npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/unified/cwe-639/zm-java-cwe639-idor.yaml ADDED Viewed

@@ -0,0 +1,124 @@
+# Source: common | Cluster: N/A
+# CWE-639: 不安全的直接对象引用 (IDOR) 检测
+# 逐码 ZhuMa V4.1 — 通用规则库
+rules:
+- id: zm-java-idor-001
+  severity: WARNING
+  message: |
+    REST Controller 从 @PathVariable 获取资源 ID 直接查询，
+    未发现 @PreAuthorize 注解或资源所有权校验。
+    修复方案:
+    1. 添加 @PreAuthorize 验证用户权限
+    2. 查询时关联当前用户: WHERE id = :id AND user_id = :currentUserId
+    3. 使用 UUID 替代自增 ID
+  languages:
+    - java
+  patterns:
+    - pattern-either:
+        - pattern: |
+            @GetMapping(...)
+            public $RET $METHOD(@PathVariable $IDTYPE $ID) {
+              ...
+              $DAO.findById($ID);
+              ...
+            }
+        - pattern: |
+            @PutMapping(...)
+            public $RET $METHOD(@PathVariable $IDTYPE $ID) {
+              ...
+              $DAO.findById($ID);
+              ...
+            }
+        - pattern: |
+            @DeleteMapping(...)
+            public $RET $METHOD(@PathVariable $IDTYPE $ID) {
+              ...
+              $DAO.deleteById($ID);
+              ...
+            }
+    - pattern-not: |
+        @PreAuthorize($X)
+  metadata:
+    cwe: "CWE-639"
+    severity: WARNING
+    precision: medium
+    category: auth
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+- id: zm-java-idor-002
+  severity: WARNING
+  message: |
+    Controller 中路径变量 ID 直接传入数据访问层查询，
+    未发现将当前用户身份作为查询条件的代码。
+    修复方案:
+    1. DAO 层添加用户关联: findBy*AndUserId(id, currentUserId)
+    2. 使用 @PostAuthorize 校验返回对象所有权
+  languages:
+    - java
+  patterns:
+    - pattern-either:
+        - pattern: |
+            @$MAPPING(...)
+            public $RET $METHOD(@PathVariable("$IDNAME") $IDTYPE $IDVAR, ...) {
+              ...
+              $DAO.$FINDBY($IDVAR);
+              ...
+            }
+        - pattern: |
+            @$MAPPING(...)
+            public $RET $METHOD(@PathVariable("$IDNAME") $IDTYPE $IDVAR, ...) {
+              ...
+              $REPO.$FINDBY($IDVAR);
+              ...
+            }
+    - pattern-not: |
+        @PreAuthorize($X)
+  metadata:
+    cwe: "CWE-639"
+    severity: WARNING
+    precision: low
+    category: auth
+    likelihood: HIGH
+    impact: MEDIUM
+    owasp: "A01:2021 - Broken Access Control"
+- id: zm-java-idor-003
+  severity: WARNING
+  message: |
+    Controller 从 @RequestParam 获取资源 ID 直接查询数据库，无 @PreAuthorize 保护。
+    修复方案:
+    1. 添加 @PreAuthorize 验证
+    2. 查询结果关联当前用户身份
+    3. 不一致则返回 403
+  languages:
+    - java
+  patterns:
+    - pattern-either:
+        - pattern: |
+            @$MAPPING(...)
+            public $RET $METHOD(@RequestParam("$IDNAME") $IDTYPE $IDVAR, ...) {
+              ...
+              $DAO.findById($IDVAR);
+              ...
+            }
+        - pattern: |
+            @$MAPPING(...)
+            public $RET $METHOD(@RequestParam("$IDNAME") $IDTYPE $IDVAR, ...) {
+              ...
+              $REPO.findById($IDVAR);
+              ...
+            }
+    - pattern-not: |
+        @PreAuthorize($X)
+  metadata:
+    cwe: "CWE-639"
+    severity: WARNING
+    precision: medium
+    category: auth
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"

