npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/unified/cwe-918/zm-java-cwe918-webclient-ssrf.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+# Source: common | Cluster: N/A
+# CWE-918: Spring WebClient (Reactive) SSRF 检测
+# 逐码 ZhuMa V4.3 — SSRF 全量 Sink 覆盖
+rules:
+# ZM-JAVA-CWE918-WEBCLIENT-001: WebClient URI 用户可控
+- id: zm-java-cwe918-webclient-001
+  severity: WARNING
+  message: |
+    Spring WebClient (Reactive) URI 由用户输入构造，可导致 SSRF。
+    WebClient 是 Spring 5+ 推荐的 HTTP 客户端，同样存在 SSRF 风险。
+    修复: 1. 使用固定 baseUrl 构建 WebClient 2. 对 path segments 使用 UriBuilder
+    3. 验证目标 host 在白名单内 4. 配置 DNS 解析后校验 IP
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $WC = WebClient.create($REQ.getParameter(...));
+    - pattern: |
+        $WC = WebClient.builder().baseUrl($REQ.getParameter(...)).build();
+    - pattern: |
+        $WC.get().uri($REQ.getParameter(...)).retrieve()
+    - pattern: |
+        $WC.post().uri($REQ.getParameter(...))
+    - pattern: |
+        $WC.get().uri(URI.create($REQ.getParameter(...)))
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: WARNING
+    precision: high
+    category: ssrf
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    likelihood: HIGH
+    impact: HIGH
+    tags: [ssrf, webclient, reactive]
+# ZM-JAVA-CWE918-WEBCLIENT-002: WebClient mutate() 更改 baseUrl
+- id: zm-java-cwe918-webclient-002
+  severity: WARNING
+  message: |
+    WebClient.mutate().baseUrl() 使用用户可控 URL 修改请求目标。
+    攻击者可通过控制 baseUrl 发起 SSRF 攻击。
+    修复: baseUrl 应为常量配置，不要从请求参数中获取。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $WC.mutate().baseUrl($REQ.getParameter(...))
+    - pattern: |
+        $WC.mutate().baseUrl($REQ.getHeader(...))
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: WARNING
+    precision: high
+    category: ssrf
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    likelihood: MEDIUM
+    impact: HIGH
+    tags: [ssrf, webclient, reactive]

package/rules/unified/cwe-918/zm-java-cwe918-webclient.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+# Source: common | Cluster: N/A
+# CWE-918: SSRF — Spring WebClient URI 参数可控检测
+# V4.1 - 单语句模式，避免跨语句 ... 导致的 PatternParseError
+rules:
+- id: zm-java-ssrf-wc-001
+  severity: WARNING
+  message: |
+    Spring WebClient get/post uri() from HTTP request param - user-controllable, can cause SSRF.
+    Fix: whitelist domain validation / DNS resolve verify non-internal IP / use UriComponentsBuilder.
+  languages:
+    - java
+  pattern-either:
+    - pattern: WebClient.create().get().uri($REQ.getParameter($PARAM))
+    - pattern: WebClient.create().post().uri($REQ.getParameter($PARAM))
+    - pattern: $WC.get().uri($REQ.getParameter($PARAM))
+    - pattern: $WC.post().uri($REQ.getParameter($PARAM))
+  metadata:
+    cwe: "CWE-918"
+    severity: WARNING
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A10:2021 - SSRF"
+- id: zm-java-ssrf-wc-002
+  severity: WARNING
+  message: |
+    WebClient baseUrl from user input - attacker controls baseUrl to redirect to malicious server.
+    Fix: hardcode domain whitelist for baseUrl / never use user input as baseUrl.
+  languages:
+    - java
+  pattern-either:
+    - pattern: WebClient.builder().baseUrl($REQ.getParameter($PARAM)).build()
+    - pattern: WebClient.builder().baseUrl($REQ.getParameter($PARAM))
+  metadata:
+    cwe: "CWE-918"
+    severity: WARNING
+    precision: high
+    category: ssrf
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A10:2021 - SSRF"

