npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/unified/cwe-918/zm-cs-cwe918-ssrf.yaml ADDED Viewed

@@ -0,0 +1,96 @@
+# Source: common | Cluster: N/A
+# CWE-918: C# SSRF 检测规则
+# 逐码 ZhuMa V4.3 — C# 规则库
+#
+# 检测 .NET 中用户控制的 URL 被用于发起 HTTP 请求，
+# 可能导致服务器端请求伪造 (SSRF) 攻击。
+rules:
+# ZM-CS-CWE918-001: HttpClient URL 来自用户输入
+- id: zm-cs-cwe918-ssrf-001
+  severity: ERROR
+  message: |
+    检测到 HttpClient 的请求 URL 来源于变量或参数。
+    如果攻击者能控制请求目标 URL，可发起 SSRF 攻击：
+    扫描内网端口、访问云元数据服务 (169.254.169.254)、
+    绕过防火墙访问内部服务。
+    修复方案：
+    - 实施 URL 白名单，仅允许访问预定义的域名
+    - 禁止访问内网 IP/保留地址 (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
+    - 禁止访问云元数据地址 (169.254.169.254)
+    - 使用 HttpClientHandler.ServerCertificateCustomValidationCallback 控制
+  languages:
+    - csharp
+  pattern-either:
+    - pattern: $HTTP.GetAsync($URL)
+    - pattern: $HTTP.PostAsync($URL, ...)
+    - pattern: $HTTP.PutAsync($URL, ...)
+    - pattern: $HTTP.DeleteAsync($URL)
+    - pattern: $HTTP.SendAsync(new HttpRequestMessage($METHOD, $URL))
+    - pattern: $HTTP.GetStringAsync($URL)
+    - pattern: $HTTP.GetStreamAsync($URL)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    category: security
+    precision: medium
+    references:
+      - "https://cwe.mitre.org/data/definitions/918.html"
+      - "https://learn.microsoft.com/en-us/dotnet/fundamentals/networking/HttpClient"
+# ZM-CS-CWE918-002: WebClient/HttpWebRequest 用户URL
+- id: zm-cs-cwe918-ssrf-002
+  severity: ERROR
+  message: |
+    检测到 WebClient 或 HttpWebRequest 使用变量 URL 发起请求。
+    这些旧版 .NET HTTP 类同样易受 SSRF 攻击。
+    修复方案：
+    - 迁移至 IHttpClientFactory + HttpClient
+    - 对目标 URL 进行严格的白名单验证
+    - 在防火墙/DNS 层面阻止对内网地址的请求
+    - 使用代理隔离外部请求
+  languages:
+    - csharp
+  pattern-either:
+    - pattern: new WebClient().DownloadString($URL)
+    - pattern: new WebClient().DownloadData($URL)
+    - pattern: $WC.DownloadString($URL)
+    - pattern: $WC.DownloadData($URL)
+    - pattern: WebRequest.Create($URL)
+    - pattern: HttpWebRequest.Create($URL)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    category: security
+    precision: medium
+    references:
+      - "https://cwe.mitre.org/data/definitions/918.html"
+# ZM-CS-CWE918-003: RestClient/RestSharp 用户URL
+- id: zm-cs-cwe918-ssrf-003
+  severity: ERROR
+  message: |
+    检测到 RestSharp RestClient 使用变量 URL。
+    如果攻击者能控制 API 端点 URL，可通过 SSRF 攻击内网服务。
+    修复方案：
+    - 对 BaseUrl / Resource 进行白名单验证
+    - 禁止 URL 指向内网地址
+    - 限制允许的协议为 https
+  languages:
+    - csharp
+  pattern-either:
+    - pattern: new RestClient($URL)
+    - pattern: $RC.Execute(new RestRequest($URL))
+    - pattern: $RC.Get(new RestRequest($URL))
+    - pattern: $RC.Post(new RestRequest($URL))
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    category: security
+    precision: medium
+    references:
+      - "https://cwe.mitre.org/data/definitions/918.html"

