npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/unified/cwe-78/zm-rust-cwe78-cmdinj.yaml ADDED Viewed

@@ -0,0 +1,103 @@
+# Source: common | Cluster: N/A
+# CWE-78: Rust 命令注入检测
+# 逐码 ZhuMa V4.3 — Rust 通用规则库
+# 检测: Command::new / process::Command 使用用户输入构造命令
+rules:
+# ZM-RUST-CMD-001: Command::new() 参数来自用户输入
+- id: zm-rust-cwe78-cmdinj-001
+  severity: CRITICAL
+  message: |
+    检测到 std::process::Command::new() 参数来自用户可控的输入。
+    攻击者可通过用户输入篡改要执行的命令名称，实现任意命令执行。
+    修复方案:
+    1. 命令名称应从白名单获取，禁止来自用户输入
+       let cmd = match user_input {
+           "git" => "git",
+           "docker" => "docker",
+           _ => return Err("invalid command"),
+       };
+       Command::new(cmd)
+    2. 参数使用 .arg() 逐个传入，避免 shell 解析
+    3. 对参数进行严格白名单或格式校验
+    4. 参考 RustSec 命令注入防御指南
+  languages:
+    - rust
+  pattern-either:
+    - pattern: Command::new($USER_INPUT)
+    - pattern: std::process::Command::new($USER_INPUT)
+  metadata:
+    cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)"
+    severity: CRITICAL
+    precision: medium
+    category: command-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://doc.rust-lang.org/std/process/struct.Command.html"
+# ZM-RUST-CMD-002: Command::arg() 参数来自用户输入
+- id: zm-rust-cwe78-cmdinj-002
+  severity: CRITICAL
+  message: |
+    检测到 Command::arg() 参数直接来自用户可控输入。
+    .arg() 不会通过 shell 解析但攻击者仍可传入恶意参数（如 --exec、-c 等）
+    实现命令注入或参数注入。
+    修复方案:
+    1. 对参数做白名单或严格格式校验
+    2. 使用 .args() 传递固定参数，不混入用户输入
+    3. 对用户输入使用正则或枚举验证
+    4. 考虑使用纯 Rust 实现替代外部命令调用
+  languages:
+    - rust
+  pattern-either:
+    - pattern: |
+        Command::new(...).arg($USER_INPUT)
+    - pattern: |
+        Command::new(...).arg(format!(..., $USER_INPUT))
+  metadata:
+    cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)"
+    severity: CRITICAL
+    precision: medium
+    category: command-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+# ZM-RUST-CMD-003: Command 使用 sh -c/bash -c + 用户输入
+- id: zm-rust-cwe78-cmdinj-003
+  severity: CRITICAL
+  message: |
+    检测到使用 sh -c / cmd /c 等方式执行命令且参数含用户输入。
+    通过 shell 执行时会进行完整的 shell 解析，用户输入可注入命令分隔符
+    （; && || | ` 等）执行任意命令。
+    修复方案:
+    1. 避免使用 sh -c / cmd /c，直接调用目标命令
+    2. 若必须使用 shell，对用户输入进行严格净化
+    3. 使用 .arg() 逐个传入参数而非拼接字符串
+  languages:
+    - rust
+  pattern-either:
+    - pattern: |
+        Command::new("sh").arg("-c").arg(format!(..., $USER_INPUT))
+    - pattern: |
+        Command::new("bash").arg("-c").arg(format!(..., $USER_INPUT))
+    - pattern: |
+        Command::new("cmd").arg("/c").arg(format!(..., $USER_INPUT))
+    - pattern: |
+        Command::new("sh").arg("-c").arg($USER_INPUT)
+    - pattern: |
+        Command::new("bash").arg("-c").arg($USER_INPUT)
+  metadata:
+    cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)"
+    severity: CRITICAL
+    precision: high
+    category: command-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/unified/cwe-78/zm-taint-78-78-go-040.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+# Source: taint | Cluster: CL-78-GO-040
+# Taint-upgraded rule: zhuma-nvd-78-78-go-040
+# Original CWE: CWE-78 | Language: go
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-78-78-go-040
+  mode: taint
+  metadata:
+    category: CWE-78
+    cwe: "CWE-78"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-78-78-go-040
+  message: |
+    检测到命令注入风险。用户输入传递给系统命令执行函数。
+  severity: WARNING
+  languages:
+    - go
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: r.URL.Query().Get(...)
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: exec.Command(...)
+      - pattern: os/exec.Command(...)