package/rules/unified/cwe-639/zm-js-cwe639-idor.yaml ADDED Viewed

@@ -0,0 +1,123 @@
+# Source: common | Cluster: N/A
+# CWE-639: Node.js 不安全直接对象引用 (IDOR) 检测
+# 逐码 ZhuMa V4.1 Sprint — JS/TS 规则库
+# 覆盖: req.params.id直传DB查询、express路由参数未校验所有权
+rules:
+# ZM-JS-IDOR-001: req.params.id 直接传入数据库查询无所有权校验
+- id: zm-js-idor-001
+  severity: WARNING
+  message: |
+    检测到 Express 路由中 req.params.id 直接传入数据库查询(如 findById / findOne)，
+    未发现所有权校验(如关联 currentUser.id 过滤)。
+    攻击者可通过遍历ID访问其他用户的资源(订单、文档、个人资料等):
+    GET /api/orders/123 → 修改为 GET /api/orders/124 可查看他人订单
+    修复:
+    1. 查询时关联当前用户: Model.findOne({ _id: id, userId: req.user.id })
+    2. 使用中间件校验资源所有权后再执行控制器
+    3. 使用 UUID/nanoid 替代自增ID
+    4. 在数据访问层统一添加所有权过滤
+  languages:
+    - javascript
+    - typescript
+  patterns:
+    - pattern-either:
+        # Mongoose
+        - pattern: |
+            $MODEL.findById($REQ.params.$ID, ...)
+        - pattern: |
+            $MODEL.findOne({_id: $REQ.params.$ID, ...}, ...)
+        - pattern: |
+            $MODEL.findByIdAndUpdate($REQ.params.$ID, ...)
+        - pattern: |
+            $MODEL.findByIdAndDelete($REQ.params.$ID, ...)
+        # Sequelize
+        - pattern: |
+            $MODEL.findByPk($REQ.params.$ID, ...)
+        - pattern: |
+            $MODEL.findOne({where: {id: $REQ.params.$ID, ...}}, ...)
+        - pattern: |
+            $MODEL.destroy({where: {id: $REQ.params.$ID, ...}}, ...)
+        # Knex
+        - pattern: |
+            $DB($TABLE).where('id', $REQ.params.$ID)
+        - pattern: |
+            $DB($TABLE).where({id: $REQ.params.$ID})
+    - pattern-not-inside: |
+        {...userId: ..., ...}
+    - pattern-not-inside: |
+        {...user: ..., ...}
+  metadata:
+    cwe: "CWE-639: Authorization Bypass Through User-Controlled Key"
+    owasp: "A01:2021 - Broken Access Control"
+    category: idor
+    precision: medium
+    confidence: high
+    references:
+      - "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References"
+# ZM-JS-IDOR-002: req.body.xxx 资源ID未校验所有权写入
+- id: zm-js-idor-002
+  severity: WARNING
+  message: |
+    检测到使用 req.body.xxx 中的资源ID进行更新/删除操作，未关联当前用户身份校验。
+    攻击者可修改请求体中的ID字段，越权操作他人的资源。
+    修复:
+    1. 从认证上下文获取当前用户ID，而非从请求体
+    2. 查询时添加所有权过滤条件
+    3. 使用 JWT token 中提取的用户身份做关联
+  languages:
+    - javascript
+    - typescript
+  patterns:
+    - pattern-either:
+        - pattern: |
+            $MODEL.updateOne({_id: $REQ.body.$ID, ...}, ...)
+        - pattern: |
+            $MODEL.updateMany({_id: $REQ.body.$ID, ...}, ...)
+        - pattern: |
+            $MODEL.deleteOne({_id: $REQ.body.$ID, ...})
+        - pattern: |
+            $MODEL.findOneAndUpdate({_id: $REQ.body.$ID, ...}, ...)
+    - pattern-not-inside: |
+        {...userId: ..., ...}
+    - pattern-not-inside: |
+        {...user: ..., ...}
+  metadata:
+    cwe: "CWE-639: Authorization Bypass Through User-Controlled Key"
+    owasp: "A01:2021 - Broken Access Control"
+    category: idor
+    precision: medium
+    confidence: high
+# ZM-JS-IDOR-003: GraphQL resolver 直接使用 args.id 无权限校验
+- id: zm-js-idor-003
+  severity: WARNING
+  message: |
+    检测到 GraphQL resolver 中直接使用 args.id 查询数据库，无所有权校验。
+    GraphQL 查询可任意指定ID参数，需在 resolver 中校验资源所属。
+    修复:
+    1. 在 resolver 中从 context 获取当前用户并关联查询
+    2. 使用 DataLoader 批量加载时自动注入所有权过滤
+    3. 实现 GraphQL shield / 自定义 directive 做权限控制
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        $MODEL.findById($ARGS.id, ...)
+    - pattern: |
+        $MODEL.findOne({_id: $ARGS.id, ...}, ...)
+    - pattern: |
+        $MODEL.findByPk($ARGS.id, ...)
+  metadata:
+    cwe: "CWE-639: Authorization Bypass Through User-Controlled Key"
+    owasp: "A01:2021 - Broken Access Control"
+    category: idor
+    precision: medium
+    confidence: high