package/rules/unified/cwe-918/zm-js-cwe918-http-ssrf-concat.yaml ADDED Viewed

@@ -0,0 +1,28 @@
+# Source: common | Cluster: N/A
+# CWE-918: node-fetch/axios/got 含用户URL拼接
+# 逐码 ZhuMa V4.3 — JS/TS 通用规则库
+rules:
+- id: zm-js-http-ssrf-001
+  severity: ERROR
+  message: >
+    HTTP客户端(axios/got/node-fetch)的请求URL由用户输入拼接构造，
+    攻击者可控制完整URL发起SSRF攻击访问内网服务。
+    修复: 对目标URL做白名单域名校验，禁止用户输入决定完整URL。
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        $AXIOS({url: $BASE + $INPUT})
+    - pattern: $AXIOS.get($BASE + $INPUT, ...)
+    - pattern: got($BASE + $INPUT, ...)
+    - pattern: got.get($BASE + $INPUT, ...)
+    - pattern: nodeFetch($BASE + $INPUT, ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    category: security
+    precision: medium
+    confidence: medium

package/rules/unified/cwe-918/zm-js-cwe918-nextjs-ssrf.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+# Source: common | Cluster: N/A
+# CWE-918: Next.js API Route 直接拼外部 URL (fetch)
+# 逐码 ZhuMa V4.3 — JS/TS Next.js 规则库
+rules:
+- id: zm-js-nextjs-ssrf-001
+  severity: ERROR
+  message: >
+    Next.js API Route 中将 req.query/req.body 用户输入直接拼接进 fetch() URL，
+    存在 SSRF 漏洞，攻击者可控制目标URL使服务器发起对内网服务的恶意请求。
+    修复: 对目标URL做白名单域名校验，禁止用户输入决定完整URL。
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        export async function $HANDLER(req, ...) {
+          ...
+          fetch($URL + $REQ.query.$FIELD, ...)
+          ...
+        }
+    - pattern: |
+        export async function $HANDLER(req, ...) {
+          ...
+          fetch($URL + $REQ.body.$FIELD, ...)
+          ...
+        }
+    - pattern: |
+        export default async function $HANDLER(req, ...) {
+          ...
+          fetch($URL + $REQ.query.$FIELD, ...)
+          ...
+        }
+    - pattern: |
+        export default async function $HANDLER(req, ...) {
+          ...
+          fetch($URL + $REQ.body.$FIELD, ...)
+          ...
+        }
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    category: security
+    precision: medium
+    confidence: medium

