npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/unified/cwe-601/zm-php-cwe601-open-redirect.yaml ADDED Viewed

@@ -0,0 +1,107 @@
+# Source: common | Cluster: N/A
+# CWE-601: PHP URL 重定向/转发检测
+# 逐码 ZhuMa V4.3 — PHP 通用规则库
+# 检测: header("Location: ...") 使用用户可控 URL
+rules:
+# ZM-PHP-REDIRECT-001: header("Location:") URL 来自 $_GET/$_POST
+- id: zm-php-cwe601-open-redirect-001
+  severity: ERROR
+  message: |
+    检测到 header("Location: ...") 的重定向 URL 来自 $_GET/$_POST 等用户输入。
+    攻击者利用开放重定向进行钓鱼攻击（将用户重定向到恶意网站）、
+    OAuth 回调劫持、绕过 URL 白名单等。
+    修复方案:
+    1. 禁止使用用户输入作为重定向目标
+    2. 使用白名单映射:
+       $allowed = ['home' => '/index.php', 'profile' => '/profile.php'];
+       $target = $allowed[$_GET['redirect']] ?? '/index.php';
+       header("Location: " . $target);
+    3. 验证重定向 URL 仅允许同域或相对路径
+    4. 使用 parse_url() 检查 host 与当前域名匹配
+    5. 参考 OWASP 开放重定向防御
+  languages:
+    - php
+  pattern-either:
+    - pattern: 'header("Location: " . $_GET[$X])'
+    - pattern: 'header("Location: " . $_POST[$X])'
+    - pattern: 'header("Location: " . $_REQUEST[$X])'
+    - pattern: 'header("Location: $_GET[$X]")'
+    - pattern: 'header("Location: $_POST[$X]")'
+    - pattern: 'header("Location: $_REQUEST[$X]")'
+  metadata:
+    cwe: "CWE-601: URL Redirection to Untrusted Site (Open Redirect)"
+    severity: ERROR
+    precision: high
+    category: open-redirect
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
+# ZM-PHP-REDIRECT-002: header("Location:") 拼接用户输入
+- id: zm-php-cwe601-open-redirect-002
+  severity: ERROR
+  message: |
+    检测到 header("Location: ...") 的重定向 URL 经过字符串拼接包含用户输入。
+    即使混合了固定路径，攻击者仍可通过 // 或 @ 符号绕过。
+    修复方案:
+    1. 使用 parse_url() 提取 path 部分并校验
+    2. 使用白名单 ID 映射到固定 URL
+    3. 仅允许以 "/" 开头的相对路径
+  languages:
+    - php
+  pattern-either:
+    - pattern: 'header("Location: " . $DOMAIN . $_GET[$X])'
+    - pattern: 'header("Location: " . $PATH . $_GET[$X])'
+    - pattern: |
+        $URL = $STR . $_GET[$X];
+        ...
+        header($LOC . $URL);
+  metadata:
+    cwe: "CWE-601: URL Redirection to Untrusted Site (Open Redirect)"
+    severity: ERROR
+    precision: high
+    category: open-redirect
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A01:2021 - Broken Access Control"
+# ZM-PHP-REDIRECT-003: Laravel redirect() 使用用户输入
+- id: zm-php-cwe601-open-redirect-003
+  severity: ERROR
+  message: |
+    检测到 Laravel redirect()->to()/away() 使用用户请求参数作为重定向目标。
+    Laravel 的 redirect()->to() 不会自动校验 URL，存在开放重定向风险。
+    修复方案:
+    1. 使用命名路由: redirect()->route('home')
+    2. 使用 redirect()->intended() 结合用户登录
+    3. 校验 URL 为相对路径: str_starts_with($url, '/')
+    4. 使用 URL 白名单
+  languages:
+    - php
+  pattern-either:
+    - pattern: redirect()->to($request->input(...))
+    - pattern: redirect()->to($request->get(...))
+    - pattern: redirect()->away($request->input(...))
+    - pattern: redirect()->away($request->get(...))
+    - pattern: redirect()->to($_GET[$X])
+    - pattern: redirect()->to($_POST[$X])
+    - pattern: redirect($_GET[$X])
+    - pattern: redirect($_POST[$X])
+    - pattern: redirect()->back()->withInput()
+  metadata:
+    cwe: "CWE-601: URL Redirection to Untrusted Site (Open Redirect)"
+    severity: ERROR
+    precision: high
+    category: open-redirect
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://laravel.com/docs/redirects"