package/rules/unified/cwe-643/zm-java-cwe643-xpath-injection.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+# Source: common | Cluster: N/A
+# CWE-643: XPath 注入检测
+# 逐码 ZhuMa V4.3 — XPath 注入专项
+rules:
+# ZM-JAVA-CWE643-XPATH-001: XPath 查询拼接用户输入
+- id: zm-java-cwe643-xpath-001
+  severity: ERROR
+  message: |
+    XPath 查询表达式使用字符串拼接包含用户输入，攻击者可通过注入 XPath 语法
+    （' or '1'='1、|、//）绕过认证逻辑或提取所有 XML 数据。
+    修复: 1. 使用参数化 XPath: XPathExpression + VariableResolver
+    2. 对用户输入做 XPath 特殊字符转义（单引号、双引号、方括号）
+    3. 使用预编译 XPath 表达式: XPath.compile(expression)
+  languages:
+    - java
+  pattern-either:
+    - pattern: $XPATH.evaluate("//user[name='" + $REQ.getParameter(...) + "']", $DOC)
+    - pattern: $XPATH.evaluate("//" + $REQ.getParameter(...), $DOC)
+    - pattern: $XPATH.compile("//user[name='" + $REQ.getParameter(...) + "']")
+    - pattern: $XPATH.evaluate("//" + $REQ.getParameter(...), $DOC, $QNAME)
+    - pattern: $XPATH.evaluate($REQ.getParameter(...), $DOC)
+  metadata:
+    cwe: "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')"
+    severity: ERROR
+    precision: very-high
+    category: injection
+    owasp: "A03:2021 - Injection"
+    likelihood: HIGH
+    impact: CRITICAL
+# ZM-JAVA-CWE643-XPATH-002: XPathExpression 用户可控路径
+- id: zm-java-cwe643-xpath-002
+  severity: WARNING
+  message: |
+    XPathFactory 编译用户可控的 XPath 表达式，攻击者可通过 // 遍历所有节点
+    或构造布尔盲注提取数据。
+    修复: XPath 表达式应为编译时常量，不要从请求参数中获取。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $FACTORY = XPathFactory.newInstance();
+        $XPATH = $FACTORY.newXPath();
+        $EXPR = $XPATH.compile($REQ.getParameter(...));
+    - pattern: |
+        XPathFactory.newInstance().newXPath().compile($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')"
+    severity: WARNING
+    precision: very-high
+    category: injection
+    owasp: "A03:2021 - Injection"
+    likelihood: HIGH
+    impact: HIGH

