npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/unified/cwe-89/zm-php-cwe89-sqli.yaml ADDED Viewed

@@ -0,0 +1,185 @@
+# Source: common | Cluster: N/A
+# CWE-89: PHP SQL 注入检测
+# 逐码 ZhuMa V4.3 — PHP 通用规则库
+# 检测: mysql_query / mysqli_query / DB::raw / ->whereRaw 字符串拼接构造SQL
+rules:
+# ZM-PHP-SQLI-001: mysql_query() 字符串拼接SQL注入
+- id: zm-php-cwe89-sqli-001
+  severity: CRITICAL
+  message: |
+    检测到 mysql_query() / mysqli_query() 参数包含字符串拼接或变量插值。
+    攻击者可通过用户输入注入恶意SQL（如 UNION SELECT、-- 注释符等），
+    绕过认证、窃取数据或破坏数据库。
+    修复方案:
+    1. 使用 PDO 预处理语句: $stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?"); $stmt->execute([$id]);
+    2. 使用 mysqli 预处理: $stmt = $mysqli->prepare("SELECT * FROM users WHERE id = ?"); $stmt->bind_param("i", $id);
+    3. 禁止将 $_GET/$_POST/$_REQUEST 直接拼入SQL字符串
+    4. 参考 OWASP SQL 注入防御指南
+  languages:
+    - php
+  pattern-either:
+    - pattern: mysql_query("..." . $VAR)
+    - pattern: mysql_query("..." . $_GET[$X])
+    - pattern: mysql_query("..." . $_POST[$X])
+    - pattern: mysql_query("..." . $_REQUEST[$X])
+    - pattern: mysql_query($SQL . $VAR)
+    - pattern: mysqli_query($CONN, "..." . $VAR)
+    - pattern: mysqli_query($CONN, "..." . $_GET[$X])
+    - pattern: mysqli_query($CONN, "..." . $_POST[$X])
+    - pattern: mysqli_query($CONN, "..." . $_REQUEST[$X])
+    - pattern: mysqli_query($CONN, $SQL . $VAR)
+    - pattern: mysql_db_query($DB, "..." . $_GET[$X])
+    - pattern: mysql_db_query($DB, "..." . $_POST[$X])
+    - pattern: mysql_db_query($DB, "..." . $_REQUEST[$X])
+    - pattern: mysql_unbuffered_query("..." . $_GET[$X])
+    - pattern: mysql_unbuffered_query("..." . $_POST[$X])
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php"
+      - "https://owasp.org/www-community/attacks/SQL_Injection"
+# ZM-PHP-SQLI-002: 双引号字符串内直接使用 $_GET/$_POST 插值
+- id: zm-php-cwe89-sqli-002
+  severity: CRITICAL
+  message: |
+    检测到 SQL 查询字符串（双引号内）直接使用了 $_GET/$_POST 变量插值。
+    PHP 双引号字符串中 $var 会被解析，即使不使用 . 连接符也存在SQL注入。
+    修复方案:
+    使用 PDO 预处理语句替代字符串插值:
+      $stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
+      $stmt->execute([$_GET['id']]);
+  languages:
+    - php
+  pattern-either:
+    - pattern: |
+        mysql_query("SELECT ... $_GET[$X] ...")
+    - pattern: |
+        mysql_query("SELECT ... $_POST[$X] ...")
+    - pattern: |
+        mysqli_query($CONN, "SELECT ... $_GET[$X] ...")
+    - pattern: |
+        mysqli_query($CONN, "SELECT ... $_POST[$X] ...")
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+# ZM-PHP-SQLI-003: Laravel DB::raw() 含用户输入
+- id: zm-php-cwe89-sqli-003
+  severity: CRITICAL
+  message: |
+    检测到 Laravel DB::raw() 参数包含 $_GET/$_POST/$request 用户输入。
+    DB::raw() 将字符串直接嵌入 SQL 不做转义，存在 SQL 注入风险。
+    修复方案:
+    1. 使用 Laravel 查询构建器的参数绑定:
+       DB::table('users')->where('id', $request->input('id'))->get();
+    2. 必须使用 DB::raw() 时对输入做严格白名单校验
+    3. 使用 ->selectRaw() 的参数绑定形式:
+       ->selectRaw('SUM(price) as total WHERE status = ?', [$status])
+  languages:
+    - php
+  pattern-either:
+    - pattern: DB::raw("..." . $_GET[$X])
+    - pattern: DB::raw("..." . $_POST[$X])
+    - pattern: DB::raw("..." . $_REQUEST[$X])
+    - pattern: DB::raw("..." . $request->input(...))