package/rules/unified/cwe-601/zm-taint-601-601-go-178.yaml ADDED Viewed

@@ -0,0 +1,41 @@
+# Source: taint | Cluster: CL-601-GO-178
+# Taint-upgraded rule: zhuma-nvd-601-601-go-178
+# Original CWE: CWE-601 | Language: go
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-601-601-go-178
+  mode: taint
+  metadata:
+    category: CWE-601
+    cwe: "CWE-601"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-601-601-go-178
+  message: |
+    检测到开放重定向风险。重定向目标URL未经验证，可能被用于钓鱼。
+  severity: WARNING
+  languages:
+    - go
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: r.URL.Query().Get(...)
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: http.Redirect(...)
+  pattern-sanitizers:
+  - patterns:
+    - pattern-either:
+      - pattern: url.Parse

package/rules/unified/cwe-601/zm-taint-601-601-python-177.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+# Source: taint | Cluster: CL-601-PYTHON-177
+# Taint-upgraded rule: zhuma-nvd-601-601-python-177
+# Original CWE: CWE-601 | Language: python
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-601-601-python-177
+  mode: taint
+  metadata:
+    category: CWE-601
+    cwe: "CWE-601"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-601-601-python-177
+  message: |
+    检测到开放重定向风险。重定向目标URL未经验证，可能被用于钓鱼。
+  severity: WARNING
+  languages:
+    - python
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: request.args.get(...)
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: redirect(...)
+  pattern-sanitizers:
+  - patterns:
+    - pattern-either:
+      - pattern: urlparse
+      - pattern: url_for

package/rules/unified/cwe-611/cwe-611-xxe.yaml ADDED Viewed

@@ -0,0 +1,71 @@
+# Source: common | Cluster: N/A
+# CWE-611: XML 外部实体注入 (XXE) 检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+rules:
+# ZM-JAVA-XXE-001: DocumentBuilderFactory 未禁用外部实体
+- id: zm-java-xxe-001
+  severity: HIGH
+  message: |
+    检测到 DocumentBuilderFactory 未禁用 DTD 和外部实体解析。
+    攻击者可构造恶意 XML 触发 XXE 攻击读取任意文件、内网探测或 DoS。
+    必须设置 setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
+    或 setFeature("http://xml.org/sax/features/external-general-entities", false)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        DocumentBuilderFactory $DBF = DocumentBuilderFactory.newInstance();
+        ...
+        $DBF.newDocumentBuilder().parse(...);
+    - pattern: |
+        DocumentBuilderFactory $DBF = DocumentBuilderFactory.newInstance();
+        ...
+        $PARSER = $DBF.newDocumentBuilder();
+        ...
+        $PARSER.parse(...);
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    owasp: "A05:2021 - Security Misconfiguration"
+    precision: medium
+# ZM-JAVA-XXE-002: SAXParserFactory 未禁用外部实体
+- id: zm-java-xxe-002
+  severity: HIGH
+  message: |
+    SAXParserFactory 未禁用外部实体解析，存在 XXE 攻击风险。
+    必须设置 setFeature("http://xml.org/sax/features/external-general-entities", false)。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        SAXParserFactory $SPF = SAXParserFactory.newInstance();
+        ...
+        $SPF.newSAXParser().parse(...);
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    owasp: "A05:2021 - Security Misconfiguration"
+    precision: medium
+# ZM-JAVA-XXE-003: XMLInputFactory 未禁用外部实体
+- id: zm-java-xxe-003
+  severity: HIGH
+  message: |
+    XMLInputFactory 未禁用外部实体和 DTD 处理，存在 XXE 攻击风险。
+    应设置 XMLInputFactory.SUPPORT_DTD 为 false。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        XMLInputFactory $XIF = XMLInputFactory.newInstance();
+        ...
+        $XIF.createXMLEventReader(...);
+    - pattern: |
+        XMLInputFactory $XIF = XMLInputFactory.newInstance();
+        ...
+        $XIF.createXMLStreamReader(...);
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    owasp: "A05:2021 - Security Misconfiguration"
+    precision: medium