package/rules/unified/cwe-78/zm-taint-78-78-go-041.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+# Source: taint | Cluster: CL-78-GO-041
+# Taint-upgraded rule: zhuma-nvd-78-78-go-041
+# Original CWE: CWE-78 | Language: go
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-78-78-go-041
+  mode: taint
+  metadata:
+    category: CWE-78
+    cwe: "CWE-78"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-78-78-go-041
+  message: |
+    检测到命令注入风险。用户输入传递给系统命令执行函数。
+  severity: WARNING
+  languages:
+    - go
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: r.URL.Query().Get(...)
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: exec.Command(...)
+      - pattern: os/exec.Command(...)

package/rules/unified/cwe-78/zm-taint-78-78-java-027.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+# Source: taint | Cluster: CL-78-JAVA-027
+# Taint-upgraded rule: zhuma-nvd-78-78-java-027
+# Original CWE: CWE-78 | Language: java
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-78-78-java-027
+  mode: taint
+  metadata:
+    category: CWE-78
+    cwe: "CWE-78"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-78-78-java-027
+  message: |
+    检测到命令注入风险。用户输入传递给系统命令执行函数。
+  severity: WARNING
+  languages:
+    - java
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: request.getParameter(...)
+      - pattern: "@RequestParam $T $X"
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: Runtime.getRuntime().exec(...)
+      - pattern: new ProcessBuilder(...).start()
+      - pattern: ProcessBuilder(...).start()
+  pattern-sanitizers:
+  - patterns:
+    - pattern-either:
+      - pattern: Pattern.compile

package/rules/unified/cwe-78/zm-taint-78-78-java-028.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+# Source: taint | Cluster: CL-78-JAVA-028
+# Taint-upgraded rule: zhuma-nvd-78-78-java-028
+# Original CWE: CWE-78 | Language: java
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-78-78-java-028
+  mode: taint
+  metadata:
+    category: CWE-78
+    cwe: "CWE-78"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-78-78-java-028
+  message: |
+    检测到命令注入风险。用户输入传递给系统命令执行函数。
+  severity: WARNING
+  languages:
+    - java
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: request.getParameter(...)
+      - pattern: "@RequestParam $T $X"
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: Runtime.getRuntime().exec(...)
+      - pattern: new ProcessBuilder(...).start()
+      - pattern: ProcessBuilder(...).start()
+  pattern-sanitizers:
+  - patterns:
+    - pattern-either:
+      - pattern: Pattern.compile

package/rules/unified/cwe-78/zm-taint-78-78-java-029.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+# Source: taint | Cluster: CL-78-JAVA-029
+# Taint-upgraded rule: zhuma-nvd-78-78-java-029
+# Original CWE: CWE-78 | Language: java
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-78-78-java-029
+  mode: taint
+  metadata:
+    category: CWE-78
+    cwe: "CWE-78"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-78-78-java-029
+  message: |
+    检测到命令注入风险。用户输入传递给系统命令执行函数。
+  severity: WARNING
+  languages:
+    - java
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: request.getParameter(...)
+      - pattern: "@RequestParam $T $X"
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: Runtime.getRuntime().exec(...)
+      - pattern: new ProcessBuilder(...).start()
+      - pattern: ProcessBuilder(...).start()
+  pattern-sanitizers:
+  - patterns:
+    - pattern-either:
+      - pattern: Pattern.compile