+    - pattern: DB::raw("..." . $request->get(...))
+    - pattern: DB::raw("..." . $request->$X)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://laravel.com/docs/queries#raw-expressions"
+# ZM-PHP-SQLI-004: Laravel ->whereRaw() 含用户输入
+- id: zm-php-cwe89-sqli-004
+  severity: CRITICAL
+  message: |
+    检测到 Laravel ->whereRaw() / ->orderByRaw() / ->selectRaw() / ->groupByRaw()
+    方法参数包含 $_GET/$_POST/$request 用户输入。
+    这些 Raw 方法直接将字符串嵌入 SQL 不做参数绑定。
+    修复方案:
+    1. 使用 ->where() 等参数绑定方法替代 Raw 方法
+    2. ->orderByRaw() 务必使用白名单校验排序字段
+    3. ->selectRaw() 使用 ? 占位符传参: ->selectRaw('SUM(price) as total WHERE status = ?', [$status])
+  languages:
+    - php
+  pattern-either:
+    - pattern: $QUERY->whereRaw("..." . $_GET[$X])
+    - pattern: $QUERY->whereRaw("..." . $_POST[$X])
+    - pattern: $QUERY->whereRaw("..." . $_REQUEST[$X])
+    - pattern: $QUERY->whereRaw("..." . $request->input(...))
+    - pattern: $QUERY->whereRaw("..." . $request->get(...))
+    - pattern: $QUERY->whereRaw("..." . $request->$X)
+    - pattern: $QUERY->orderByRaw("..." . $_GET[$X])
+    - pattern: $QUERY->orderByRaw("..." . $_POST[$X])
+    - pattern: $QUERY->orderByRaw("..." . $request->input(...))
+    - pattern: $QUERY->orderByRaw("..." . $request->get(...))
+    - pattern: $QUERY->selectRaw("..." . $_GET[$X])
+    - pattern: $QUERY->selectRaw("..." . $_POST[$X])
+    - pattern: $QUERY->selectRaw("..." . $request->input(...))
+    - pattern: $QUERY->groupByRaw("..." . $_GET[$X])
+    - pattern: $QUERY->groupByRaw("..." . $request->input(...))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://laravel.com/docs/queries#raw-methods"
+# ZM-PHP-SQLI-005: PDO query/exec 字符串拼接
+- id: zm-php-cwe89-sqli-005
+  severity: CRITICAL
+  message: |
+    检测到 PDO->query() / ->exec() 参数存在字符串拼接。
+    虽然 PDO::query() 不直接支持参数绑定，但拼接用户输入仍存在注入风险。
+    修复方案:
+    使用 PDO::prepare() + execute() 参数绑定:
+      $stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
+      $stmt->execute([$id]);
+  languages:
+    - php
+  pattern-either:
+    - pattern: $PDO->query("..." . $_GET[$X])
+    - pattern: $PDO->query("..." . $_POST[$X])
+    - pattern: $PDO->query("..." . $_REQUEST[$X])
+    - pattern: $PDO->query($SQL . $_GET[$X])
+    - pattern: $PDO->exec("..." . $_GET[$X])
+    - pattern: $PDO->exec("..." . $_POST[$X])
+    - pattern: $PDO->exec("..." . $_REQUEST[$X])
+    - pattern: $PDO->exec($SQL . $_POST[$X])
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/unified/cwe-89/zm-py-cwe89-django-sqli.yaml ADDED Viewed

@@ -0,0 +1,75 @@
+# Source: common | Cluster: N/A
+# CWE-89: Django Raw SQL 注入检测
+# 逐码 ZhuMa V4.3 — Python 框架特化规则库
+# 检测: cursor.execute含f-string/format、.raw()、RawSQL、extra()字符串拼接
+rules:
+# ZM-PY-DJANGO-SQLI-001: cursor.execute() raw SQL含f-string/format
+- id: zm-py-django-sqli-001
+  severity: CRITICAL
+  message: |
+    检测到 Django cursor.execute() 使用f-string或.format()构造SQL语句。
+    攻击者可通过用户输入注入恶意SQL（如 UNION SELECT、-- 注释符等）。
+    修复方案:
+    1. 使用参数化查询: cursor.execute("SELECT * FROM users WHERE id = %s", [user_id])
+    2. Oracle后端用 :1 占位符，MySQL/PostgreSQL用 %s
+    3. 禁止使用f-string或format拼接用户输入到SQL
+    4. 参考 OWASP SQL 注入防御指南
+  languages:
+    - python
+  pattern-either:
+    - pattern: |
+        $CURSOR.execute(f"...{$VAR}...")