package/rules/unified/cwe-918/zm-js-cwe918-ssrf-fetch.yaml ADDED Viewed

@@ -0,0 +1,135 @@
+# Source: common | Cluster: N/A
+# CWE-918: Node.js SSRF 深度覆盖 — fetch/axios/node-fetch/got 全量sink
+# 逐码 ZhuMa V4.1 Sprint — JS/TS 规则库
+# 覆盖: fetch() / axios({url:...}) / node-fetch / got / undici 对象式请求
+rules:
+# ZM-JS-SSRF-FETCH-001: fetch/axios/node-fetch 直接传入用户输入URL
+- id: zm-js-ssrf-fetch-001
+  severity: ERROR
+  message: |
+    检测到 fetch / axios / node-fetch / got / undici.fetch 等 HTTP 客户端直接使用用户输入作为请求URL，
+    存在SSRF（服务端请求伪造）风险。
+    攻击者可控制目标URL使服务器发起对内网服务的恶意请求，绕过防火墙访问内部资源
+    (如 http://169.254.169.254/latest/meta-data/ 获取云环境元数据)。
+    修复:
+    1. 对用户传入的URL做白名单校验，仅允许预设的外部域名
+    2. 禁止用户输入直接决定请求目标，使用URL映射表替代
+    3. 使用SSRF保护库(如 ssrf-filter / safe-request)
+    4. 配置防火墙禁止服务器访问内网地址(169.254.0.0/16, 10.0.0.0/8, 127.0.0.0/8等)
+    5. 禁用不必要的HTTP重定向跟踪
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    # fetch()
+    - pattern: fetch($REQ.query.$PARAM, ...)
+    - pattern: fetch($REQ.params.$PARAM, ...)
+    - pattern: fetch($REQ.body.$PARAM, ...)
+    # node-fetch
+    - pattern: nodeFetch($REQ.query.$PARAM, ...)
+    - pattern: nodeFetch($REQ.params.$PARAM, ...)
+    - pattern: nodeFetch($REQ.body.$PARAM, ...)
+    # axios object-style
+    - pattern: |
+        axios({url: $REQ.query.$PARAM, ...})
+    - pattern: |
+        axios({url: $REQ.params.$PARAM, ...})
+    - pattern: |
+        axios({url: $REQ.body.$PARAM, ...})
+    - pattern: |
+        $AXIOS({url: $REQ.query.$PARAM, ...})
+    - pattern: |
+        $AXIOS({url: $REQ.params.$PARAM, ...})
+    - pattern: |
+        $AXIOS({url: $REQ.body.$PARAM, ...})
+    # got object-style
+    - pattern: |
+        got({url: $REQ.query.$PARAM, ...})
+    - pattern: |
+        got({url: $REQ.params.$PARAM, ...})
+    - pattern: |
+        got({url: $REQ.body.$PARAM, ...})
+    # undici.fetch
+    - pattern: undici.fetch($REQ.query.$PARAM, ...)
+    - pattern: undici.fetch($REQ.params.$PARAM, ...)
+    - pattern: undici.fetch($REQ.body.$PARAM, ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    category: ssrf
+    precision: high
+    confidence: high
+    references:
+      - "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
+# ZM-JS-SSRF-FETCH-002: 用户输入拼接URL后传入fetch/axios
+- id: zm-js-ssrf-fetch-002
+  severity: WARNING
+  message: |
+    fetch / axios 请求URL由用户输入拼接构造，需确认拼接变量是否可直接控制完整URL。
+    若用户可控制协议+域名部分(如 http://evil.com )，存在SSRF风险。
+    修复:
+    1. 使用 new URL() 解析目标并验证 hostname 白名单
+    2. 使用URL映射表(key->URL)替代直接拼接
+    3. 限制协议仅允许 https
+    4. 使用SSRF防护库过滤内网IP
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: fetch($URL + $INPUT, ...)
+    - pattern: nodeFetch($URL + $INPUT, ...)
+    - pattern: |
+        axios({url: $URL + $INPUT, ...})
+    - pattern: got($URL + $INPUT, ...)
+    - pattern: undici.fetch($URL + $INPUT, ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    category: ssrf
+    precision: low
+    confidence: medium
+    references:
+      - "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
+# ZM-JS-SSRF-FETCH-003: got.stream / needle / superagent 对象式URL注入
+- id: zm-js-ssrf-fetch-003
+  severity: ERROR
+  message: |
+    got / superagent / needle 等 HTTP 库的对象式请求中，hostname/href/uri 字段由用户输入控制，
+    可导致SSRF攻击。
+    修复:
+    1. 白名单限制目标域名
+    2. 使用固定的baseURL + 相对路径模式
+    3. 禁止用户输入覆盖hostname/href/uri字段
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: "got({hostname: $REQ.query.$PARAM})"
+    - pattern: "got({hostname: $REQ.params.$PARAM})"
+    - pattern: "got({hostname: $REQ.body.$PARAM})"
+    - pattern: "got({href: $REQ.query.$PARAM})"
+    - pattern: "got({href: $REQ.params.$PARAM})"
+    - pattern: "got({uri: $REQ.query.$PARAM})"
+    - pattern: "got({uri: $REQ.params.$PARAM})"
+    - pattern: superagent($METHOD, $REQ.query.$PARAM)
+    - pattern: superagent($METHOD, $REQ.params.$PARAM)
+    - pattern: superagent($METHOD, $REQ.body.$PARAM)
+    - pattern: needle($METHOD, $REQ.query.$PARAM, ...)
+    - pattern: needle($METHOD, $REQ.params.$PARAM, ...)
+    - pattern: needle($METHOD, $REQ.body.$PARAM, ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    category: ssrf
+    precision: high
+    confidence: high
+    references:
+      - "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"