package/rules/unified/cwe-78/zm-taint-78-78-python-034.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+# Source: taint | Cluster: CL-78-PYTHON-034
+# Taint-upgraded rule: zhuma-nvd-78-78-python-034
+# Original CWE: CWE-78 | Language: python
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-78-78-python-034
+  mode: taint
+  metadata:
+    category: CWE-78
+    cwe: "CWE-78"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-78-78-python-034
+  message: |
+    检测到命令注入风险。用户输入传递给系统命令执行函数。
+  severity: WARNING
+  languages:
+    - python
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: request.args.get(...)
+      - pattern: request.form[...]
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: os.system(...)
+      - pattern: os.popen(...)
+      - pattern: subprocess.call(...)
+      - pattern: subprocess.Popen(...)
+      - pattern: eval(...)
+      - pattern: exec(...)
+  pattern-sanitizers:
+  - patterns:
+    - pattern-either:
+      - pattern: shlex.quote

package/rules/unified/cwe-787/cwe-787-out-of-bounds-write.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+# Source: common | Cluster: N/A
+# CWE-787: 越界写入检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+rules:
+# ZM-JAVA-OOB-001: 数组索引无边界检查
+- id: zm-java-oob-001
+  severity: MEDIUM
+  message: |
+    检测到数组访问使用变量索引但未进行边界检查。
+    可能导致 ArrayIndexOutOfBoundsException，在 native 代码中可能被利用为越界写入。
+    应检查 index >= 0 && index < array.length。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $ARR[$INDEX] = $VAL;
+  metadata:
+    cwe: "CWE-787: Out-of-bounds Write"
+    owasp: "A06:2021 - Vulnerable and Outdated Components"
+    precision: very-low
+# ZM-JAVA-OOB-002: ByteBuffer put 无 position 检查
+- id: zm-java-oob-002
+  severity: LOW
+  message: |
+    检测到 ByteBuffer.put() 写入字节数组但未检查 remaining() 容量。
+    可能导致 BufferOverflowException，降低服务可用性。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $BUF.put($DATA);
+  metadata:
+    cwe: "CWE-787: Out-of-bounds Write"
+    owasp: "A06:2021 - Vulnerable and Outdated Components"
+    precision: very-low

package/rules/unified/cwe-79/cwe-79-xss.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+# Source: common | Cluster: N/A
+# CWE-79: 跨站脚本攻击 (XSS) 检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+rules:
+# ZM-JAVA-XSS-001: response.getWriter 未转义输出 request parameter
+- id: zm-java-xss-001
+  severity: HIGH
+  message: |
+    检测到 HttpServletResponse.getWriter().print/write 直接输出用户可控变量。
+    攻击者可能注入恶意脚本导致 XSS 攻击。
+    应对输出进行 HTML 实体编码 (OWASP Java Encoder / ESAPI)。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $RESP.getWriter().print($REQ.getParameter(...));
+    - pattern: |
+        $RESP.getWriter().write($REQ.getParameter(...));
+    - pattern: |
+        $RESP.getWriter().println($REQ.getParameter(...));
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    precision: high
+# ZM-JAVA-XSS-002: request.getParameter 赋值后未转义直接输出
+- id: zm-java-xss-002
+  severity: HIGH
+  message: |
+    检测到从 HttpServletRequest 获取的参数直接输出到 response，未经 HTML 转义。
+    建议对输出进行编码：Encode.forHtml(param)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        String $VAR = $REQ.getParameter(...);
+        ...
+        $RESP.getWriter().print($VAR);
+    - pattern: |
+        String $VAR = $REQ.getParameter(...);
+        ...
+        $RESP.getWriter().write($VAR);
+    - pattern: |
+        String $VAR = $REQ.getParameter(...);
+        ...
+        $RESP.getWriter().println($VAR);
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    precision: high