package/rules/unified/cwe-676/zm-cpp-cwe676-dangerous-function.yaml ADDED Viewed

@@ -0,0 +1,86 @@
+# Source: common | Cluster: N/A
+# CWE-676: C/C++ 危险函数使用检测规则
+# 逐码 ZhuMa V4.3 — C/C++ 规则库
+#
+# 检测已被标准废除或已知不安全的 C/C++ 函数使用。
+rules:
+# ZM-CPP-CWE676-001: gets() — 已废弃的极端危险函数
+- id: zm-cpp-cwe676-dangerous-function-001
+  severity: ERROR
+  message: |
+    检测到 gets() 函数调用。gets() 从标准输入读取数据但无法限制长度，
+    C11 标准已正式移除该函数。任何使用都会导致必然的缓冲区溢出漏洞。
+    修复方案：
+    - 使用 fgets(buf, sizeof(buf), stdin)
+    - C++: 使用 std::getline(std::cin, str)
+    - 绝不要在任何新代码或遗留代码中使用 gets()
+  languages:
+    - c
+    - cpp
+  patterns:
+    - pattern: gets(...)
+  metadata:
+    cwe: "CWE-676: Use of Potentially Dangerous Function"
+    owasp: "A06:2021 - Vulnerable and Outdated Components"
+    category: security
+    precision: very-high
+    references:
+      - "https://cwe.mitre.org/data/definitions/676.html"
+      - "https://cwe.mitre.org/data/definitions/242.html"
+# ZM-CPP-CWE676-002: tmpnam/tempnam — 不安全的临时文件名生成
+- id: zm-cpp-cwe676-dangerous-function-002
+  severity: WARNING
+  message: |
+    检测到 tmpnam()/tempnam() 函数调用。这些函数生成可预测的临时文件名，
+    存在竞态条件漏洞（TOCTOU）：攻击者可预测文件名并提前创建符号链接
+    劫持文件操作。
+    修复方案：
+    - POSIX: 使用 mkstemp() 创建临时文件并返回文件描述符
+    - POSIX: 使用 tmpfile() 创建自动删除的匿名临时文件
+    - C11: 使用 tmpfile_s()
+    - Windows: 使用 GetTempFileName() + CREATE_NEW
+  languages:
+    - c
+    - cpp
+  pattern-either:
+    - pattern: tmpnam(...)
+    - pattern: tempnam(...)
+  metadata:
+    cwe: "CWE-676: Use of Potentially Dangerous Function"
+    owasp: "A06:2021 - Vulnerable and Outdated Components"
+    category: security
+    precision: high
+    references:
+      - "https://cwe.mitre.org/data/definitions/676.html"
+      - "https://cwe.mitre.org/data/definitions/377.html"
+# ZM-CPP-CWE676-003: mktemp — 竞态条件风险
+- id: zm-cpp-cwe676-dangerous-function-003
+  severity: WARNING
+  message: |
+    检测到 mktemp() 函数调用。mktemp() 生成可预测的临时文件名，
+    在文件名生成和文件创建之间存在竞态窗口。
+    攻击者可在该窗口内创建同名文件/符号链接，劫持后续文件操作。
+    修复方案：
+    - 使用 mkstemp() 替代（原子性地创建并打开临时文件）
+    - 使用 tmpfile() 创建匿名临时文件
+    - 如需在 shell 中使用，使用 mktemp(1) 命令而非 C 函数
+  languages:
+    - c
+    - cpp
+  patterns:
+    - pattern: mktemp(...)
+  metadata:
+    cwe: "CWE-676: Use of Potentially Dangerous Function"
+    owasp: "A06:2021 - Vulnerable and Outdated Components"
+    category: security
+    precision: high
+    references:
+      - "https://cwe.mitre.org/data/definitions/676.html"
+      - "https://cwe.mitre.org/data/definitions/377.html"

package/rules/unified/cwe-693/zm-go-cwe693-gin-middleware.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+# Source: common | Cluster: N/A
+rules:
+  - id: zm-go-gin-auth-001
+    severity: ERROR
+    message: >-
+      Gin路由组未完整覆盖认证中间件。攻击者可绕过认证访问敏感API。
+      修复：在Group上使用Use()后所有子路由通过Group注册。
+    languages: [go]
+    patterns:
+      - pattern: $R.Use($MIDDLEWARE)
+    metadata:
+      cwe: "CWE-693"
+      confidence: LOW
+      likelihood: MEDIUM
+      impact: HIGH
+      owasp: "A01:2021"
+      category: gin-security
+      cve: "CVE-2023-24539"
+  - id: zm-go-gin-bind-001
+    severity: WARNING
+    message: >-
+      Gin c.ShouldBindJSON绑定结构体但缺少validate标签约束。
+      修复：添加binding标签(required/min/max/url等)。
+    languages: [go]
+    patterns:
+      - pattern: $C.ShouldBindJSON(&$OBJ)
+    metadata:
+      cwe: "CWE-20"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: MEDIUM
+      owasp: "A03:2021"
+      category: gin-security
+  - id: zm-go-gin-next-bypass-001
+    severity: ERROR
+    message: >-
+      Gin中间件中使用c.Next()位置不当可能导致认证绕过。
+      修复：确保认证检查在c.Next()调用之前完成。
+    languages: [go]
+    patterns:
+      - pattern: $C.Next()
+    metadata:
+      cwe: "CWE-693"
+      confidence: LOW
+      likelihood: MEDIUM
+      impact: HIGH
+      owasp: "A01:2021"
+      category: gin-security
+      cve: "CVE-2023-24539"