package/rules/unified/cwe-611/zm-cs-cwe611-xxe.yaml ADDED Viewed

@@ -0,0 +1,87 @@
+# Source: common | Cluster: N/A
+# CWE-611: C# XXE 检测规则
+# 逐码 ZhuMa V4.3 — C# 规则库
+#
+# 检测 .NET XML 解析器中未禁用 DTD/外部实体的不安全配置。
+rules:
+# ZM-CS-CWE611-001: XmlReaderSettings 未禁用 DTD
+- id: zm-cs-cwe611-xxe-001
+  severity: ERROR
+  message: |
+    检测到 XmlReaderSettings 配置但 DtdProcessing 未设置为 Prohibit。
+    默认情况下，.NET Framework 中 DtdProcessing 为 Prohibit (安全)，
+    但 .NET Core 中早期版本默认为 Parse (不安全)。
+    允许 DTD 解析会导致 XML 外部实体注入 (XXE) 攻击。
+    修复方案：
+    - 设置 DtdProcessing = DtdProcessing.Prohibit
+    - 或设置 XmlResolver = null 阻止外部实体解析
+    - 使用 XmlReader.Create() 的安全默认行为（.NET 4.5.2+）
+  languages:
+    - csharp
+  pattern-either:
+    - pattern: new XmlReaderSettings { DtdProcessing = DtdProcessing.Parse }
+    - pattern: DtdProcessing = DtdProcessing.Parse
+    - pattern: $SETTINGS.DtdProcessing = DtdProcessing.Parse
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    owasp: "A05:2021 - Security Misconfiguration"
+    category: security
+    precision: high
+    references:
+      - "https://cwe.mitre.org/data/definitions/611.html"
+      - "https://learn.microsoft.com/en-us/dotnet/standard/data/xml/xml-processing-options"
+# ZM-CS-CWE611-002: XmlDocument 无安全配置
+- id: zm-cs-cwe611-xxe-002
+  severity: ERROR
+  message: |
+    检测到 XmlDocument 的 Load()/LoadXml() 未预先配置 XmlReaderSettings
+    禁用 DTD 和外部实体。使用默认配置的 XmlDocument 处理不可信 XML
+    将导致 XXE 攻击，攻击者可读取本地文件、发起 SSRF 或 DoS。
+    修复方案：
+    - 创建 XmlReaderSettings 并设置 DtdProcessing.Prohibit
+    - 通过 XmlReader.Create(stream, settings) 包装后再 Load
+    - .NET 4.5.2+ 使用 XmlReader.Create() 默认禁用 DTD
+    - 设置 XmlResolver = null
+  languages:
+    - csharp
+  pattern-either:
+    - pattern: $DOC.Load($STREAM)
+    - pattern: $DOC.LoadXml($XMLSTR)
+    - pattern: $DOC.Load($READER)
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    owasp: "A05:2021 - Security Misconfiguration"
+    category: security
+    precision: medium
+    references:
+      - "https://cwe.mitre.org/data/definitions/611.html"
+# ZM-CS-CWE611-003: XPathDocument/XslCompiledTransform 无安全配置
+- id: zm-cs-cwe611-xxe-003
+  severity: ERROR
+  message: |
+    检测到 XSLT 转换相关类使用，如果未禁用 DTD 可能成为 XXE 攻击向量。
+    XslCompiledTransform 在处理不可信 XSLT 时同样易受 XXE 影响。
+    修复方案：
+    - 使用安全的 XmlReader 设置包装输入流
+    - 启用 XSLT 脚本时需要额外安全审查（XSLT 可执行脚本代码）
+    - 设置 XmlResolver = null
+  languages:
+    - csharp
+  pattern-either:
+    - pattern: new XPathDocument($INPUT)
+    - pattern: $XSLT.Load($INPUT)
+    - pattern: $XSLT.Transform($INPUT, ...)
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    owasp: "A05:2021 - Security Misconfiguration"
+    category: security
+    precision: low
+    references:
+      - "https://cwe.mitre.org/data/definitions/611.html"

