npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/unified/cwe-89/zm-java-cwe89-jpa-query-concat.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+# Source: common | Cluster: N/A
+# CWE-89: Spring Data JPA @Query 含拼接SQL检测
+# 逐码 ZhuMa V4.3 — Spring Data JPA 框架特化规则
+rules:
+# ZM-JAVA-CWE89-JPA-QUERY-001: @Query native SQL 拼接用户输入
+- id: zm-java-cwe89-jpa-query-001
+  severity: ERROR
+  message: |
+    Spring Data JPA @Query 注解中使用字符串拼接构造 SQL 且拼接了用户输入（@Param 映射到 request parameter），
+    存在 SQL 注入风险。
+    使用参数化查询: @Query("SELECT * FROM users WHERE name = :name") 配合 @Param("name")，
+    或使用 JPQL 而非原生 SQL。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @Query("SELECT ..." + $VAR + "...")
+    - pattern: |
+        @Query(value = "..." + $VAR + "...")
+    - pattern: |
+        @Query(value = "..." + $VAR + "...", nativeQuery = true)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    severity: ERROR
+    precision: high
+    category: sql-injection
+    owasp: "A03:2021 - Injection"
+    likelihood: HIGH
+    impact: CRITICAL
+# ZM-JAVA-CWE89-JPA-QUERY-002: @Query 动态排序字段拼接
+- id: zm-java-cwe89-jpa-query-002
+  severity: WARNING
+  message: |
+    Spring Data JPA @Query 中使用字符串拼接 ORDER BY 或 GROUP BY 子句，
+    若拼接变量来自用户输入，可导致 SQL 注入。
+    修复: 对排序字段名做白名单校验，使用 Sort 参数替代字符串拼接 ORDER BY。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @Query("SELECT ... ORDER BY " + $VAR)
+    - pattern: |
+        @Query(value = "SELECT ... ORDER BY " + $VAR)
+    - pattern: |
+        @Query("SELECT ... GROUP BY " + $VAR)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    severity: WARNING
+    precision: medium
+    category: sql-injection
+    owasp: "A03:2021 - Injection"
+    likelihood: MEDIUM
+    impact: HIGH

package/rules/unified/cwe-89/zm-java-hql-cwe89-001.yaml ADDED Viewed

@@ -0,0 +1,73 @@
+# Source: common | Cluster: N/A
+# CWE-89/564: HQL/JPQL注入 — JPA/Hibernate查询注入深度检测
+# ZhuMa V4.1 — Persistence Layer Injection
+# 覆盖: HQL字符串拼接 / JPQL TypedQuery注入 / Criteria API误用
+rules:
+# ZM-JAVA-HQL-001: HQL/JPQL字符串拼接用户输入
+- id: zm-java-hql-001
+  severity: ERROR
+  message: |
+    entityManager.createQuery() 或 session.createQuery() 使用字符串拼接构造HQL/JPQL查询 — 注入攻击。
+    HQL注入可泄露全表数据、绕过认证、修改/删除数据（不同于SQL注入，HQL不支持UNION/--注释）。
+    CVE-2023-29509: Hibernate HQL注入绕过; CVE-2020-25638: Hibernate二级缓存注入。
+    修复: 1) 使用命名参数 :paramName (占位符) 2) Criteria API 3) 参数白名单过滤
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $EM.createQuery($STR + $REQ.getParameter(...))
+    - pattern: |
+        $SESS.createQuery($STR + $REQ.getParameter(...))
+    - pattern: |
+        $EM.createQuery(String.format(..., $REQ.getParameter(...)))
+    - pattern: |
+        $SESS.createQuery("from " + $REQ.getParameter(...))
+    - pattern: |
+        $EM.createQuery($REQ.getParameter(...) + $STR)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    severity: ERROR
+    precision: high
+    category: injection
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-29509"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-25638"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html"
+# ZM-JAVA-HQL-JPQL-002: JPQL NamedQuery + 动态ORDER BY注入
+- id: zm-java-hql-jpql-002
+  severity: ERROR
+  message: |
+    JPQL ORDER BY子句使用用户可控字段名拼接 — HQL注入可泄露数据(通过ORDER BY盲注)。
+    ORDER BY无法使用参数化绑定，攻击者可通过时间盲注或排序结果差异逐字符推断数据。
+    CVE-2021-45105: Apache Log4j2 injection chain via order by manipulation。
+    修复: 1) 使用CASE WHEN白名单映射 2) CriteriaQuery.orderBy() 3) 拒绝用户控制的排序字段
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $EM.createQuery(... + "order by " + $REQ.getParameter(...) + ...)
+    - pattern: |
+        $SESS.createQuery(... + " ORDER BY " + $REQ.getParameter(...))
+    - pattern: |
+        $EM.createNativeQuery($SQL + $REQ.getParameter(...))
+    - pattern: |
+        $SESS.createNativeQuery($SQL + $REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    severity: ERROR
+    precision: medium
+    category: injection
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-45105"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-25638"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html"
+      - "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection"

