...))
+    - pattern: pickle.load(request.form.get(...))
+    - pattern: pickle.load(request.data)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+
+# ZM-PY-PICKLE-02: yaml.load() 使用 UnsafeLoader
+- id: zm-py-pickle-002
+  severity: ERROR
+  message: |
+    检测到 yaml.load() 使用 UnsafeLoader/Loader 且数据来自 HTTP 请求。
+    PyYAML 的 Loader 可构造 !!python/object 标签实现 RCE。
+    修复: 使用 yaml.safe_load() 替代 yaml.load()；或使用 FullLoader 仅限标准类型。
+  languages:
+    - python
+  pattern-either:
+    - pattern: yaml.load(request.args.get(...), Loader=yaml.Loader)
+    - pattern: yaml.load(request.form.get(...), Loader=yaml.Loader)
+    - pattern: yaml.load(request.values.get(...), Loader=yaml.Loader)
+    - pattern: yaml.load(request.data, Loader=yaml.Loader)
+    - pattern: yaml.load(request.args.get(...), yaml.Loader)
+    - pattern: yaml.load(request.form.get(...), yaml.Loader)
+    - pattern: yaml.load(request.data, yaml.Loader)
+    - pattern: yaml.load(request.args.get(...), Loader=yaml.UnsafeLoader)
+    - pattern: yaml.load(request.form.get(...), Loader=yaml.UnsafeLoader)
+    - pattern: yaml.load(request.data, Loader=yaml.UnsafeLoader)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+
+# ZM-PY-PICKLE-03: cPickle/_pickle 反序列化用户输入
+- id: zm-py-pickle-003
+  severity: ERROR
+  message: |
+    检测到 cPickle/_pickle.loads() 参数来自 HTTP 请求。
+    cPickle 是 C 实现的 pickle 模块，反序列化用户数据可导致 RCE。
+    修复: 使用 JSON/MessagePack 替代；禁止反序列化用户输入。
+  languages:
+    - python
+  pattern-either:
+    - pattern: cPickle.loads(request.args.get(...))
+    - pattern: cPickle.loads(request.form.get(...))
+    - pattern: cPickle.loads(request.values.get(...))
+    - pattern: cPickle.loads(request.data)
+    - pattern: cPickle.load(request.args.get(...))
+    - pattern: cPickle.load(request.form.get(...))
+    - pattern: cPickle.load(request.data)
+    - pattern: _pickle.loads(request.args.get(...))
+    - pattern: _pickle.loads(request.form.get(...))
+    - pattern: _pickle.loads(request.data)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"