package/rules/unified/cwe-79/zm-cs-cwe79-xss.yaml ADDED Viewed

@@ -0,0 +1,84 @@
+# Source: common | Cluster: N/A
+# CWE-79: C# ASP.NET XSS 检测规则
+# 逐码 ZhuMa V4.3 — C# 规则库
+#
+# 检测 ASP.NET MVC / Razor Pages 中的跨站脚本攻击 (XSS) 漏洞。
+rules:
+# ZM-CS-CWE79-001: Html.Raw() 未编码输出
+- id: zm-cs-cwe79-xss-001
+  severity: ERROR
+  message: |
+    检测到 Html.Raw() 方法使用。Html.Raw() 将字符串标记为 HTML 安全
+    并跳过 HTML 编码，如果参数包含用户输入，将导致 XSS 攻击。
+    攻击者可注入 `<script>` 标签窃取用户 Cookie/Token。
+    修复方案：
+    - 移除 Html.Raw()，使用默认 HTML 编码输出 @Model.Value
+    - 如必须渲染 HTML，使用 HTML Sanitizer 库（如 HtmlSanitizer）
+    - 对用户输入进行白名单标签过滤
+  languages:
+    - csharp
+  patterns:
+    - pattern: Html.Raw(...)
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    category: security
+    precision: high
+    references:
+      - "https://cwe.mitre.org/data/definitions/79.html"
+      - "https://owasp.org/www-community/attacks/xss/"
+# ZM-CS-CWE79-002: @Html.Raw() Razor 语法
+- id: zm-cs-cwe79-xss-002
+  severity: ERROR
+  message: |
+    在 Razor 视图 (.cshtml) 中检测到 @Html.Raw() 调用。
+    Razor 引擎默认对所有 @variable 输出进行 HTML 编码，
+    Html.Raw() 显式绕过此保护，直接输出原始 HTML。
+    如果变量来自用户输入或数据库（无编码存储），攻击者可注入 XSS payload。
+    修复方案：
+    - 使用 @variable 代替 @Html.Raw(variable)
+    - 如果需要富文本，使用 HTML Sanitizer 净化后输出
+    - 对存储在数据库中的 HTML 内容进行输入端编码
+  languages:
+    - csharp
+  patterns:
+    - pattern: Html.Raw(...)
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    category: security
+    precision: high
+    references:
+      - "https://cwe.mitre.org/data/definitions/79.html"
+      - "https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting"
+# ZM-CS-CWE79-003: Response.Write 未编码
+- id: zm-cs-cwe79-xss-003
+  severity: ERROR
+  message: |
+    检测到 Response.Write() 或 HttpContext.Current.Response.Write() 输出内容。
+    与 Razor 视图不同，Response.Write() 直接写入 HTTP 响应流，不进行 HTML 编码。
+    如果输出内容包含用户输入，将导致反射型 XSS。
+    修复方案：
+    - 使用 Server.HtmlEncode() 编码输出: Response.Write(Server.HtmlEncode(input))
+    - 在 ASP.NET Core 中使用 HtmlEncoder.Default.Encode()
+    - 尽量使用 Razor 视图框架代替 Response.Write()
+  languages:
+    - csharp
+  pattern-either:
+    - pattern: Response.Write(...)
+    - pattern: HttpContext.Current.Response.Write(...)
+    - pattern: $RESP.Write(...)
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    category: security
+    precision: low
+    references:
+      - "https://cwe.mitre.org/data/definitions/79.html"