package/rules/unified/cwe-89/zm-js-cwe89-koa-sqli.yaml ADDED Viewed

@@ -0,0 +1,29 @@
+# Source: common | Cluster: N/A
+# CWE-89: Koa ctx.request.body 拼入 SQL 查询
+# 逐码 ZhuMa V4.3 — JS/TS Koa 规则库
+rules:
+- id: zm-js-koa-sqli-001
+  severity: ERROR
+  message: >
+    Koa 中间件中 ctx.request.body 用户输入拼接进 SQL 查询字符串，存在 SQL 注入风险。
+    修复: 使用参数化查询(如 knex.raw('?', [input]) 或 ORM 参数绑定)。
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        $DB.query($QUERY + $CTX.request.body.$FIELD)
+    - pattern: |
+        $DB.raw($QUERY + $CTX.request.body.$FIELD)
+    - pattern: |
+        $DB.query($QUERY + $CTX.request.body)
+    - pattern: |
+        $DB.raw($QUERY + $CTX.request.body)
+  metadata:
+    cwe: "CWE-89: SQL Injection"
+    owasp: "A03:2021 - Injection"
+    category: security
+    precision: high
+    confidence: high

package/rules/unified/cwe-89/zm-js-cwe89-nestjs-typeorm.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+# Source: common | Cluster: N/A
+# CWE-89: NestJS @Body/@Param 直接拼入 TypeORM query/queryRaw
+# 逐码 ZhuMa V4.3 — JS/TS NestJS 规则库
+rules:
+- id: zm-js-nestjs-sqli-001
+  severity: ERROR
+  message: >
+    NestJS 控制器中 @Body()/@Param() 装饰器提取的用户输入直接拼接进 TypeORM
+    query()/queryRaw() SQL 查询，存在 SQL 注入风险。
+    修复: 使用 TypeORM QueryBuilder 参数化查询或 repository API 替代 raw query。
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        $REPO.query($QUERY + $BODY.$FIELD)
+    - pattern: |
+        $REPO.query($QUERY + $PARAM.$FIELD)
+    - pattern: |
+        $DS.query($QUERY + $BODY.$FIELD)
+    - pattern: |
+        $DS.query($QUERY + $PARAM.$FIELD)
+    - pattern: |
+        $MGR.query($QUERY + $BODY.$FIELD)
+    - pattern: |
+        $MGR.query($QUERY + $PARAM.$FIELD)
+  metadata:
+    cwe: "CWE-89: SQL Injection"
+    owasp: "A03:2021 - Injection"
+    category: security
+    precision: high
+    confidence: high