package/rules/unified/cwe-918/zm-go-cwe918-ssrf.yaml ADDED Viewed

@@ -0,0 +1,118 @@
+# Source: common | Cluster: N/A
+# CWE-918: Go SSRF 深度检测
+# 逐码 ZhuMa V4.1 Sprint — Go 规则库
+# 覆盖: http.Get(userInput)/http.Post/httputil.ReverseProxy/c.Param→http.Get
+rules:
+# ZM-GO-SSRF-001: net/http Get/Post/Head 用户输入URL
+- id: zm-go-ssrf-001
+  severity: ERROR
+  message: |
+    检测到 net/http 客户端函数(http.Get / http.Post / http.Head / http.NewRequest)的URL参数
+    由用户输入(HTTP请求参数)控制，存在SSRF(服务端请求伪造)风险。
+    攻击者可控制目标URL使服务器发起对内网服务的恶意请求，绕过防火墙访问内部资源
+    (如 http://169.254.169.254/latest/meta-data/ 获取云环境元数据)。
+    修复方案:
+    1. 对用户传入的URL做白名单校验，仅允许预设的外部域名
+    2. 使用 url.Parse() 解析后校验 hostname 白名单
+    3. 解析DNS后校验目标IP是否在内网地址段
+    4. 配置防火墙禁止服务器访问内网地址(169.254.0.0/16, 10.0.0.0/8, 127.0.0.0/8等)
+    5. 禁用不必要的HTTP重定向跟踪
+  languages:
+    - go
+  pattern-either:
+    - pattern: http.Get($PARAM)
+    - pattern: http.Post($PARAM, $CONTENT, $BODY)
+    - pattern: http.Head($PARAM)
+    - pattern: http.NewRequest($METHOD, $PARAM, $BODY)
+    - pattern: http.NewRequestWithContext($CTX, $METHOD, $PARAM, $BODY)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: medium
+    category: ssrf
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    references:
+      - "https://pkg.go.dev/net/http"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
+# ZM-GO-SSRF-002: Gin c.Param / c.Query 直传HTTP客户端
+- id: zm-go-ssrf-002
+  severity: ERROR
+  message: |
+    检测到 Gin 框架的 c.Param / c.Query / c.PostForm 返回值直接作为HTTP客户端请求URL。
+    攻击者可通过控制URL参数发起SSRF攻击。
+    典型的危险模式:
+    func handler(c *gin.Context) {
+      url := c.Query("url")
+      resp, _ := http.Get(url)  // ← SSRF
+    }
+    修复方案:
+    1. 使用URL白名单映射替代用户直接输入URL
+    2. 解析URL后校验hostname白名单
+    3. 使用 http.NewRequest 后设置自定义 Dialer 过滤内网IP
+    4. 禁止用户控制完整URL，仅允许选择预定义的端点
+  languages:
+    - go
+  pattern-either:
+    - pattern: http.Get(c.Param($KEY))
+    - pattern: http.Get(c.Query($KEY))
+    - pattern: http.Post(c.Param($KEY), $TYPE, $BODY)
+    - pattern: http.Post(c.Query($KEY), $TYPE, $BODY)
+    - pattern: http.NewRequest($METHOD, c.Param($KEY), $BODY)
+    - pattern: http.NewRequest($METHOD, c.Query($KEY), $BODY)
+    - pattern: http.NewRequestWithContext($CTX, $METHOD, c.Param($KEY), $BODY)
+    - pattern: http.NewRequestWithContext($CTX, $METHOD, c.Query($KEY), $BODY)
+    - pattern: http.Head(c.Query($KEY))
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    references:
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
+# ZM-GO-SSRF-003: httputil.ReverseProxy 用户可控目标
+- id: zm-go-ssrf-003
+  severity: ERROR
+  message: |
+    检测到 httputil.ReverseProxy 的 Director 函数中 URL 由用户输入控制。
+    攻击者可控制反向代理的目标地址，将请求转发到内网服务。
+    典型的危险模式:
+    func handler(c *gin.Context) {
+      target := c.Query("target")
+      url, _ := url.Parse(target)
+      proxy := httputil.NewSingleHostReverseProxy(url)
+      proxy.ServeHTTP(c.Writer, c.Request)
+    }
+    修复方案:
+    1. 使用固定的反向代理目标白名单
+    2. 禁止用户输入决定代理目标
+    3. 如需动态路由，使用预定义的 target 映射表(按 path 或 header)
+    4. 修改 Director 前校验目标 URL 的白名单
+  languages:
+    - go
+  pattern-either:
+    - pattern: httputil.NewSingleHostReverseProxy(url.Parse($INPUT))
+    - pattern: httputil.ReverseProxy{...}
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: medium
+    category: ssrf
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    references:
+      - "https://pkg.go.dev/net/http/httputil#ReverseProxy"