package/rules/unified/cwe-693/zm-go-cwe693-security-headers.yaml ADDED Viewed

@@ -0,0 +1,133 @@
+# Source: common | Cluster: N/A
+# CWE-693: Go HTTP 安全头缺失检测
+# 逐码 ZhuMa V4.1 — Go 通用规则库
+# 检测: net/http 服务缺失安全响应头 / Gin 框架未配置安全头
+rules:
+# ZM-GO-HDR-001: HTTP 响应缺失 Content-Security-Policy
+- id: zm-go-sec-header-001
+  severity: INFO
+  message: |
+    检测到 HTTP handler 中未设置 Content-Security-Policy (CSP) 响应头。
+    CSP 是防御 XSS、数据注入、Clickjacking 攻击的核心安全头。
+    缺失 CSP 意味着浏览器将执行页面中所有脚本，包括攻击者注入的恶意脚本。
+    CSP 可防御的攻击类型：
+    - XSS（跨站脚本攻击）- 限制 script-src
+    - 数据注入 - 限制 style-src/img-src/connect-src
+    - Clickjacking - frame-ancestors
+    - CSS 注入 - style-src
+    - 表单劫持 - form-action
+    CVE参考:
+    - CVE-2022-22965: 缺失CSP可加剧Spring4Shell等RCE漏洞的XSS利用
+    - CVE-2021-23358: 缺失CSP导致通过模板注入的XSS可利用性提升
+    修复方案:
+    1. 设置严格的CSP:
+       w.Header().Set("Content-Security-Policy",
+         "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'")
+    2. 使用 Gin 中间件全局设置安全头
+    3. 使用 securego/gosec 或 secure 库自动添加安全头
+    4. 使用 CSP 报告模式 (report-uri/report-to) 调试策略
+    5. 参考 OWASP CSP Cheat Sheet 配置
+  languages:
+    - go
+  paths:
+    include:
+      - "**/main.go"
+      - "**/server.go"
+      - "**/router.go"
+      - "**/handler.go"
+  pattern-either:
+    - pattern: |
+        func $HANDLER(w http.ResponseWriter, r *http.Request) {
+          ...
+          w.Write($DATA)
+        }
+    - pattern: |
+        func $HANDLER(c *gin.Context) {
+          ...
+          c.String($CODE, $DATA)
+        }
+    - pattern: |
+        func $HANDLER(c *gin.Context) {
+          ...
+          c.JSON($CODE, $DATA)
+        }
+    - pattern: |
+        func $HANDLER(c *gin.Context) {
+          ...
+          c.HTML($CODE, $NAME, $DATA)
+        }
+  metadata:
+    cwe: "CWE-693: Protection Mechanism Failure"
+    severity: INFO
+    precision: low
+    category: security-headers
+    likelihood: HIGH
+    impact: MEDIUM
+    owasp: "A05:2021 - Security Misconfiguration"
+    references:
+      - "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html"
+# ZM-GO-HDR-002: HTTP 响应缺失安全头
+- id: zm-go-sec-header-002
+  severity: INFO
+  message: |
+    检测到 HTTP handler 中未设置关键安全响应头。
+    缺少的安全头使应用暴露于多种客户端攻击。
+    应设置的安全头及防御范围:
+    - Strict-Transport-Security (HSTS): 强制HTTPS，防降级攻击和Cookie劫持
+    - X-Frame-Options: 防 Clickjacking（点击劫持）
+    - X-Content-Type-Options: 防 MIME 类型嗅探攻击
+    - Referrer-Policy: 控制 Referer 信息泄露
+    - Permissions-Policy: 限制浏览器API访问（摄像头/麦克风/定位等）
+    CVE参考:
+    - CVE-2022-42889: 缺失安全头可配合 Text4Shell 漏洞进行JS注入
+    - CVE-2021-22926: HSTS缺失导致TLS剥离攻击
+    修复方案:
+    1. 设置 HSTS:
+       w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
+    2. 设置防嗅探:
+       w.Header().Set("X-Content-Type-Options", "nosniff")
+    3. 设置防点击劫持:
+       w.Header().Set("X-Frame-Options", "DENY")
+    4. 设置 Referrer-Policy:
+       w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
+    5. 使用 Gin 中间件或 net/http middleware 链统一设置
+    6. 创建 SecurityHeadersMiddleware 函数复用
+  languages:
+    - go
+  paths:
+    include:
+      - "**/main.go"
+      - "**/server.go"
+      - "**/router.go"
+      - "**/handler.go"
+  pattern-either:
+    - pattern: |
+        func $HANDLER(w http.ResponseWriter, r *http.Request) {
+          ...
+        }
+    - pattern: |
+        func $HANDLER(c *gin.Context) {
+          ...
+        }
+  metadata:
+    cwe: "CWE-693: Protection Mechanism Failure"
+    severity: INFO
+    precision: low
+    category: security-headers
+    likelihood: HIGH
+    impact: MEDIUM
+    cve: "CVE-2022-42889"
+    owasp: "A05:2021 - Security Misconfiguration"
+    references:
+      - "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers"
+      - "https://owasp.org/www-project-secure-headers/"