package/rules/unified/cwe-502/zm-py-deser-cwe502-01.yaml

@@ -0,0 +1,67 @@
+# Source: common | Cluster: N/A
+# CWE-502: Python 反序列化深度检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: yaml.load() 无安全限制 / ruamel.yaml.load 不安全 / marshal.loads 反序列化
+
+rules:
+
+# ZM-PY-DESER-01: yaml.load() 使用默认 Loader（非 safe_load）处理用户输入
+- id: zm-py-yaml-unsafe-load-001
+  severity: ERROR
+  message: |
+    检测到 yaml.load() 未指定 Loader 或使用默认 Loader 且数据来自 HTTP 请求。
+    PyYAML 默认 yaml.load() 使用 Loader=yaml.Loader，可构造 !!python/object/apply
+    实现任意代码执行（RCE）如 CVE-2020-14343 中 PyYAML FullLoader RCE。
+    修复: 使用 yaml.safe_load() 替代 yaml.load()；仅允许标准 YAML 类型。
+  languages:
+    - python
+  pattern-either:
+    - pattern: yaml.load(request.args.get(...))
+    - pattern: yaml.load(request.form.get(...))
+    - pattern: yaml.load(request.values.get(...))
+    - pattern: yaml.load(request.data)
+    - pattern: yaml.load(request.args.get(...), Loader=yaml.Loader)
+    - pattern: yaml.load(request.form.get(...), Loader=yaml.Loader)
+    - pattern: yaml.load(request.data, Loader=yaml.Loader)
+    - pattern: yaml.load(request.args.get(...), yaml.Loader)
+    - pattern: yaml.load(request.form.get(...), yaml.Loader)
+    - pattern: yaml.load(request.data, yaml.Loader)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: deserialization
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    cve: "CVE-2020-14343"
+
+# ZM-PY-DESER-02: marshal.loads / marshal.load 反序列化用户输入
+- id: zm-py-marshal-deser-001
+  severity: ERROR
+  message: |
+    检测到 marshal.loads() / marshal.load() 参数来自 HTTP 请求。
+    marshal 模块用于 Python 内部序列化（.pyc 文件），反序列化用户可控数据
+    可导致任意代码执行（类似 pickle RCE），参考 CVE-2022-48564 marshal 类型混淆。
+    修复: 禁止反序列化用户输入；使用 JSON/msgpack 等安全格式替代 marshal。
+  languages:
+    - python
+  pattern-either:
+    - pattern: marshal.loads(request.args.get(...))
+    - pattern: marshal.loads(request.form.get(...))
+    - pattern: marshal.loads(request.values.get(...))
+    - pattern: marshal.loads(request.data)
+    - pattern: marshal.load(request.args.get(...))
+    - pattern: marshal.load(request.form.get(...))
+    - pattern: marshal.load(request.data)
+    - pattern: marshal.loads(request.get_data())
+    - pattern: marshal.load(request.get_data())
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    cve: "CVE-2022-48564"

package/rules/unified/cwe-502/zm-taint-502-502-go-109.yaml

@@ -0,0 +1,39 @@
+# Source: taint | Cluster: CL-502-GO-109
+# Taint-upgraded rule: zhuma-nvd-502-502-go-109
+# Original CWE: CWE-502 | Language: go
+# Auto-generated by L1 Taint Migration
+
+rules:
+- id: zhuma-taint-502-502-go-109
+  mode: taint
+  metadata:
+    category: CWE-502
+    cwe: "CWE-502"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-502-502-go-109
+
+  message: |
+    检测到不安全反序列化风险。从不可信来源反序列化对象数据。
+
+  severity: WARNING
+  languages:
+    - go
+
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: r.Body
+      - pattern: r.ParseForm
+
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: gob.NewDecoder(...).Decode(...)
+      - pattern: json.Unmarshal(...)

package/rules/unified/cwe-502/zm-taint-502-502-go-110.yaml

@@ -0,0 +1,39 @@
+# Source: taint | Cluster: CL-502-GO-110
+# Taint-upgraded rule: zhuma-nvd-502-502-go-110
+# Original CWE: CWE-502 | Language: go
+# Auto-generated by L1 Taint Migration
+
+rules:
+- id: zhuma-taint-502-502-go-110
+  mode: taint
+  metadata:
+    category: CWE-502
+    cwe: "CWE-502"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-502-502-go-110
+
+  message: |
+    检测到不安全反序列化风险。从不可信来源反序列化对象数据。
+
+  severity: WARNING
+  languages:
+    - go
+
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: r.Body
+      - pattern: r.ParseForm
+
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: gob.NewDecoder(...).Decode(...)
+      - pattern: json.Unmarshal(...)

package/rules/unified/cwe-502/zm-taint-502-502-java-092.yaml

@@ -0,0 +1,40 @@
+# Source: taint | Cluster: CL-502-JAVA-092
+# Taint-upgraded rule: zhuma-nvd-502-502-java-092
+# Original CWE: CWE-502 | Language: java
+# Auto-generated by L1 Taint Migration
+
+rules:
+- id: zhuma-taint-502-502-java-092
+  mode: taint
+  metadata:
+    category: CWE-502
+    cwe: "CWE-502"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-502-502-java-092
+
+  message: |
+    检测到不安全反序列化风险。从不可信来源反序列化对象数据。
+
+  severity: ERROR
+  languages:
+    - java
+
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: request.getParameter(...)
+      - pattern: "@RequestBody $T $X"
+      - pattern: request.getInputStream()
+
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: $OIS.readObject()
+      - pattern: new ObjectInputStream(...)