package/rules/unified/cwe-89/zm-js-cwe89-prisma-typeorm.yaml ADDED Viewed

@@ -0,0 +1,140 @@
+# Source: common | Cluster: N/A
+# CWE-89 / CWE-943: Prisma / TypeORM 不安全查询检测
+# 逐码 ZhuMa V4.1 Sprint 3 — JS/TS 规则库
+# 覆盖: Prisma $queryRaw/$executeRaw、TypeORM query/manager.query
+rules:
+# ZM-JS-ORM-001: Prisma $queryRaw / $executeRaw 拼接用户输入
+- id: zm-js-orm-001
+  severity: ERROR
+  message: |
+    检测到 Prisma Client 的 $queryRaw / $executeRaw 使用了字符串拼接或模板字符串构造
+    SQL查询。这些方法执行原始SQL，未使用参数化查询会造成SQL注入。
+    CVE-2023-22899: Prisma $queryRaw 若用模板字符串拼接仍存在注入。
+    Prisma 官方推荐模板字符串变量方式: prisma.$queryRaw`SELECT * FROM users WHERE id = ${id}`,
+    但仅安全当使用 Prisma 官方 tagged template 传递变量——使用普通模板字符串拼接仍不安全。
+    修复:
+    1. 使用 tagged template: prisma.$queryRaw`SELECT * FROM users WHERE id = ${id}`
+    2. 使用 Prisma Client API 替代 raw query: prisma.user.findUnique({ where: { id } })
+    3. 如必须用 raw, 确保用 Prisma 参数化: $queryRaw(sql`SELECT ...`, ...args)
+    4. 严禁字符串拼接: $queryRaw('SELECT ... ' + userInput)
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $PRISMA.$queryRaw('SELECT' + $INPUT, ...)
+    - pattern: $PRISMA.$queryRaw('INSERT' + $INPUT, ...)
+    - pattern: $PRISMA.$queryRaw('UPDATE' + $INPUT, ...)
+    - pattern: $PRISMA.$queryRaw('DELETE' + $INPUT, ...)
+    - pattern: $PRISMA.$executeRaw('SELECT' + $INPUT, ...)
+    - pattern: $PRISMA.$executeRaw('INSERT' + $INPUT, ...)
+    - pattern: $PRISMA.$executeRaw('UPDATE' + $INPUT, ...)
+    - pattern: $PRISMA.$executeRaw('DELETE' + $INPUT, ...)
+    - pattern: $PRISMA.$queryRaw($QUERY + $INPUT, ...)
+    - pattern: $PRISMA.$executeRaw($QUERY + $INPUT, ...)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    owasp: "A03:2021 - Injection"
+    category: sql-injection
+    precision: high
+    confidence: high
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-22899"
+      - "https://www.prisma.io/docs/orm/prisma-client/using-raw-sql/raw-queries"
+      - "https://www.prisma.io/blog/sql-injection-attack-with-raw-queries-in-prisma-client-2nd9lrr5hf"
+# ZM-JS-ORM-002: TypeORM query / manager.query 拼接
+- id: zm-js-orm-002
+  severity: ERROR
+  message: |
+    检测到 TypeORM 的 EntityManager.query() / DataSource.query() 或 Repository.query()
+    使用了字符串拼接构造SQL查询。TypeORM 的 query() 方法直接执行原始SQL字符串，
+    拼接方式会导致SQL注入。
+    CWE-89: SQL Injection。
+    TypeORM 推荐: repository.find({ where: { name } }) 或使用 QueryBuilder。
+    修复:
+    1. 使用 QueryBuilder: repository.createQueryBuilder('user').where('user.name = :name', { name })
+    2. 使用参数化: manager.query('SELECT * FROM users WHERE id = $1', [id])
+    3. 使用 repository.find / findOne / save API 代替 raw query
+    4. 如必须 raw query，使用命名参数: { replacements: { id: userId } }
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $MGR.query('SELECT' + $INPUT, ...)
+    - pattern: $MGR.query('INSERT' + $INPUT, ...)
+    - pattern: $MGR.query('UPDATE' + $INPUT, ...)
+    - pattern: $MGR.query('DELETE' + $INPUT, ...)
+    - pattern: $DS.query('SELECT' + $INPUT, ...)
+    - pattern: $DS.query('INSERT' + $INPUT, ...)
+    - pattern: $DS.query('UPDATE' + $INPUT, ...)
+    - pattern: $DS.query('DELETE' + $INPUT, ...)
+    - pattern: $REPO.query('SELECT' + $INPUT, ...)
+    - pattern: $REPO.query('INSERT' + $INPUT, ...)
+    - pattern: $REPO.query('UPDATE' + $INPUT, ...)
+    - pattern: $REPO.query('DELETE' + $INPUT, ...)
+    - pattern: $MGR.query(`SELECT ... ${$INPUT}`, ...)
+    - pattern: $DS.query(`SELECT ... ${$INPUT}`, ...)
+    - pattern: $REPO.query(`SELECT ... ${$INPUT}`, ...)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    owasp: "A03:2021 - Injection"
+    category: orm
+    precision: high
+    confidence: high
+    references:
+      - "https://typeorm.io/entity-manager-api#query"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"
+# ZM-JS-ORM-003: ORM find 操作中使用动态操作符注入
+- id: zm-js-orm-003
+  severity: WARNING
+  message: |
+    检测到 Mongoose/MongoDB find / TypeORM find 操作中将 req.body / req.query
+    对象整体传入作为查询条件，攻击者可注入 MongoDB $where / $eq / $regex / $ne
+    或 TypeORM findOptionsWhere 覆盖查询逻辑。
+    CVE-2020-7774: y18n 原型污染 + MongoDB $where RCE。
+    CVE-2023-26155: node-qpdf NoSQL 注入组合。
+    CWE-943: Improper Neutralization of Special Elements in Data Query Logic。
+    修复:
+    1. Mongoose: 使用 mongo-sanitize 库过滤 $ 操作符:
+       const clean = sanitize(req.body); Model.find(clean)
+    2. TypeORM: 使用 FindOptionsWhere 显式指字段:
+       { where: { id: Equal(req.params.id) } }
+    3. 使用 allowlist: 仅提取预期字段，不将整个 req.body/query 传给 ORM
+    4. 使用 express-mongo-sanitize 中间件全局过滤
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $MODEL.find($REQ.body, ...)
+    - pattern: $MODEL.find($REQ.query, ...)
+    - pattern: $MODEL.findOne($REQ.body, ...)
+    - pattern: $MODEL.findOne($REQ.query, ...)
+    - pattern: $MODEL.find({...$REQ.body}, ...)
+    - pattern: $MODEL.findByIdAndUpdate($_, $REQ.body, ...)
+    - pattern: $MODEL.findOneAndUpdate($_, $REQ.body, ...)
+    - pattern: "$REPO.find({ where: $REQ.body })"
+    - pattern: "$REPO.findOne({ where: $REQ.body })"
+    - pattern: "$REPO.find({ where: $REQ.query })"
+    - pattern: "$REPO.findOne({ where: $REQ.query })"
+    - pattern: $MODEL.deleteMany($REQ.body, ...)
+    - pattern: $MODEL.deleteMany($REQ.query, ...)
+  metadata:
+    cwe: "CWE-943: Improper Neutralization of Special Elements in Data Query Logic"
+    owasp: "A03:2021 - Injection"
+    category: orm
+    precision: medium
+    confidence: medium
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-7774"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-26155"
+      - "https://www.npmjs.com/package/express-mongo-sanitize"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/NoSQL_Injection_Prevention_Cheat_Sheet.html"