package/rules/unified/cwe-918/zm-java-cwe918-jsoup-ssrf.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+# Source: common | Cluster: N/A
+# CWE-918: Jsoup.connect SSRF 检测
+# 逐码 ZhuMa V4.3 — SSRF 全量 Sink 覆盖
+rules:
+# ZM-JAVA-CWE918-JSOUP-001: Jsoup.connect 用户输入URL
+- id: zm-java-cwe918-jsoup-001
+  severity: WARNING
+  message: |
+    Jsoup.connect() 使用用户可控 URL 获取网页内容，可导致 SSRF。
+    Jsoup 是常用于 HTML 解析/爬虫的库，其 connect() 方法直接发起 HTTP 请求。
+    修复: 1. 对目标 URL 域名做白名单校验 2. 使用代理限制网络访问范围
+    3. DNS 解析后检查 IP 非内网地址。
+  languages:
+    - java
+  pattern-either:
+    - pattern: Jsoup.connect($REQ.getParameter(...))
+    - pattern: Jsoup.connect($REQ.getParameter(...)).get()
+    - pattern: Jsoup.connect($REQ.getParameter(...)).post()
+    - pattern: |
+        Jsoup.connect($REQ.getParameter(...)).$METHOD()
+    - pattern: |
+        $DOC = Jsoup.connect($REQ.getParameter(...)).get();
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: WARNING
+    precision: very-high
+    category: ssrf
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    likelihood: HIGH
+    impact: HIGH
+    tags: [ssrf, jsoup, html-parser]
+# ZM-JAVA-CWE918-JSOUP-002: Jsoup.connect 拼接URL
+- id: zm-java-cwe918-jsoup-002
+  severity: WARNING
+  message: |
+    Jsoup.connect() URL 由用户输入拼接构造（如 "https://" + req.getParameter("host") + "/path"），
+    攻击者可通过 @ 或参数注入等技术绕过简单的域名校验。
+    修复: 使用 java.net.URI 先解析和校验 host，再传给 Jsoup.connect()。
+  languages:
+    - java
+  pattern-either:
+    - pattern: Jsoup.connect($BASE + $REQ.getParameter(...))
+    - pattern: Jsoup.connect($BASE + $REQ.getParameter(...)).get()
+    - pattern: Jsoup.connect($BASE + $REQ.getParameter(...)).post()
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: WARNING
+    precision: medium
+    category: ssrf
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    likelihood: MEDIUM
+    impact: HIGH
+    tags: [ssrf, jsoup]

package/rules/unified/cwe-918/zm-java-cwe918-okhttp-full.yaml ADDED Viewed

@@ -0,0 +1,63 @@
+# Source: common | Cluster: N/A
+# CWE-918: OkHttp/HttpClient SSRF 全量覆盖
+# 逐码 ZhuMa V4.3 — SSRF 全量 Sink 覆盖
+rules:
+# ZM-JAVA-CWE918-OKHTTP-FULL-001: OkHttp Request URL 用户可控
+- id: zm-java-cwe918-okhttp-full-001
+  severity: WARNING
+  message: |
+    OkHttp Request/HttpUrl/Request.Builder URL 来自 HTTP 请求参数，可导致 SSRF。
+    OkHttp 默认跟随重定向，攻击者可绕过简单的域名校验。
+    修复: 1. 设置 client.newBuilder().followRedirects(false) 2. URL 白名单校验
+    3. 使用 interceptor 校验 DNS 解析后的 IP 非内网地址。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $REQ = new Request.Builder().url($HTTP_REQ.getParameter(...)).build();
+        ...
+        $CLIENT.newCall($REQ).execute();
+    - pattern: |
+        $REQ = new Request.Builder().url($HTTP_REQ.getParameter(...)).build();
+    - pattern: |
+        HttpUrl.parse($REQ.getParameter(...))
+    - pattern: |
+        HttpUrl.get($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: WARNING
+    precision: high
+    category: ssrf
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    likelihood: HIGH
+    impact: HIGH
+    tags: [ssrf, okhttp]
+# ZM-JAVA-CWE918-OKHTTP-FULL-002: OkHttpClient followRedirects(true) + 用户输入 URL
+- id: zm-java-cwe918-okhttp-full-002
+  severity: WARNING
+  message: |
+    OkHttp 启用 followRedirects + 用户输入 URL 组合，
+    攻击者可通过 302 重定向绕过 SSRF 域名校验访问内网资源。
+    修复: 关闭自动重定向 followRedirects(false)，
+    或自定义 Redirect 拦截器校验重定向目标。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $CLIENT = new OkHttpClient.Builder().followRedirects(true).build();
+        ...
+        $CLIENT.newCall(...).execute();
+    - pattern: |
+        $CLIENT = new OkHttpClient.Builder().followSslRedirects(true).build();
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: WARNING
+    precision: medium
+    category: ssrf
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    likelihood: MEDIUM
+    impact: HIGH
+    tags: [ssrf, okhttp, redirect]