+    - pattern: |
+        $CURSOR.execute("...".format(...))
+    - pattern: |
+        $CURSOR.execute($STR % ...)
+    - pattern: |
+        $CURSOR.executemany(f"...{$VAR}...")
+    - pattern: |
+        $CURSOR.executemany("...".format(...))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    framework: django
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://docs.djangoproject.com/en/stable/topics/db/sql/"
+# ZM-PY-DJANGO-SQLI-002: .raw() / RawSQL / extra() 字符串拼接
+- id: zm-py-django-sqli-002
+  severity: CRITICAL
+  message: |
+    检测到 Django ORM 的 raw()、RawSQL() 或 extra() 方法使用f-string/format
+    拼接SQL。这些方法绕过ORM参数化保护，直接执行原生SQL。
+    修复方案:
+    1. raw()使用参数化: Model.objects.raw("SELECT * FROM t WHERE id = %s", [user_id])
+    2. RawSQL()使用参数化: RawSQL("LOWER(name) LIKE %s", [user_input])
+    3. extra()已弃用(Django 4.0+)，迁移到RawSQL或自定义lookup
+    4. 优先使用ORM内置方法替代原生SQL
+  languages:
+    - python
+  pattern-either:
+    - pattern: $MODEL.objects.raw(f"...{$VAR}...")
+    - pattern: $MODEL.objects.raw("...".format(...))
+    - pattern: $MODEL.objects.raw($STR % ...)
+    - pattern: RawSQL(f"...{$VAR}...")
+    - pattern: RawSQL("...".format(...))
+    - pattern: $QS.extra(where=[f"...{$VAR}..."])
+    - pattern: $QS.extra(where=["...".format(...)])
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    framework: django
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/unified/cwe-89/zm-py-cwe89-injection-misc.yaml ADDED Viewed

@@ -0,0 +1,94 @@
+# Source: common | Cluster: N/A
+# CWE-89: Python SMTP/LDAP/GraphQL 注入检测
+# 逐码 ZhuMa V4.3 — Python 通用规则库
+# 检测: SMTP header注入、LDAP搜索注入、GraphQL无深度限制
+rules:
+# ZM-PY-INJECTION-001: SMTP mail.sendmail header注入
+- id: zm-py-smtp-injection-001
+  severity: WARNING
+  message: |
+    检测到 SMTP sendmail() 或 send_message() 的收件人/发件人/主题等参数
+    来自HTTP请求。攻击者可通过注入换行符构造额外的SMTP命令(如BCC、附加收件人)。
+    修复方案:
+    1. 使用 email.header.Header 编码邮件头
+    2. 对用户输入做换行符过滤: str.replace('\n', '').replace('\r', '')
+    3. 使用 email.message.EmailMessage 而非手动拼接邮件字符串
+    4. 对收件人地址使用 email.utils.parseaddr() 验证格式
+  languages:
+    - python
+  pattern-either:
+    - pattern: $SMTP.sendmail(f"...{$VAR}...", ...)
+    - pattern: $SMTP.sendmail(..., f"...{$VAR}...")
+    - pattern: $SMTP.send_message($MSG, f"...{$VAR}...")
+    - pattern: $SMTP.send_message($MSG, $VAR + ...)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: WARNING
+    precision: medium
+    category: injection
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A03:2021 - Injection"
+# ZM-PY-INJECTION-002: LDAP ldap3搜索注入
+- id: zm-py-ldap-injection-001
+  severity: WARNING
+  message: |
+    检测到 ldap3 搜索过滤器中使用了字符串拼接。
+    攻击者可通过构造LDAP过滤器语法(*/|/&)绕过认证或提取超出预期的数据。
+    修复方案:
+    1. 使用 ldap3.utils.dn.escape_attribute_value() 转义用户输入
+    2. 使用 LDAP过滤器安全的替换方式: filter_format = '(&(uid=%s))' % safe_uid
+    3. 对用户输入过滤LDAP特殊字符: * ( ) \ NUL
+    4. 限制搜索结果数量
+  languages:
+    - python
+  pattern-either:
+    - pattern: $CONN.search($BASE, f"...{$VAR}...")