package/rules/unified/cwe-693/zm-js-cwe693-helmet-missing.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+# Source: common | Cluster: N/A
+# CWE-693: Express Helmet 安全头缺失检测规则
+# 逐码 ZhuMa V4.1 Sprint 1 — JS/TS 通用规则库
+rules:
+# ZM-JS-SECHEADER-001: Express 应用未使用 helmet 中间件
+- id: zm-js-secheader-001
+  severity: INFO
+  message: |
+    检测到 Express 应用中未发现 helmet() 中间件的使用。
+    helmet 可自动设置多个安全相关 HTTP 响应头（X-Content-Type-Options、
+    X-Frame-Options、Content-Security-Policy 等），缺少这些头部降低了
+    应用的纵深防御能力。
+    修复建议:
+    1. 安装并全局使用 helmet: app.use(helmet())
+    2. 按需配置各中间件（如 helmet.contentSecurityPolicy()）
+    3. 至少设置以下头部:
+       - X-Content-Type-Options: nosniff
+       - X-Frame-Options: DENY
+       - Strict-Transport-Security: max-age=31536000
+  languages:
+    - javascript
+    - typescript
+  paths:
+    include:
+      - "**/app.js"
+      - "**/server.js"
+      - "**/index.js"
+      - "**/main.js"
+      - "**/app.ts"
+      - "**/server.ts"
+      - "**/index.ts"
+      - "**/main.ts"
+  patterns:
+    - pattern-either:
+        - pattern: |
+            const $APP = express();
+            ...
+        - pattern: |
+            const $APP = express();
+            ...
+            $APP.use(...);
+            ...
+    - pattern-not-inside: |
+        ...
+        $APP.use(helmet(...));
+        ...
+  metadata:
+    cwe: "CWE-693: Protection Mechanism Failure"
+    owasp: "A05:2021 - Security Misconfiguration"
+    category: config
+    precision: low
+    references:
+      - "https://helmetjs.github.io/"
+      - "https://owasp.org/www-project-secure-headers/"

package/rules/unified/cwe-732/cwe-732-incorrect-permission.yaml ADDED Viewed

@@ -0,0 +1,50 @@
+# Source: common | Cluster: N/A
+# CWE-732: 不正确的权限分配检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+rules:
+# ZM-JAVA-IP-001: setWritable 设置过宽权限
+- id: zm-java-ip-001
+  severity: MEDIUM
+  message: |
+    检测到 setWritable/readable/executable 设置过宽的权限 (true, false 即全局可写)。
+    可能导致敏感文件被非授权用户修改。
+    生产环境应限制文件权限为所有者读写 (600)。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $FILE.setWritable(true, false);
+    - pattern: |
+        $FILE.setReadable(true, false);
+    - pattern: |
+        $FILE.setExecutable(true, false);
+    - pattern: |
+        $FILE.setWritable(true);
+    - pattern: |
+        $FILE.setReadable(true);
+    - pattern: |
+        $FILE.setExecutable(true);
+  metadata:
+    cwe: "CWE-732: Incorrect Permission Assignment for Critical Resource"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: medium
+# ZM-JAVA-IP-002: chmod 777
+- id: zm-java-ip-002
+  severity: HIGH
+  message: |
+    检测到 Runtime.exec 执行 chmod 777 命令，授予所有用户完全读写执行权限。
+    严重违反最小权限原则，可能导致任意用户篡改文件。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        Runtime.getRuntime().exec("chmod 777 ...");
+    - pattern: |
+        Runtime.getRuntime().exec("chmod -R 777 ...");
+  metadata:
+    cwe: "CWE-732: Incorrect Permission Assignment for Critical Resource"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: very-high