package/rules/unified/cwe-611/zm-java-cwe611-xxe-enhanced.yaml ADDED Viewed

@@ -0,0 +1,81 @@
+# Source: common | Cluster: N/A
+# CWE-611: XXE 增强检测 — TransformerFactory / Validator / SAXBuilder
+# 逐码 ZhuMa V4.1 — 通用规则库
+# 覆盖 xm-java-xxe 未覆盖的 Sinks
+rules:
+# ZM-JAVA-XXE-E01: TransformerFactory.newTransformer(StreamSource) 未配置 secure-processing
+- id: zm-java-xxe-e01
+  severity: ERROR
+  message: |
+    TransformerFactory.newTransformer() 使用 StreamSource 解析 XML，
+    未设置 FEATURE_SECURE_PROCESSING 或禁用外部实体。
+    攻击者可通过外部实体注入读取本地文件、发起 SSRF。
+    修复: tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $TF.newTransformer(new StreamSource($REQ.getInputStream()))
+    - pattern: |
+        $TF.newTransformer(new StreamSource($REQ.getReader()))
+    - pattern: |
+        $TF.newTransformer(new StreamSource($REQ.getParameter($PARAM)))
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+# ZM-JAVA-XXE-E02: Validator.validate(StreamSource) 用户输入
+- id: zm-java-xxe-e02
+  severity: ERROR
+  message: |
+    Validator.validate() 使用 StreamSource 且 Source 来自用户输入。
+    Validator 默认未禁用外部实体，攻击者可注入 XXE。
+    修复: 设置 XMLConstants.ACCESS_EXTERNAL_DTD/Schema 为空字符串
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $VAL.validate(new StreamSource($REQ.getInputStream()))
+    - pattern: |
+        $VAL.validate(new StreamSource($REQ.getReader()))
+    - pattern: |
+        $VAL.validate(new StreamSource($REQ.getParameter($PARAM)))
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+# ZM-JAVA-XXE-E03: SAXBuilder (JDOM) + 用户输入
+- id: zm-java-xxe-e03
+  severity: ERROR
+  message: |
+    JDOM SAXBuilder.build() 解析用户输入 XML，未禁用外部实体。
+    SAXBuilder 默认启用 DTD 和外部实体解析。
+    修复: builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
+  languages:
+    - java
+  patterns:
+    - pattern-inside: |
+        import org.jdom2.input.SAXBuilder;
+        ...
+    - pattern: |
+        $SB.build($REQ.getInputStream())
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/unified/cwe-611/zm-java-cwe611-xxe-transformer.yaml ADDED Viewed

@@ -0,0 +1,86 @@
+# Source: common | Cluster: N/A
+# CWE-611: XXE — DocumentBuilderFactory / SAXParser / XMLInputFactory
+# ZhuMa V4.1 — complementary to zm-java-cwe611-xxe-enhanced.yaml
+rules:
+# ZM-JAVA-XXE-DBF-001: DocumentBuilderFactory + user XML without secure processing
+- id: zm-java-xxe-dbf-001
+  severity: ERROR
+  message: |
+    DocumentBuilderFactory.parse() receives untrusted XML input without disabling external entities.
+    Attacker can read local files (file:///etc/passwd) or perform SSRF via XXE.
+    Fix: dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) and dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $DBF.newDocumentBuilder().parse($REQ.getInputStream())
+    - pattern: |
+        $DBF.newDocumentBuilder().parse($REQ.getReader())
+    - pattern: |
+        $DBF.newDocumentBuilder().parse($SRC);
+        ...
+        $SRC = new InputSource($REQ.getInputStream());
+    - pattern: |
+        DocumentBuilderFactory.newInstance().newDocumentBuilder().parse($REQ.getInputStream())
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+# ZM-JAVA-XXE-SAX-001: SAXParser + user XML without disabling DTD
+- id: zm-java-xxe-sax-001
+  severity: ERROR
+  message: |
+    SAXParser.parse() receives untrusted XML — DTD/external entities enabled by default.
+    Fix: spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) and spf.setFeature("http://xml.org/sax/features/external-general-entities", false)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $SAX.parse($REQ.getInputStream(), $HANDLER)
+    - pattern: |
+        $SAX.parse(new InputSource($REQ.getInputStream()))
+    - pattern: |
+        $SAX.parse(new InputSource($REQ.getReader()))
+    - pattern: |
+        SAXParserFactory.newInstance().newSAXParser().parse($REQ.getInputStream(), $H)
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+# ZM-JAVA-XXE-STAX-001: XMLInputFactory + user XML without external entity restriction
+- id: zm-java-xxe-stax-001
+  severity: ERROR
+  message: |
+    StAX XMLInputFactory creates reader from user XML — external entities enabled by default.
+    Fix: factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false) and factory.setProperty(XMLInputFactory.SUPPORT_DTD, false)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $FACTORY.createXMLStreamReader($REQ.getInputStream())
+    - pattern: |
+        $FACTORY.createXMLEventReader($REQ.getInputStream())
+    - pattern: |
+        XMLInputFactory.newInstance().createXMLStreamReader($REQ.getInputStream())
+    - pattern: |
+        XMLInputFactory.newInstance().createXMLEventReader($REQ.getInputStream())
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/unified/cwe-611/zm-java-xxe-cwe611-003.yaml ADDED Viewed