+    - pattern: $CONN.search($BASE, $STR + $VAR)
+    - pattern: $CONN.search($BASE, $STR % ...)
+    - pattern: $CONN.search($BASE, "...".format(...))
+    - pattern: ldap3.Reader($CONN, $OBJ_CLASS, $BASE, f"...{$VAR}...")
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: WARNING
+    precision: high
+    category: injection
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://ldap3.readthedocs.io/en/latest/searches.html"
+# ZM-PY-INJECTION-003: GraphQL graphene无深度限制
+- id: zm-py-graphql-depth-001
+  severity: WARNING
+  message: |
+    检测到 graphene GraphQL schema 未配置查询深度限制。
+    攻击者可构造深层嵌套查询造成服务器资源耗尽(DoS)。
+    修复方案:
+    1. 使用 graphene.validation depth_limit_validator 或自定义中间件
+    2. 设置 query depth limit: 通常 3-10 层
+    3. 使用 query cost analysis 限制查询复杂度
+    4. 配置 query timeout 防止长时间运行的查询
+    5. 参考: from graphql import validate; validate(schema, query, [depth_limit_validator(10)])
+  languages:
+    - python
+  pattern-either:
+    - pattern: graphene.Schema(...)
+    - pattern: graphene.Schema(query=$QUERY, mutation=$MUTATION)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: WARNING
+    precision: medium
+    category: resource-exhaustion
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://docs.graphene-python.org/en/latest/execution/queryvalidation/"

package/rules/unified/cwe-89/zm-py-cwe89-sqli.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+# Source: common | Cluster: N/A
+# CWE-89: Django SQL 注入检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: raw() SQL拼接 / cursor.execute() 字符串格式化注入
+rules:
+# ZM-PY-DJANGO-SQLI-01: Model.objects.raw() SQL 字符串拼接用户输入
+- id: zm-py-django-sqli-001
+  severity: ERROR
+  message: |
+    检测到 raw() 中使用格式化拼接用户输入，可导致 SQL 注入。
+    攻击者可通过构造恶意参数绕过查询逻辑或拖取数据库。
+    修复: 使用 .objects.filter(**kwargs) 或 raw() + params=[] 参数化查询。
+  languages:
+    - python
+  pattern-either:
+    - pattern: $M.objects.raw($SQL % request)
+    - pattern: $M.objects.raw($SQL.format(request))
+    - pattern: $M.objects.raw($SQL + request)
+    - pattern: $M.objects.raw(f"...{request.$ATTR}...")
+    - pattern: $M.objects.raw("..." % request)
+    - pattern: $M.objects.raw("...".format(request))
+    - pattern: $M.objects.raw("..." + request)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: ERROR
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+# ZM-PY-DJANGO-SQLI-02: cursor.execute() 字符串格式化注入
+- id: zm-py-django-sqli-002
+  severity: ERROR
+  message: |
+    检测到 cursor.execute() 使用 %s/.format()/f-string 拼接 SQL，可导致 SQL 注入。
+    攻击者可注入 UNION SELECT、--注释等绕过认证或窃取数据。
+    修复: 使用参数化查询 cursor.execute("SELECT ... WHERE id=%s", [param])。
+  languages:
+    - python
+  pattern-either:
+    - pattern: $C.execute("..." % request)
+    - pattern: $C.execute("...".format(request))
+    - pattern: $C.execute("..." + request)
+    - pattern: $C.execute($SQL % request)
+    - pattern: $C.execute($SQL.format(request))
+    - pattern: $C.execute($SQL + request)
+    - pattern: $C.execute(f"...{request.$ATTR}...")
