npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/unified/cwe-79/zm-go-cwe79-mail-injection.yaml ADDED Viewed

@@ -0,0 +1,68 @@
+# Source: common | Cluster: N/A
+# CWE-79: Go SMTP/Mail Header注入 / Email注入
+# 逐码 ZhuMa V4.3 — Go 通用规则库
+# 检测: net/smtp/net/mail header注入
+rules:
+# ZM-GO-MAILINJ-001: net/smtp header注入
+- id: zm-go-mail-injection-001
+  severity: WARNING
+  message: |
+    检测到 net/smtp SendMail 的收件人/发件人/主题等参数来自HTTP请求。
+    攻击者可通过注入 \r\n 换行符构造额外的SMTP头或命令。
+    SMTP Header注入示例:
+    userInput = "user@example.com\r\nBcc: attacker@evil.com"
+    smtp.SendMail(addr, auth, from, []string{userInput}, msg)
+    修复方案:
+    1. 过滤用户输入中的 \r 和 \n 字符
+    2. 使用 net/mail.Address 类型解析和验证邮件地址
+    3. 使用 3rd-party 库如 gomail/v2 进行安全邮件发送
+    4. 对邮件主题/正文使用 MIME 编码
+  languages:
+    - go
+  pattern-either:
+    - pattern: smtp.SendMail($ADDR, $AUTH, $FROM, $TO, $MSG)
+    - pattern: smtp.SendMail($ADDR, $AUTH, c.Query($KEY), $TO, $MSG)
+    - pattern: smtp.SendMail($ADDR, $AUTH, $FROM, $TO, []byte($BODY))
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)"
+    severity: WARNING
+    precision: medium
+    category: mail-injection
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://pkg.go.dev/net/smtp"
+# ZM-GO-MAILINJ-002: net/mail header注入
+- id: zm-go-mail-injection-002
+  severity: WARNING
+  message: |
+    检测到使用 net/mail 解析或构造邮件头时包含用户输入。
+    攻击者可通过注入CRLF构造额外头字段。
+    修复方案:
+    1. 使用 mail.Address{Name: name, Address: addr}.String() 构造安全地址
+    2. 过滤用户输入中的 \r\n
+    3. 使用 mime.QEncoding 编码非ASCII内容
+  languages:
+    - go
+  pattern-either:
+    - pattern: 'mail.Address{Name: $NAME, Address: $ADDR}'
+    - pattern: mail.ParseAddress($ADDR)
+    - pattern: mail.ParseAddressList($ADDRS)
+    - pattern: mail.ReadMessage($R)
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)"
+    severity: WARNING
+    precision: medium
+    category: mail-injection
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://pkg.go.dev/net/mail"