package/rules/unified/cwe-918/zm-java-cwe918-resttemplate.yaml ADDED Viewed

@@ -0,0 +1,68 @@
+# Source: common | Cluster: N/A
+# CWE-918: SSRF — RestTemplate URL 参数可控检测
+# 逐码 ZhuMa V4.1
+rules:
+- id: zm-java-ssrf-rt-001
+  severity: WARNING
+  message: |
+    RestTemplate.getForObject/postForObject() URL 参数来自 HTTP 请求，可导致 SSRF。
+    修复: 1.白名单域名校验 2.DNS解析后检查IP非内网 3.禁用自动重定向
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $RT.getForObject($REQ.getParameter($PARAM), ...)
+    - pattern: |
+        $RT.postForObject($REQ.getParameter($PARAM), ...)
+  metadata:
+    cwe: "CWE-918"
+    severity: WARNING
+    precision: medium
+    category: ssrf
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A10:2021 - SSRF"
+- id: zm-java-ssrf-rt-002
+  severity: WARNING
+  message: |
+    RestTemplate.exchange() URL 参数用户可控，可能导致 SSRF。
+    修复: 1.白名单域名校验 2.DNS解析验证IP 3.禁用自动重定向
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $RT.exchange($REQ.getParameter($PARAM), ...)
+  metadata:
+    cwe: "CWE-918"
+    severity: WARNING
+    precision: medium
+    category: ssrf
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A10:2021 - SSRF"
+- id: zm-java-ssrf-rt-003
+  severity: WARNING
+  message: |
+    RestTemplate URL 由用户输入拼接构造，可能导致 SSRF。
+    修复: 1.UriComponentsBuilder+白名单host 2.校验拼装后完整URL域名 3.对path参数严格过滤
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $RT.getForObject($BASE + $REQ.getParameter($PARAM), ...)
+    - pattern: |
+        $RT.postForObject($BASE + $REQ.getParameter($PARAM), ...)
+    - pattern: |
+        $RT.exchange($BASE + $REQ.getParameter($PARAM), ...)
+  metadata:
+    cwe: "CWE-918"
+    severity: WARNING
+    precision: medium
+    category: ssrf
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A10:2021 - SSRF"

package/rules/unified/cwe-918/zm-java-cwe918-rt-getforentity.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+# Source: common | Cluster: N/A
+# CWE-918: RestTemplate getForEntity/postForEntity SSRF 检测
+# 逐码 ZhuMa V4.3 — SSRF 全量 Sink 覆盖
+rules:
+# ZM-JAVA-CWE918-RT-ENTITY-001: RestTemplate getForEntity URL 用户可控
+- id: zm-java-cwe918-rt-entity-001
+  severity: WARNING
+  message: |
+    RestTemplate.getForEntity() URL 参数来自 HTTP 请求，可导致 SSRF。
+    与 getForObject 类似，getForEntity 也会发起 HTTP 请求至攻击者指定的 URL。
+    修复: 1.白名单域名校验 2.DNS解析后检查IP非内网 3.禁用自动重定向
+  languages:
+    - java
+  pattern-either:
+    - pattern: $RT.getForEntity($REQ.getParameter($PARAM), ...)
+    - pattern: $RT.getForEntity($REQ.getHeader($HDR), ...)
+    - pattern: $RT.getForEntity($BASE + $REQ.getParameter($PARAM), ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: WARNING
+    precision: high
+    category: ssrf
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    likelihood: HIGH
+    impact: HIGH
+# ZM-JAVA-CWE918-RT-ENTITY-002: RestTemplate postForEntity URL 用户可控
+- id: zm-java-cwe918-rt-entity-002
+  severity: WARNING
+  message: |
+    RestTemplate.postForEntity() URL 参数来自 HTTP 请求参数，
+    攻击者可指定内网地址实现 SSRF 攻击。
+    修复: 对 URL 做白名单域名校验，使用 UriComponentsBuilder 构建安全的 base URL。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $RT.postForEntity($REQ.getParameter($PARAM), ...)
+    - pattern: $RT.postForEntity($REQ.getHeader($HDR), ...)
+    - pattern: $RT.postForEntity($BASE + $REQ.getParameter($PARAM), ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: WARNING
+    precision: high
+    category: ssrf
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    likelihood: HIGH
+    impact: HIGH