package/rules/unified/cwe-89/zm-js-cwe89-prisma-unsafe.yaml ADDED Viewed

@@ -0,0 +1,24 @@
+# Source: common | Cluster: N/A
+# CWE-89: Prisma $queryRawUnsafe/$executeRawUnsafe
+# 逐码 ZhuMa V4.3 — JS/TS Prisma 规则库
+rules:
+- id: zm-js-prisma-unsafe-001
+  severity: ERROR
+  message: >
+    Prisma 使用 $queryRawUnsafe() 或 $executeRawUnsafe() 方法，这些方法直接执行
+    未参数化的SQL字符串，存在SQL注入风险。
+    修复: 使用 $queryRaw(TEMPLATE`...`) tagged template 参数化查询替代。
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $PRISMA.$queryRawUnsafe(...)
+    - pattern: $PRISMA.$executeRawUnsafe(...)
+  metadata:
+    cwe: "CWE-89: SQL Injection"
+    owasp: "A03:2021 - Injection"
+    category: security
+    precision: very-high
+    confidence: very-high

package/rules/unified/cwe-89/zm-js-cwe89-sequelize-literal.yaml ADDED Viewed

@@ -0,0 +1,26 @@
+# Source: common | Cluster: N/A
+# CWE-89: Sequelize literal/query 含拼接
+# 逐码 ZhuMa V4.3 — JS/TS Sequelize 规则库
+rules:
+- id: zm-js-sequelize-sqli-001
+  severity: ERROR
+  message: >
+    Sequelize 的 Sequelize.literal() 或 sequelize.query() 使用字符串拼接构造SQL，
+    绕过 ORM 参数化保护，存在 SQL 注入风险。
+    修复: 使用 Sequelize 模型方法(findAll/findOne)替代 raw query，或使用参数绑定。
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: Sequelize.literal($STR + $INPUT)
+    - pattern: Sequelize.literal(`...${$INPUT}...`)
+    - pattern: $SEQ.query($STR + $INPUT)
+    - pattern: $SEQ.query(`...${$INPUT}...`)
+  metadata:
+    cwe: "CWE-89: SQL Injection"
+    owasp: "A03:2021 - Injection"
+    category: security
+    precision: high
+    confidence: high