package/rules/unified/cwe-79/zm-go-cwe79-xss.yaml ADDED Viewed

@@ -0,0 +1,105 @@
+# Source: common | Cluster: N/A
+# CWE-79: Go XSS 检测
+# 逐码 ZhuMa V4.1 — Go 通用规则库
+# 检测: template.HTML 标记用户输入为安全 / 使用 text/template 渲染HTML
+rules:
+# ZM-GO-XSS-001: template.HTML() 转换用户可控字符串
+- id: zm-go-xss-001
+  severity: HIGH
+  message: |
+    检测到使用 html/template 的 template.HTML() 类型转换将字符串标记为
+    "安全HTML"直接输出。若该字符串包含用户输入，攻击者可注入
+    <script>、<img onerror=> 等XSS payload。
+    Go html/template 会自动转义所有字符串输出，但 template.HTML 类型
+    会绕过此保护，直接原样输出。这是Go XSS的第一大根因。
+    修复方案:
+    1. 删除 template.HTML() 转换，让 html/template 自动转义
+    2. 仅对可信的内部静态HTML片段使用 template.HTML()
+    3. 对用户输入使用 bluemonday 等HTML清洗库后再转换
+    4. 使用 template.JSStr() 替代 template.HTML() 输出到JS上下文
+  languages:
+    - go
+  pattern-either:
+    - pattern: template.HTML($INPUT)
+    - pattern: template.HTML($VAR)
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)"
+    severity: HIGH
+    precision: high
+    category: xss
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://pkg.go.dev/html/template#HTML"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
+# ZM-GO-XSS-002: template.JS / template.CSS / template.URL 注入
+- id: zm-go-xss-002
+  severity: HIGH
+  message: |
+    检测到 template.JS() / template.CSS() / template.URL() / template.HTMLAttr()
+    将用户输入标记为安全内容直接插入JS/CSS/URL/属性上下文。
+    各类转换绕过上下文特定的自动转义，可能导致XSS。
+    修复方案:
+    1. 使用 html/template 默认转义，不手动标记安全类型
+    2. 对JSON数据使用 template.JSStr() 替代 template.JS()
+    3. URL使用 url.QueryEscape() 编码
+    4. 绝对必要时对输入做严格的白名单校验
+  languages:
+    - go
+  pattern-either:
+    - pattern: template.JS($INPUT)
+    - pattern: template.JSStr($INPUT)
+    - pattern: template.CSS($INPUT)
+    - pattern: template.URL($INPUT)
+    - pattern: template.HTMLAttr($INPUT)
+    - pattern: template.Srcset($INPUT)
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)"
+    severity: HIGH
+    precision: high
+    category: xss
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://pkg.go.dev/html/template"
+# ZM-GO-XSS-003: text/template 用于HTML渲染
+- id: zm-go-xss-003
+  severity: HIGH
+  message: |
+    检测到使用 text/template 进行模板渲染（Template.Execute / Must）。
+    text/template 不提供任何HTML自动转义，所有变量直接输出到页面。
+    若模板内容中包含用户输入且输出到HTML页面，将导致XSS漏洞。
+    修复方案:
+    1. 将 "text/template" 替换为 "html/template"
+    2. html/template 会基于上下文自动选择转义策略（HTML/JS/CSS/URL）
+    3. 两个包的API完全兼容，仅需修改import路径
+  languages:
+    - go
+  pattern-either:
+    - pattern: texttemplate.Execute($W, $DATA)
+    - pattern: texttemplate.ExecuteTemplate($W, $NAME, $DATA)
+    - pattern: template.Must(...)
+    - pattern: template.New($NAME)
+    - pattern: template.ParseFiles(...)
+    - pattern: template.ParseGlob(...)
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)"
+    severity: HIGH
+    precision: medium
+    category: xss
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://pkg.go.dev/text/template"
+      - "https://pkg.go.dev/html/template"

package/rules/unified/cwe-79/zm-java-cwe79-xss-depth.yaml ADDED Viewed

@@ -0,0 +1,99 @@
+# Source: common | Cluster: N/A
+# CWE-79 XSS 全量 sink 覆盖 (v2): Spring MVC Response 写入所有变体
+rules:
+# ZM-JAVA-XSS-RESPONSE-001: HttpServletResponse.getWriter 直接输出用户输入
+- id: zm-java-xss-response-001
+  severity: MEDIUM
+  message: |
+    HttpServletResponse.getWriter().print/write 直接输出用户输入，无 HTML 编码。
+    在输出到响应流前对用户数据进行 OWASP Encoder 或 Spring HtmlUtils.htmlEscape 编码。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $RESP.getWriter().print($INPUT);
+    - pattern: $RESP.getWriter().write($INPUT);
+    - pattern: $RESP.getWriter().println($INPUT);
+    - pattern: $RESP.getOutputStream().print($INPUT);
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    precision: high
+    tags: [xss, servlet, response]
+# ZM-JAVA-XSS-MODELANDVIEW-001: ModelAndView 中添加未转义的用户输入
+- id: zm-java-xss-mv-001
+  severity: MEDIUM
+  message: |
+    ModelAndView.addObject 添加用户输入 — 如果 JSP 模板中未使用 c:out 或 ${fn:escapeXml()}，
+    可能导致存储型 XSS。确认对应 JSP/Thymeleaf 模板有输出编码。
+  languages:
+    - java
+  pattern: |
+    $MV.addObject($KEY, $INPUT);
+    ...
+    return $MV;
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    precision: medium
+    tags: [xss, modelandview, stored-xss]
+# ZM-JAVA-XSS-HEADER-001: 响应头注入 (CRLF 注入)
+- id: zm-java-xss-header-001
+  severity: LOW
+  message: |
+    resp.setHeader/addHeader 使用用户可控的值 — 可能导致 HTTP 响应头注入 (CRLF Injection)。
+    对用户值中的 \r\n 做过滤或编码，同时移除不可打印字符。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $RESP.setHeader($NAME, $INPUT);
+    - pattern: $RESP.addHeader($NAME, $INPUT);
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    precision: low
+    tags: [xss, header-injection, crlf]
+# ZM-JAVA-XSS-FORMAT-001: String.format 拼接用户输入到HTML模板
+- id: zm-java-xss-format-001
+  severity: MEDIUM
+  message: |
+    String.format 将用户输入直接拼入 HTML 片段 — 产生 XSS。
+    使用参数化模板（Thymeleaf th:text / JSP c:out）替代 Java 字符串拼接。
+  languages:
+    - java
+  pattern-either:
+    - pattern: String.format("<$TAG>$CONTENT</$TAG>", $X, ...)
+    - pattern: |
+        String.format("...<...%s...>...", $X, ...)
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    precision: medium
+    tags: [xss, string-format, html-injection]
+# ZM-JAVA-XSS-SPRING-ESCAPE-001: 显式使用 springHtmlEscape=false
+- id: zm-java-xss-escape-001
+  severity: MEDIUM
+  message: |
+    HtmlEscape 设置为 false 或 defaultHtmlEscape = false — 禁用自动 HTML 转义。
+    启用 defaultHtmlEscape 或逐页设置 `spring:htmlEscape="true"`。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        htmlEscape = false
+    - pattern: |
+        setHtmlEscape(false)
+    - pattern: |
+        defaultHtmlEscape = false
+    - pattern: |
+        setDefaultHtmlEscape(false)
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    precision: very-high
+    tags: [xss, spring, html-escape]