package/rules/unified/cwe-918/zm-java-cwe918-ssrf-depth.yaml ADDED Viewed

@@ -0,0 +1,104 @@
+# Source: common | Cluster: N/A
+# CWE-918 SSRF 深度覆盖 (v2): 全量Java HTTP客户端sink
+# 补漏: 原始 cwe-918-ssrf.yaml 仅覆盖Url/HttpURLConnection/RestTemplate/WebClient
+# 本文件追加: Feign / OkHttp / Apache HttpClient 4/5 / java.net.URL 全量变体
+rules:
+# ZM-JAVA-SSRF-OKHTTP-001: OkHttp3/4 请求URL由用户输入控制
+- id: zm-java-ssrf-okhttp-001
+  severity: MEDIUM
+  message: |
+    OkHttp 请求 URL 由用户输入控制，可能导致 SSRF。
+    校验 URL 白名单或使用 DNS 解析校验（如 `InetAddress.getAllByName`）。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $REQ = $HTTP.newBuilder().url($INPUT).build();
+        $CLIENT.newCall($REQ).execute();
+    - pattern: |
+        $HTTP.url($INPUT).build();
+    - pattern: |
+        $B = new Request.Builder().url($INPUT);
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    precision: high
+    tags: [ssrf, okhttp, http-client]
+    references:
+      - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
+# ZM-JAVA-SSRF-APACHE-HTTP: Apache HttpClient 4.x / 5.x 请求URL由用户控制
+- id: zm-java-ssrf-apache-http-001
+  severity: MEDIUM
+  message: |
+    Apache HttpClient 请求 URL 由用户输入控制，可能导致 SSRF。
+    使用 `HttpClientBuilder.setDefaultRequestConfig` 限制重定向或校验目标 IP 白名单。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $CLIENT.execute(new HttpGet($INPUT));
+    - pattern: |
+        $CLIENT.execute(new HttpPost($INPUT));
+    - pattern: |
+        $CLIENT.execute(new HttpPut($INPUT));
+    - pattern: |
+        $HTTP = HttpClients.createDefault();
+        ...
+        $HTTP.execute(new HttpGet($INPUT));
+    - pattern: |
+        $CLIENT.execute(new HttpGet($INPUT), $RESPONSE);
+    - pattern: |
+        $B = RequestBuilder.get($INPUT);
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    precision: high
+    tags: [ssrf, apache-httpclient]
+    references:
+      - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
+# ZM-JAVA-SSRF-URL-BARE: java.net.URL openConnection/openStream 由用户控制
+- id: zm-java-ssrf-url-001
+  severity: MEDIUM
+  message: |
+    java.net.URL 对象由用户输入构造，调用 openConnection/openStream 可触发 SSRF。
+    先校验域名/IP 是否在白名单内，或限制协议仅 http/https。
+  languages:
+    - java
+  pattern-either:
+    - pattern: new URL($INPUT).openConnection()
+    - pattern: new URL($INPUT).openStream()
+    - pattern: new URL($INPUT).getContent()
+    - pattern: $U = new URL($INPUT);
+    - pattern: URI.create($INPUT)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    precision: high
+    tags: [ssrf, java-net-url]
+    references:
+      - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
+# ZM-JAVA-SSRF-FEIGN: Feign Client 动态URL
+- id: zm-java-ssrf-feign-001
+  severity: MEDIUM
+  message: |
+    Feign Client @RequestLine 注解中 URL 使用字符串拼接或 @Param 传入。
+    使用固定 baseUrl + @RequestLine 相对路径，避免用户可控的完整 URL。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $FEIGN.target($TARGET, $INPUT);
+    - pattern: |
+        $FEIGN = Feign.builder().target($T, $INPUT);
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    precision: medium
+    tags: [ssrf, feign]
+    references:
+      - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