package/rules/unified/cwe-89/zm-js-cwe89-sqli.yaml ADDED Viewed

@@ -0,0 +1,154 @@
+# Source: common | Cluster: N/A
+# CWE-89: Node.js SQL注入检测规则
+# 逐码 ZhuMa V4.1 Sprint 2 — JS/TS 规则库
+# 覆盖: mysql2.query、sequelize.query(raw)、knex.raw、pg.query、sqlite3
+rules:
+# ZM-JS-SQLI-001: SQL驱动字符串拼接查询（高精度）
+- id: zm-js-sqli-001
+  severity: ERROR
+  message: |
+    检测到SQL查询使用了字符串拼接或模板字符串构造SQL语句，存在SQL注入风险。
+    攻击者可通过控制拼接变量注入SQL命令，实现数据库脱库、篡改或RCE。
+    修复:
+    1. 使用参数化查询(Parameterized Query)替代字符串拼接
+    2. mysql2: connection.execute('SELECT * FROM users WHERE id = ?', [userId])
+    3. pg: client.query('SELECT * FROM users WHERE id = $1', [userId])
+    4. 如确实需要动态表名/列名，使用白名单校验
+    5. 禁止 ORDER BY / GROUP BY / LIMIT 使用用户输入直接拼接
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    # mysql2 query/execute 拼接
+    - pattern: $CONN.query('SELECT' + $INPUT, ...)
+    - pattern: $CONN.query('INSERT' + $INPUT, ...)
+    - pattern: $CONN.query('UPDATE' + $INPUT, ...)
+    - pattern: $CONN.query('DELETE' + $INPUT, ...)
+    - pattern: $CONN.execute('SELECT' + $INPUT, ...)
+    - pattern: $CONN.execute('INSERT' + $INPUT, ...)
+    - pattern: $CONN.execute('UPDATE' + $INPUT, ...)
+    - pattern: $CONN.query($QUERY + $INPUT, ...)
+    - pattern: $CONN.execute($QUERY + $INPUT, ...)
+    # pg query 拼接
+    - pattern: $POOL.query('SELECT' + $INPUT, ...)
+    - pattern: $CLIENT.query('SELECT' + $INPUT, ...)
+    - pattern: $POOL.query('INSERT' + $INPUT, ...)
+    - pattern: $CLIENT.query('INSERT' + $INPUT, ...)
+    - pattern: $POOL.query('UPDATE' + $INPUT, ...)
+    - pattern: $CLIENT.query('UPDATE' + $INPUT, ...)
+    - pattern: $POOL.query('DELETE' + $INPUT, ...)
+    - pattern: $CLIENT.query('DELETE' + $INPUT, ...)
+    # sqlite3 拼接
+    - pattern: $DB.run('SELECT' + $INPUT, ...)
+    - pattern: $DB.run('INSERT' + $INPUT, ...)
+    - pattern: $DB.run('UPDATE' + $INPUT, ...)
+    - pattern: $DB.run('DELETE' + $INPUT, ...)
+    - pattern: $DB.get('SELECT' + $INPUT, ...)
+    - pattern: $DB.all('SELECT' + $INPUT, ...)
+    - pattern: $DB.exec('SELECT' + $INPUT, ...)
+    # 模板字符串拼接
+    - pattern: $CONN.query(`SELECT ... ${$INPUT}`, ...)
+    - pattern: $CLIENT.query(`SELECT ... ${$INPUT}`, ...)
+    - pattern: $POOL.query(`SELECT ... ${$INPUT}`, ...)
+    - pattern: $DB.run(`SELECT ... ${$INPUT}`, ...)
+    - pattern: $DB.all(`SELECT ... ${$INPUT}`, ...)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    owasp: "A03:2021 - Injection"
+    category: sql-injection
+    precision: medium
+    references:
+      - "https://owasp.org/www-community/attacks/SQL_Injection"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"
+# ZM-JS-SQLI-002: Sequelize.query raw / knex.raw 拼接
+- id: zm-js-sqli-002
+  severity: ERROR
+  message: |
+    检测到 Sequelize.query(raw: true) 或 knex.raw() 使用了字符串拼接构造SQL。
+    这些方法会直接将字符串作为原始SQL执行，绕过ORM的参数化保护。
+    修复:
+    1. Sequelize: sequelize.query('SELECT * FROM users WHERE id = ?', { replacements: [userId] })
+    2. Sequelize: sequelize.query('SELECT * FROM users WHERE id = :id', { replacements: { id: userId } })
+    3. Knex: knex.raw('SELECT * FROM users WHERE id = ?', [userId])
+    4. 尽量避免使用 raw query，优先使用 ORM 的链式API