package/rules/unified/cwe-79/zm-js-cwe79-angular-bypass.yaml ADDED Viewed

@@ -0,0 +1,24 @@
+# Source: common | Cluster: N/A
+# CWE-79: Angular bypassSecurityTrustHtml XSS
+# 逐码 ZhuMa V4.3 — JS/TS Angular 规则库
+rules:
+- id: zm-js-angular-xss-001
+  severity: ERROR
+  message: >
+    Angular 中使用 bypassSecurityTrustHtml() 绕过内置的 HTML 安全清洗，
+    若传入用户输入则存在 XSS 跨站脚本攻击风险。
+    修复: 避免使用 bypassSecurityTrustHtml，或确保输入已经过严格清洗。
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $SANITIZER.bypassSecurityTrustHtml(...)
+    - pattern: this.$SANITIZER.bypassSecurityTrustHtml(...)
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting"
+    owasp: "A03:2021 - Injection"
+    category: security
+    precision: very-high
+    confidence: high

package/rules/unified/cwe-79/zm-js-cwe79-domxss.yaml ADDED Viewed

@@ -0,0 +1,85 @@
+# Source: common | Cluster: N/A
+# CWE-79: DOM-based XSS 检测规则
+# 逐码 ZhuMa V4.1 Sprint 1 — JS/TS 通用规则库
+rules:
+# ZM-JS-DOMXSS-001: innerHTML / outerHTML 赋值
+- id: zm-js-domxss-001
+  severity: WARNING
+  message: |
+    检测到使用 innerHTML 或 outerHTML 赋值操作，可能引入 DOM-based XSS。
+    直接向 innerHTML 设置用户输入会导致浏览器解析并执行内嵌的 <script> 标签。
+    修复建议:
+    1. 使用 textContent 替代 innerHTML 设置纯文本
+    2. 使用 document.createElement() + appendChild() 安全构建 DOM
+    3. 如必须使用 innerHTML，先用 DOMPurify 对内容消毒
+    4. 使用 Content Security Policy (CSP) 作为纵深防御
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $EL.innerHTML = $X
+    - pattern: $EL.outerHTML = $X
+    - pattern: $EL.innerHTML += $X
+    - pattern: $EL.outerHTML += $X
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+    owasp: "A03:2021 - Injection"
+    category: xss
+    precision: high
+    references:
+      - "https://owasp.org/www-community/attacks/DOM_Based_XSS"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html"
+# ZM-JS-DOMXSS-002: document.write / document.writeln
+- id: zm-js-domxss-002
+  severity: WARNING
+  message: |
+    检测到使用 document.write() 或 document.writeln() 写入 DOM。
+    这些 API 会直接向文档写入原始 HTML，若内容由用户控制将导致 XSS。
+    修复建议:
+    1. 禁止使用 document.write()，使用安全的 DOM API 替代
+    2. document.createElement() + textContent 安全构建内容
+    3. 使用 insertAdjacentHTML 时也需 DOMPurify 消毒
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: document.write($X)
+    - pattern: document.writeln($X)
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+    owasp: "A03:2021 - Injection"
+    category: xss
+    precision: very-high
+    references:
+      - "https://developer.mozilla.org/en-US/docs/Web/API/Document/write"
+      - "https://owasp.org/www-community/attacks/DOM_Based_XSS"
+# ZM-JS-DOMXSS-003: insertAdjacentHTML
+- id: zm-js-domxss-003
+  severity: WARNING
+  message: |
+    检测到使用 insertAdjacentHTML() 方法插入 HTML 内容。
+    与 innerHTML 类似，插入的 HTML 字符串会被解析，存在 DOM XSS 风险。
+    修复建议:
+    1. 使用 insertAdjacentElement() 替代 insertAdjacentHTML()
+    2. 如必须使用 HTML 插入，用 DOMPurify 消毒后操作
+    3. 优先使用 DOM 创建 API (createElement / createTextNode)
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $EL.insertAdjacentHTML($POS, $X)
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+    owasp: "A03:2021 - Injection"
+    category: xss
+    precision: high
+    references:
+      - "https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML"
+      - "https://owasp.org/www-community/attacks/DOM_Based_XSS"