+    - pattern: $C.executemany("..." % request)
+    - pattern: $C.executemany("...".format(request))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: ERROR
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/unified/cwe-89/zm-py-sqlalchemy-cwe89-01.yaml ADDED Viewed

@@ -0,0 +1,66 @@
+# Source: common | Cluster: N/A
+# CWE-89: SQLAlchemy 不安全查询检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: SQLAlchemy text() 字符串拼接 / execute() 参数化缺失 / raw SQL + f-string
+rules:
+# ZM-PY-SQLALCHEMY-01: SQLAlchemy text() SQL 字符串拼接用户输入
+- id: zm-py-sqlalchemy-sqli-001
+  severity: ERROR
+  message: |
+    检测到 SQLAlchemy text()/execute() 中使用 %/.format()/f-string 拼接用户输入。
+    ORM 的 raw SQL 接口绕过参数绑定直接拼接字符串，攻击者可注入任意 SQL。
+    参考: CVE-2024-27516 — SQLAlchemy 应用中因 raw SQL 拼接导致 SQLi。
+    修复: 使用 text("SELECT ... WHERE id=:id").bindparams(id=user_input) 参数绑定；
+    或使用 ORM 查询 API: session.query(Model).filter(Model.id == user_input)。
+  languages:
+    - python
+  pattern-either:
+    - pattern: $S.execute(text("..." % request.args.get(...)))
+    - pattern: $S.execute(text("..." % request.form.get(...)))
+    - pattern: $S.execute(text("...".format(request.args.get(...))))
+    - pattern: $S.execute(text("...".format(request.form.get(...))))
+    - pattern: $S.execute(text("..." + request.args.get(...)))
+    - pattern: $S.execute(text("..." + request.form.get(...)))
+    - pattern: $S.execute(text(f"...{request.args.get(...)}..."))
+    - pattern: $S.execute(text(f"...{request.form.get(...)}..."))
+    - pattern: $S.execute("..." % request.args.get(...))
+    - pattern: $S.execute("..." % request.form.get(...))
+    - pattern: $S.execute("...".format(request.args.get(...)))
+    - pattern: $S.execute("...".format(request.form.get(...)))
+    - pattern: $S.execute(f"...{request.args.get(...)}...")
+    - pattern: $S.execute(f"...{request.form.get(...)}...")
+    - pattern: $S.execute("..." + request.args.get(...))
+    - pattern: $S.execute("..." + request.form.get(...))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: ERROR
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    cve: "CVE-2024-27516"
+# ZM-PY-SQLALCHEMY-02: SQLAlchemy text() 使用 f-string 构建查询（无用户输入直接标记）
+- id: zm-py-sqlalchemy-sqli-002
+  severity: WARNING
+  message: |
+    检测到 SQLAlchemy text() 使用 f-string 构建 SQL 查询。
+    即使 f-string 参数当前来自内部变量，后续代码变更可能引入用户输入导致 SQLi。
+    参考: 2024年SQLAlchemy官方安全建议 — 始终使用参数化查询。
+    修复: 改用 text() 的 bindparams() 参数绑定机制；或使用 ORM Query Builder。
+  languages:
+    - python
+  patterns:
+    - pattern: text(f"...")
+    - pattern: $S.execute(f"...")
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: WARNING
+    precision: medium
+    category: sql-injection
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"

package/rules/unified/cwe-89/zm-rust-cwe89-sqli.yaml ADDED Viewed

@@ -0,0 +1,149 @@
+# Source: common | Cluster: N/A
+# CWE-89: Rust SQL 注入检测
+# 逐码 ZhuMa V4.3 — Rust 通用规则库
+# 检测: sqlx::query 含 format!、裸 SQL 拼接
+rules:
+# ZM-RUST-SQLI-001: sqlx::query() 使用 format! 构造 SQL
+- id: zm-rust-cwe89-sqli-001
+  severity: CRITICAL
+  message: |
+    检测到 sqlx::query() 使用 format!() 宏构造 SQL 查询字符串。
+    format! 将用户输入直接拼入 SQL 造成 SQL 注入漏洞。
+    修复方案:
+    1. 使用 sqlx 的参数化查询:
+       sqlx::query("SELECT * FROM users WHERE id = ?")