@@ -0,0 +1,106 @@
+# Source: common | Cluster: N/A
+# CWE-611: XXE深入 — DocumentBuilder以外的XML解析器覆盖
+# ZhuMa V4.1 — XXE全解析器深度检测
+# 覆盖: SAXParser / StAX XMLEventReader / DOM4J SAXReader
+rules:
+# ZM-JAVA-XXE-SAX-001: SAXParser解析用户输入未禁用DTD
+- id: zm-java-xxe-sax-001
+  severity: ERROR
+  message: |
+    SAXParser.parse() 直接解析HTTP请求中的XML，未设置禁用DTD和外部实体。
+    SAXParser默认启用外部实体解析，攻击者可读取服务器敏感文件(/etc/passwd)或发起SSRF。
+    修复: 设置 SAXParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
+          + setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
+          + setFeature(XMLConstants.ACCESS_EXTERNAL_DTD, "")
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        SAXParserFactory.newInstance().newSAXParser().parse($REQ.getInputStream(), $DH)
+    - pattern: |
+        $SP.parse($REQ.getInputStream(), $DH)
+    - pattern: |
+        $SP.parse(new InputSource($REQ.getInputStream()))
+    - pattern: |
+        $SP.parse(new InputSource($REQ.getReader()))
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2017-12615"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2019-12415"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
+# ZM-JAVA-XXE-STAX-001: StAX XMLEventReader/XMLStreamReader 解析用户XML
+- id: zm-java-xxe-stax-001
+  severity: ERROR
+  message: |
+    XMLEventReader/XMLStreamReader直接解析HTTP输入流，未禁用DTD — XXE注入。
+    尽管StAX解析器默认相对安全，但未显式设置 XMLInputFactory.SUPPORT_DTD=false
+    在部分实现中仍可能处理外部实体。CVE-2019-12415: Apache POI XSSF XXE via StAX。
+    修复: XMLInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false)
+          + setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $FACTORY.createXMLEventReader($REQ.getInputStream())
+    - pattern: |
+        $FACTORY.createXMLStreamReader($REQ.getInputStream())
+    - pattern: |
+        XMLInputFactory.newInstance().createXMLEventReader($REQ.getInputStream())
+    - pattern: |
+        XMLInputFactory.newInstance().createXMLStreamReader($REQ.getInputStream())
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: medium
+    category: xxe
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2019-12415"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-33813"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
+      - "https://rules.sonarsource.com/java/RSPEC-2755/"
+# ZM-JAVA-XXE-DOM4J-001: DOM4J SAXReader 解析用户XML
+- id: zm-java-xxe-dom4j-001
+  severity: ERROR
+  message: |
+    DOM4J SAXReader.read() 直接解析HTTP请求输入流 — XXE注入。
+    DOM4J SAXReader默认不安全，必须显式禁用DOCTYPE声明和外部实体。
+    CVE-2021-33813: JDOM2 XXE via SAXBuilder (类似dom4j模式); CVE-2020-10683: dom4j XXE.
+    修复: reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
+          + reader.setFeature("http://xml.org/sax/features/external-general-entities", false)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new SAXReader().read($REQ.getInputStream())
+    - pattern: |
+        $READER.read($REQ.getInputStream())
+    - pattern: |
+        new SAXReader().read(new InputSource($REQ.getInputStream()))
+    - pattern: |
+        $READER.read($REQ.getReader())
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-10683"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-33813"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"