package/rules/unified/cwe-79/zm-js-cwe79-electron-security.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+# Source: common | Cluster: N/A
+rules:
+  - id: zm-js-electron-001
+    severity: ERROR
+    message: >-
+      Electron BrowserWindow启用nodeIntegration或nodeIntegrationInWorker。
+      CVE-2019-5786。修复：nodeIntegration:false，preload脚本隔离。
+    languages: [javascript, typescript]
+    patterns:
+      - pattern: |
+          nodeIntegration: true
+    metadata:
+      cwe: "CWE-749"
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: HIGH
+      owasp: "A05:2021"
+      category: electron
+      cve: "CVE-2019-5786"
+  - id: zm-js-electron-002
+    severity: ERROR
+    message: >-
+      Electron webview标签未限制allowpopups/allowpopups或启用preload。
+      CVE-2022-21718。修复：限制webview权限，设置allowpopups:false。
+    languages: [javascript, typescript]
+    patterns:
+      - pattern: |
+          webviewTag: true
+    metadata:
+      cwe: "CWE-269"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      owasp: "A05:2021"
+      category: electron
+      cve: "CVE-2022-21718"

package/rules/unified/cwe-79/zm-js-cwe79-react-dangerously.yaml ADDED Viewed

@@ -0,0 +1,23 @@
+# Source: common | Cluster: N/A
+# CWE-79: React dangerouslySetInnerHTML XSS
+# 逐码 ZhuMa V4.3 — JS/TS React 规则库
+rules:
+- id: zm-js-react-xss-001
+  severity: ERROR
+  message: >
+    React 中使用 dangerouslySetInnerHTML 直接渲染 HTML 内容，若内容来自用户输入
+    则存在 XSS 跨站脚本攻击风险。
+    修复: 使用 DOMPurify.sanitize() 对 HTML 内容做清洗后再传入 dangerouslySetInnerHTML。
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: dangerouslySetInnerHTML
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting"
+    owasp: "A03:2021 - Injection"
+    category: security
+    precision: very-high
+    confidence: high

package/rules/unified/cwe-79/zm-js-cwe79-react-xss-deep.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+# Source: common | Cluster: N/A
+rules:
+  - id: zm-js-react-xss-001
+    severity: ERROR
+    message: >-
+      React dangerouslySetInnerHTML直接使用未净化输入造成XSS。
+      CVE-2022-31178。修复：使用DOMPurify.sanitize()清理HTML。
+    languages: [javascript, typescript]
+    patterns:
+      - pattern: |
+          dangerouslySetInnerHTML: { __html: $X }
+    metadata:
+      cwe: "CWE-79"
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: MEDIUM
+      owasp: "A03:2021"
+      category: react
+      cve: "CVE-2022-31178"
+  - id: zm-js-react-xss-002
+    severity: WARNING
+    message: >-
+      React href使用javascript:伪协议可导致XSS。CVE-2023-32784。
+      修复：使用isSafeUrl()白名单过滤。
+    languages: [javascript, typescript]
+    patterns:
+      - pattern-regex: 'href\s*[:=]\s*["\x60]javascript:'
+    metadata:
+      cwe: "CWE-79"
+      confidence: HIGH
+      likelihood: LOW
+      impact: MEDIUM
+      owasp: "A03:2021"
+      category: react
+      cve: "CVE-2023-32784"