+           .bind(user_id)
+           .fetch_one(&pool).await?;
+    2. 使用 sqlx::query_as! 编译期检查的宏
+    3. 禁止使用 format! 构造 SQL 字符串
+    4. 对表名/列名等动态标识符使用白名单映射
+    5. 参考 sqlx 官方文档和 OWASP SQL 注入防御
+  languages:
+    - rust
+  pattern: |
+    sqlx::query(format!(..., $USER_INPUT, ...))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://docs.rs/sqlx/latest/sqlx/"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"
+# ZM-RUST-SQLI-002: sqlx::query() 字符串拼接
+- id: zm-rust-cwe89-sqli-002
+  severity: CRITICAL
+  message: |
+    检测到 sqlx::query() 参数使用了 + 字符串拼接运算符。
+    字符串拼接用户输入构造 SQL 存在注入风险。
+    修复方案:
+    1. 使用 sqlx 的参数化查询和 .bind() 方法
+    2. 使用 sqlx::query_as! 编译期宏检查 SQL 语法
+    3. 使用 ORM（Diesel/SeaORM）的高层抽象
+  languages:
+    - rust
+  pattern: |
+    sqlx::query($SQL + $USER_INPUT)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+# ZM-RUST-SQLI-003: sqlx 动态表名/列名 拼接
+- id: zm-rust-cwe89-sqli-003
+  severity: ERROR
+  message: |
+    检测到 sqlx::query() 中疑似动态拼接表名或列名。
+    虽然 sqlx 不支持参数化表名/列名（只能用 ? 占位符绑定值），
+    但直接拼入用户输入作为表名仍存在二阶注入或对象枚举风险。
+    修复方案:
+    1. 对表名/列名使用白名单:
+       let table = match user_input {
+           "users" => "users",
+           "orders" => "orders",
+           _ => return Err("invalid table"),
+       };
+       sqlx::query(&format!("SELECT * FROM {}", table))
+    2. 使用 sqlx 的 .bind() 处理所有 VALUES 和 WHERE 参数
+  languages:
+    - rust
+  pattern: |
+    sqlx::query(&format!("...FROM {}...", $USER_INPUT))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: ERROR
+    precision: medium
+    category: sql-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+# ZM-RUST-SQLI-004: Diesel 裸 SQL 执行 (sql_query)
+- id: zm-rust-cwe89-sqli-004
+  severity: ERROR
+  message: |
+    检测到 Diesel 的 diesel::sql_query() 使用 format! 构造 SQL。
+    sql_query 用于执行原始 SQL，拼接用户输入存在注入风险。
+    修复方案:
+    1. 使用 Diesel 的 DSL 查询 API:
+       users.filter(name.eq(user_input)).load(&conn)?;
+    2. 或使用 sql_query 的参数绑定:
+       diesel::sql_query("SELECT * FROM users WHERE name = ?")
+           .bind::<Text, _>(user_input)
+           .load(&conn)?;
+    3. 禁止使用 format! 拼接用户输入到 sql_query
+  languages:
+    - rust
+  pattern: |
+    diesel::sql_query(format!(..., $USER_INPUT, ...))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: ERROR
+    precision: high
+    category: sql-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://docs.diesel.rs/master/diesel/fn.sql_query.html"
+# ZM-RUST-SQLI-005: rusqlite execute/query 字符串拼接
+- id: zm-rust-cwe89-sqli-005
+  severity: CRITICAL
+  message: |
+    检测到 rusqlite 的 .execute()/.query_map() 使用 format! 构造 SQL。
+    字符串拼接用户输入导致 SQL 注入。
+    修复方案:
+    1. 使用 rusqlite 的参数化查询:
+       conn.execute("SELECT * FROM users WHERE id = ?1", params![user_id])?;
+    2. 使用命名参数: conn.execute("... WHERE name = :name", named_params!{":name": user_name})?;
+    3. 禁止使用 format! 或 + 拼接 SQL
+  languages:
+    - rust
+  pattern-either:
+    - pattern: $CONN.execute(format!(..., $USER_INPUT, ...), ...)
+    - pattern: $CONN.query_map(format!(..., $USER_INPUT, ...), ...)
+    - pattern: $CONN.prepare(format!(..., $USER_INPUT, ...))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/unified/cwe-89/zm-taint-89-89-go-023.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+# Source: taint | Cluster: CL-89-GO-023
+# Taint-upgraded rule: zhuma-nvd-89-89-go-023
+# Original CWE: CWE-89 | Language: go
+# Auto-generated by L1 Taint Migration
+rules:
+- id: zhuma-taint-89-89-go-023
+  mode: taint
+  metadata:
+    category: CWE-89
+    cwe: "CWE-89"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-89-89-go-023
+  message: |
+    检测到SQL注入风险。用户输入直接拼接到SQL查询中，未使用参数化查询。
+  severity: WARNING
+  languages:
+    - go
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: r.URL.Query().Get(...)
+      - pattern: r.FormValue(...)
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: $DB.Query(...)
+      - pattern: $DB.Exec(...)
+      - pattern: $DB.QueryRow(...)