package/rules/unified/cwe-79/zm-go-cwe79-framework-xss.yaml ADDED Viewed

@@ -0,0 +1,134 @@
+# Source: common | Cluster: N/A
+# CWE-79: Gin/Echo XSS 框架特化检测
+# 逐码 ZhuMa V4.3 — Go 框架特化规则库
+# 检测: c.HTML(c.String含用户输入)、c.Redirect含用户输入、template.HTMLEscape缺失
+rules:
+# ZM-GO-GIN-XSS-001: Gin c.HTML含用户输入
+- id: zm-go-gin-xss-001
+  severity: WARNING
+  message: |
+    检测到 Gin 框架的 c.HTML() / c.String() 中直接输出用户输入。
+    c.String返回纯文本无XSS风险，但c.HTML会将内容作为HTML渲染。
+    若模板中对用户输入使用 |safe 或 autoescape关闭，则存在XSS。
+    修复方案:
+    1. 使用 c.HTML() 配合模板变量(自动转义)而非直接拼HTML字符串
+    2. 对用户输入使用 html.EscapeString() 转义
+    3. 使用 template.HTML 仅对可信内容标记
+    4. 设置 Content-Security-Policy 头限制内联脚本
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        c.HTML(http.StatusOK, $TEMPLATE, gin.H{$KEY: c.Query($QKEY)})
+    - pattern: |
+        c.HTML(http.StatusOK, $TEMPLATE, gin.H{$KEY: c.Param($QKEY)})
+    - pattern: |
+        c.HTML(http.StatusOK, $TEMPLATE, gin.H{$KEY: c.PostForm($QKEY)})
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)"
+    severity: WARNING
+    precision: medium
+    category: xss
+    framework: gin
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+# ZM-GO-ECHO-XSS-001: Echo ctx.Redirect含用户输入
+- id: zm-go-echo-xss-001
+  severity: WARNING
+  message: |
+    检测到 Echo 框架的 ctx.Redirect() 参数来自用户输入。
+    攻击者可构造恶意URL实现钓鱼攻击或CRLF注入。
+    修复方案:
+    1. 对重定向URL做域名白名单校验
+    2. 使用 net/url.Parse 解析URL后校验Host
+    3. ctx.Redirect(http.StatusFound, safeURL)
+    4. 禁止用户完全控制重定向URL
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        ctx.Redirect(http.StatusFound, ctx.QueryParam($KEY))
+    - pattern: |
+        ctx.Redirect(http.StatusMovedPermanently, ctx.QueryParam($KEY))
+    - pattern: |
+        ctx.Redirect(http.StatusSeeOther, ctx.QueryParam($KEY))
+    - pattern: |
+        ctx.Redirect(http.StatusTemporaryRedirect, ctx.QueryParam($KEY))
+    - pattern: |
+        ctx.Redirect($CODE, ctx.FormValue($KEY))
+  metadata:
+    cwe: "CWE-601: URL Redirection to Untrusted Site (Open Redirect)"
+    severity: WARNING
+    precision: high
+    category: open-redirect
+    framework: echo
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A01:2021 - Broken Access Control"
+# ZM-GO-GIN-REDIRECT-001: Gin c.Redirect含用户输入
+- id: zm-go-gin-redirect-001
+  severity: WARNING
+  message: |
+    检测到 Gin 框架的 c.Redirect() 参数来自用户输入。
+    攻击者可构造恶意URL: /redirect?url=http://evil.com/phishing
+    修复方案:
+    1. 使用 url.Parse + 检验 Host 白名单
+    2. 禁止用户传入完整URL，仅允许路径片段
+    3. c.Redirect(http.StatusFound, "/safe/path")
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        c.Redirect(http.StatusFound, c.Query($KEY))
+    - pattern: |
+        c.Redirect(http.StatusMovedPermanently, c.Query($KEY))
+    - pattern: |
+        c.Redirect(http.StatusSeeOther, c.Query($KEY))
+    - pattern: |
+        c.Redirect($CODE, c.PostForm($KEY))
+  metadata:
+    cwe: "CWE-601: URL Redirection to Untrusted Site (Open Redirect)"
+    severity: WARNING
+    precision: high
+    category: open-redirect
+    framework: gin
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A01:2021 - Broken Access Control"
+# ZM-GO-TEMPLATE-XSS-001: net/http template.HTMLEscape缺失
+- id: zm-go-template-xss-001
+  severity: WARNING
+  message: |
+    检测到 html/template 模板中使用了用户输入但未进行上下文感知转义。
+    html/template 默认按上下文转义(HTML/JS/CSS/URL)，但若使用
+    template.HTML/template.JS等类型标记为安全，则绕过转义。
+    修复方案:
+    1. 避免使用 template.HTML(userInput)——这绕过自动转义
+    2. 使用 template.HTMLEscapeString() 或 template.HTMLEscaper() 手动转义
+    3. 仅对完全可信的静态HTML使用 template.HTML 类型
+  languages:
+    - go
+  pattern-either:
+    - pattern: template.HTML($VAR)
+    - pattern: template.JS($VAR)
+    - pattern: template.CSS($VAR)
+    - pattern: template.HTMLAttr($VAR)
+    - pattern: template.URL($VAR)
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)"
+    severity: WARNING
+    precision: medium
+    category: xss
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"