package/rules/unified/cwe-79/zm-js-cwe79-react-xss.yaml ADDED Viewed

@@ -0,0 +1,19 @@
+# Source: common | Cluster: N/A
+# CWE-79: React dangerouslySetInnerHTML XSS 检测规则
+# 逐码 ZhuMa V4.1 Sprint 1
+rules:
+- id: zm-js-rxss-001
+  severity: WARNING
+  message: |
+    dangerouslySetInnerHTML bypasses React XSS protection — sanitize with DOMPurify first.
+  languages:
+    - javascript
+    - typescript
+  pattern: dangerouslySetInnerHTML
+  metadata:
+    cwe: "CWE-79"
+    precision: very-high
+    category: xss
+    owasp: "A03:2021 - Injection"

package/rules/unified/cwe-79/zm-js-cwe79-vue-vhtml.yaml ADDED Viewed

@@ -0,0 +1,25 @@
+# Source: common | Cluster: N/A
+# CWE-79: Vue v-html XSS
+# 逐码 ZhuMa V4.3 — JS/TS Vue 规则库
+rules:
+- id: zm-js-vue-xss-001
+  severity: ERROR
+  message: >
+    Vue 模板中使用 v-html 指令渲染原始 HTML 内容，若内容来自用户输入则存在 XSS 风险。
+    v-html 不会对HTML做转义，攻击者可注入 <script> 标签或事件处理器。
+    修复: 使用文本插值 {{ }} 替代 v-html，或对内容做 DOMPurify 清洗。
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: 'v-html="$EXPR"'
+    - pattern: "v-html='$EXPR'"
+    - pattern: 'v-html=$EXPR'
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting"
+    owasp: "A03:2021 - Injection"
+    category: security
+    precision: very-high
+    confidence: high

package/rules/unified/cwe-79/zm-js-cwe79-xss-ejs.yaml ADDED Viewed

@@ -0,0 +1,71 @@
+# Source: common | Cluster: N/A
+# CWE-79: Express XSS 模板注入检测规则
+# 逐码 ZhuMa V4.1 Sprint 1 — JS/TS 通用规则库
+rules:
+# ZM-JS-XSS-001: res.render 直接传入用户可控数据
+- id: zm-js-xss-001
+  severity: WARNING
+  message: |
+    检测到 res.render() 将 req.body / req.query / req.params 直接传入模板变量。
+    未经过 HTML 实体转义的用户输入在模板中渲染可能导致存储型/反射型 XSS 攻击。
+    修复建议:
+    1. 对用户输入进行 HTML 实体编码（如使用 DOMPurify / xss 库或模板引擎自动转义）
+    2. 使用 EJS 的 <%= %> 代替 <%- %>（前者自动转义）
+    3. 在模板中避免使用 raw / unescaped 输出模式
+    4. 设置 Content-Security-Policy 响应头作为纵深防御
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        res.render($TEMPLATE, {..., $KEY: $REQ.body, ...})
+    - pattern: |
+        res.render($TEMPLATE, {..., $KEY: $REQ.query, ...})
+    - pattern: |
+        res.render($TEMPLATE, {..., $KEY: $REQ.params, ...})
+    - pattern: |
+        res.render($TEMPLATE, $REQ.body)
+    - pattern: |
+        res.render($TEMPLATE, $REQ.query)
+    - pattern: |
+        res.render($TEMPLATE, $REQ.params)
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+    owasp: "A03:2021 - Injection"
+    category: xss
+    precision: medium
+    references:
+      - "https://owasp.org/www-community/attacks/xss/"
+      - "https://expressjs.com/en/4x/api.html#res.render"
+# ZM-JS-XSS-002: res.send 直接输出用户输入
+- id: zm-js-xss-002
+  severity: WARNING
+  message: |
+    检测到 res.send() 直接输出 req.body / req.query / req.params 中的值。
+    若 Content-Type 为 text/html，可能导致反射型 XSS。
+    修复建议:
+    1. 避免直接输出用户输入；如需要，使用 HTML 实体编码后输出
+    2. 显式设置 Content-Type: text/plain 防止浏览器解析 HTML
+    3. 使用 res.json() 代替 res.send() 输出 JSON 数据
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: res.send($REQ.body)
+    - pattern: res.send($REQ.query)
+    - pattern: res.send($REQ.params)
+    - pattern: res.send($REQ.body.$PROP)
+    - pattern: res.send($REQ.query.$PROP)
+    - pattern: res.send($REQ.params.$PROP)
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+    owasp: "A03:2021 - Injection"
+    category: xss
+    precision: medium
+    references:
+      - "https://owasp.org/www-community/attacks/xss/"