package/rules/unified/cwe-918/zm-java-cwe918-ssrf-resttemplate.yaml ADDED Viewed

@@ -0,0 +1,78 @@
+# Source: common | Cluster: N/A
+# CWE-918: SSRF — RestTemplate deeper variants
+# ZhuMa V4.1 — complement zm-java-cwe918-resttemplate.yaml and webclient.yaml
+rules:
+# ZM-JAVA-SSRF-RT-DEEP-001: RestTemplate.execute() with user-controlled URL
+- id: zm-java-ssrf-rt-deep-001
+  severity: MEDIUM
+  message: |
+    RestTemplate.execute() URL from HTTP parameter — SSRF via low-level execute method.
+    Fix: validate URL hostname against whitelist before calling execute().
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $RT.execute($REQ.getParameter(...), $METHOD, $CB, $VARS)
+    - pattern: |
+        $RT.execute($REQ.getParameter(...), HttpMethod.GET, $CB)
+    - pattern: |
+        $RT.execute($REQ.getParameter(...), HttpMethod.POST, $CB)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: MEDIUM
+    precision: medium
+    category: ssrf
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A10:2021 - SSRF"
+# ZM-JAVA-SSRF-RT-DEEP-002: RestTemplate URI variables from user input
+- id: zm-java-ssrf-rt-deep-002
+  severity: MEDIUM
+  message: |
+    RestTemplate String.format-ed URL + user-controlled path segment — SSRF via URI template injection.
+    Attacker may inject "../" or "@evil.com" into the path variable.
+    Fix: validate path segments; use UriComponentsBuilder for strict URI construction.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $RT.getForObject(String.format($FMT, $REQ.getParameter(...)), ...)
+    - pattern: |
+        $RT.exchange(String.format($FMT, $REQ.getParameter(...)), ...)
+    - pattern: |
+        $RT.getForEntity(String.format($FMT, $REQ.getParameter(...)), ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: MEDIUM
+    precision: medium
+    category: ssrf
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A10:2021 - SSRF"
+# ZM-JAVA-SSRF-RT-DEEP-003: UriComponentsBuilder from user-controlled host
+- id: zm-java-ssrf-rt-deep-003
+  severity: MEDIUM
+  message: |
+    UriComponentsBuilder host/port/scheme from user input — attacker controls full URI authority.
+    This allows SSRF to any internal IP/service. Fix: hardcode scheme/host; only allow path/query from user.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        UriComponentsBuilder.newInstance().host($REQ.getParameter(...)).build()
+    - pattern: |
+        UriComponentsBuilder.newInstance().scheme($REQ.getParameter(...)).build()
+    - pattern: |
+        UriComponentsBuilder.fromUriString($REQ.getParameter(...)).build()
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: MEDIUM
+    precision: high
+    category: ssrf
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A10:2021 - SSRF"

package/rules/unified/cwe-918/zm-java-cwe918-url-openconnection.yaml ADDED Viewed

@@ -0,0 +1,58 @@
+# Source: common | Cluster: N/A
+# CWE-918: java.net.URL.openConnection/openStream SSRF 检测
+# 逐码 ZhuMa V4.3 — SSRF 全量 Sink 覆盖
+rules:
+# ZM-JAVA-CWE918-URL-BARE-001: URL.openConnection 用户输入
+- id: zm-java-cwe918-url-bare-001
+  severity: WARNING
+  message: |
+    java.net.URL 由 HTTP 请求参数构造后调用 openConnection()，
+    可直接发起 SSRF 攻击访问内网服务。
+    修复: 1. 对 URL 的 host 做白名单校验 2. 限制协议仅 http/https
+    3. DNS 解析后检查 IP 是否为内网地址 (10.x, 172.16-31.x, 192.168.x, 127.x)。
+  languages:
+    - java
+  pattern-either:
+    - pattern: new URL($REQ.getParameter(...)).openConnection()
+    - pattern: new URL($REQ.getParameter(...)).openStream()
+    - pattern: new URL($REQ.getParameter(...)).getContent()
+    - pattern: |
+        $U = new URL($REQ.getParameter(...));
+        ...
+        $U.openConnection();
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: WARNING
+    precision: very-high
+    category: ssrf
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    likelihood: HIGH
+    impact: HIGH
+    tags: [ssrf, java-net-url]
+# ZM-JAVA-CWE918-URL-BARE-002: URI.toURL 用户输入
+- id: zm-java-cwe918-url-bare-002
+  severity: WARNING
+  message: |
+    URI.create/toURL 由用户输入构造后转为 URL 并发起请求。
+    与直接 new URL() 类似，存在 SSRF 风险。
+    修复: 使用 URI.getHost() 提取域名做白名单校验后再使用。
+  languages:
+    - java
+  pattern-either:
+    - pattern: URI.create($REQ.getParameter(...)).toURL()
+    - pattern: |
+        $URI = URI.create($REQ.getParameter(...));
+        ...
+        $URI.toURL().openConnection();
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: WARNING
+    precision: high
+    category: ssrf
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    likelihood: HIGH
+    impact: HIGH
+    tags: [ssrf, java-net-url]