package/rules/unified/cwe-502/zm-taint-502-502-java-093.yaml

@@ -0,0 +1,40 @@
+# Source: taint | Cluster: CL-502-JAVA-093
+# Taint-upgraded rule: zhuma-nvd-502-502-java-093
+# Original CWE: CWE-502 | Language: java
+# Auto-generated by L1 Taint Migration
+
+rules:
+- id: zhuma-taint-502-502-java-093
+  mode: taint
+  metadata:
+    category: CWE-502
+    cwe: "CWE-502"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-502-502-java-093
+
+  message: |
+    检测到不安全反序列化风险。从不可信来源反序列化对象数据。
+
+  severity: WARNING
+  languages:
+    - java
+
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: request.getParameter(...)
+      - pattern: "@RequestBody $T $X"
+      - pattern: request.getInputStream()
+
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: $OIS.readObject()
+      - pattern: new ObjectInputStream(...)

package/rules/unified/cwe-502/zm-taint-502-502-java-094.yaml

@@ -0,0 +1,40 @@
+# Source: taint | Cluster: CL-502-JAVA-094
+# Taint-upgraded rule: zhuma-nvd-502-502-java-094
+# Original CWE: CWE-502 | Language: java
+# Auto-generated by L1 Taint Migration
+
+rules:
+- id: zhuma-taint-502-502-java-094
+  mode: taint
+  metadata:
+    category: CWE-502
+    cwe: "CWE-502"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-502-502-java-094
+
+  message: |
+    检测到不安全反序列化风险。从不可信来源反序列化对象数据。
+
+  severity: WARNING
+  languages:
+    - java
+
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: request.getParameter(...)
+      - pattern: "@RequestBody $T $X"
+      - pattern: request.getInputStream()
+
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: $OIS.readObject()
+      - pattern: new ObjectInputStream(...)

package/rules/unified/cwe-502/zm-taint-502-502-java-095.yaml

@@ -0,0 +1,40 @@
+# Source: taint | Cluster: CL-502-JAVA-095
+# Taint-upgraded rule: zhuma-nvd-502-502-java-095
+# Original CWE: CWE-502 | Language: java
+# Auto-generated by L1 Taint Migration
+
+rules:
+- id: zhuma-taint-502-502-java-095
+  mode: taint
+  metadata:
+    category: CWE-502
+    cwe: "CWE-502"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-502-502-java-095
+
+  message: |
+    检测到不安全反序列化风险。从不可信来源反序列化对象数据。
+
+  severity: WARNING
+  languages:
+    - java
+
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: request.getParameter(...)
+      - pattern: "@RequestBody $T $X"
+      - pattern: request.getInputStream()
+
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: $OIS.readObject()
+      - pattern: new ObjectInputStream(...)

package/rules/unified/cwe-502/zm-taint-502-502-java-097.yaml

@@ -0,0 +1,40 @@
+# Source: taint | Cluster: CL-502-JAVA-097
+# Taint-upgraded rule: zhuma-nvd-502-502-java-097
+# Original CWE: CWE-502 | Language: java
+# Auto-generated by L1 Taint Migration
+
+rules:
+- id: zhuma-taint-502-502-java-097
+  mode: taint
+  metadata:
+    category: CWE-502
+    cwe: "CWE-502"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-502-502-java-097
+
+  message: |
+    检测到不安全反序列化风险。从不可信来源反序列化对象数据。
+
+  severity: WARNING
+  languages:
+    - java
+
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: request.getParameter(...)
+      - pattern: "@RequestBody $T $X"
+      - pattern: request.getInputStream()
+
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: $OIS.readObject()
+      - pattern: new ObjectInputStream(...)