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $SEQ.query($QUERY + $INPUT, ...)
+    - pattern: $SEQ.query('SELECT' + $INPUT, ...)
+    - pattern: $SEQ.query('INSERT' + $INPUT, ...)
+    - pattern: $SEQ.query('UPDATE' + $INPUT, ...)
+    - pattern: $SEQ.query('DELETE' + $INPUT, ...)
+    - pattern: knex.raw($QUERY + $INPUT, ...)
+    - pattern: knex.raw('SELECT' + $INPUT, ...)
+    - pattern: knex.raw('INSERT' + $INPUT, ...)
+    - pattern: knex.raw('UPDATE' + $INPUT, ...)
+    - pattern: knex.raw('DELETE' + $INPUT, ...)
+    - pattern: $KNEX.raw('SELECT' + $INPUT, ...)
+    - pattern: $KNEX.raw('INSERT' + $INPUT, ...)
+    - pattern: $KNEX.raw('UPDATE' + $INPUT, ...)
+    - pattern: $KNEX.raw('DELETE' + $INPUT, ...)
+    - pattern: $SEQ.query(`SELECT ... ${$INPUT}`, ...)
+    - pattern: knex.raw(`SELECT ... ${$INPUT}`, ...)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    owasp: "A03:2021 - Injection"
+    category: sql-injection
+    precision: high
+    references:
+      - "https://sequelize.org/docs/v6/core-concepts/raw-queries/"
+      - "https://knexjs.org/guide/raw.html"
+# ZM-JS-SQLI-003: SQL查询中使用 req.query/params/body 拼接
+- id: zm-js-sqli-003
+  severity: ERROR
+  message: |
+    检测到SQL查询中直接拼接了 req.query / req.params / req.body 的用户输入。
+    这是SQL注入的最高风险模式。
+    修复:
+    1. 立即替换为参数化查询:
+       db.query('SELECT * FROM users WHERE name = ?', [req.query.name])
+    2. 使用查询构建器: knex.select().from('users').where('name', req.query.name)
+    3. 永远不要将用户输入拼接到SQL字符串中
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $CONN.query($QUERY + $REQ.query.$FIELD, ...)
+    - pattern: $CONN.query($QUERY + $REQ.params.$FIELD, ...)
+    - pattern: $CONN.query($QUERY + $REQ.body.$FIELD, ...)
+    - pattern: $CLIENT.query($QUERY + $REQ.query.$FIELD, ...)
+    - pattern: $CLIENT.query($QUERY + $REQ.params.$FIELD, ...)
+    - pattern: $CLIENT.query($QUERY + $REQ.body.$FIELD, ...)
+    - pattern: $POOL.query($QUERY + $REQ.query.$FIELD, ...)
+    - pattern: $POOL.query($QUERY + $REQ.params.$FIELD, ...)
+    - pattern: $POOL.query($QUERY + $REQ.body.$FIELD, ...)
+    - pattern: $DB.run($QUERY + $REQ.query.$FIELD, ...)
+    - pattern: $DB.run($QUERY + $REQ.params.$FIELD, ...)
+    - pattern: $DB.run($QUERY + $REQ.body.$FIELD, ...)
+    - pattern: $DB.all($QUERY + $REQ.query.$FIELD, ...)
+    - pattern: $DB.all($QUERY + $REQ.params.$FIELD, ...)
+    - pattern: $DB.all($QUERY + $REQ.body.$FIELD, ...)
+    - pattern: $DB.get($QUERY + $REQ.query.$FIELD, ...)
+    - pattern: $DB.get($QUERY + $REQ.params.$FIELD, ...)
+    - pattern: $DB.get($QUERY + $REQ.body.$FIELD, ...)
+    - pattern: knex.raw($QUERY + $REQ.query.$FIELD, ...)
+    - pattern: knex.raw($QUERY + $REQ.params.$FIELD, ...)
+    - pattern: knex.raw($QUERY + $REQ.body.$FIELD, ...)
+    - pattern: $SEQ.query($QUERY + $REQ.query.$FIELD, ...)
+    - pattern: $SEQ.query($QUERY + $REQ.params.$FIELD, ...)
+    - pattern: $SEQ.query($QUERY + $REQ.body.$FIELD, ...)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    owasp: "A03:2021 - Injection"
+    category: sql-injection
+    precision: high
+    references:
+      - "https://owasp.org/www-community/attacks/SQL_Injection"