package/rules/unified/cwe-918/zm-js-cwe918-ssrf.yaml ADDED Viewed

@@ -0,0 +1,133 @@
+# Source: common | Cluster: N/A
+# CWE-918: Node.js SSRF 服务端请求伪造检测规则
+# 逐码 ZhuMa V4.1 Sprint 2 — JS/TS 规则库
+# 覆盖: http/https native、axios、fetch/node-fetch、got、superagent、needle、undici
+rules:
+# ZM-JS-SSRF-001: HTTP库直接传入 req.query/params/body 作为URL (高精度)
+- id: zm-js-ssrf-001
+  severity: ERROR
+  message: |
+    HTTP请求库直接将 req.query / req.params / req.body 的值作为URL参数传入，
+    存在SSRF（服务端请求伪造）风险。
+    攻击者可控制目标URL使服务器发起对内网服务的恶意请求，绕过防火墙访问内部资源
+    (如 http://169.254.169.254/latest/meta-data/ 获取云环境元数据)。
+    修复:
+    1. 对用户传入的URL做白名单校验，仅允许预设的外部域名
+    2. 禁止用户输入直接决定请求目标，使用URL映射表替代
+    3. 使用SSRF保护库(如 ssrf-filter / safe-request)
+    4. 配置防火墙禁止服务器访问内网地址(169.254.0.0/16, 10.0.0.0/8, 127.0.0.0/8等)
+    5. 禁用不必要的HTTP重定向跟随
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    # Native http/https
+    - pattern: http.get($REQ.query.$PARAM, ...)
+    - pattern: http.get($REQ.params.$PARAM, ...)
+    - pattern: http.get($REQ.body.$PARAM, ...)
+    - pattern: http.request($REQ.query.$PARAM, ...)
+    - pattern: http.request($REQ.params.$PARAM, ...)
+    - pattern: http.request($REQ.body.$PARAM, ...)
+    - pattern: https.get($REQ.query.$PARAM, ...)
+    - pattern: https.get($REQ.params.$PARAM, ...)
+    - pattern: https.get($REQ.body.$PARAM, ...)
+    - pattern: https.request($REQ.query.$PARAM, ...)
+    - pattern: https.request($REQ.params.$PARAM, ...)
+    - pattern: https.request($REQ.body.$PARAM, ...)
+    # axios
+    - pattern: axios.get($REQ.query.$PARAM, ...)
+    - pattern: axios.get($REQ.params.$PARAM, ...)
+    - pattern: axios.get($REQ.body.$PARAM, ...)
+    - pattern: axios.request($REQ.query.$PARAM, ...)
+    - pattern: axios.request($REQ.params.$PARAM, ...)
+    - pattern: axios.request($REQ.body.$PARAM, ...)
+    - pattern: $AXIOS.get($REQ.query.$PARAM, ...)
+    - pattern: $AXIOS.get($REQ.params.$PARAM, ...)
+    - pattern: $AXIOS.get($REQ.body.$PARAM, ...)
+    - pattern: $AXIOS.request($REQ.query.$PARAM, ...)
+    - pattern: $AXIOS.request($REQ.params.$PARAM, ...)
+    - pattern: $AXIOS.request($REQ.body.$PARAM, ...)
+    - pattern: $AXIOS.post($REQ.query.$PARAM, ...)
+    - pattern: $AXIOS.put($REQ.query.$PARAM, ...)
+    - pattern: $AXIOS.delete($REQ.query.$PARAM, ...)
+    # fetch / node-fetch
+    - pattern: fetch($REQ.query.$PARAM, ...)
+    - pattern: fetch($REQ.params.$PARAM, ...)
+    - pattern: fetch($REQ.body.$PARAM, ...)
+    # got
+    - pattern: got($REQ.query.$PARAM, ...)
+    - pattern: got($REQ.params.$PARAM, ...)
+    - pattern: got($REQ.body.$PARAM, ...)
+    - pattern: got.get($REQ.query.$PARAM, ...)
+    - pattern: got.get($REQ.params.$PARAM, ...)
+    - pattern: got.get($REQ.body.$PARAM, ...)
+    - pattern: got.post($REQ.query.$PARAM, ...)
+    - pattern: got.put($REQ.query.$PARAM, ...)
+    # superagent
+    - pattern: superagent.get($REQ.query.$PARAM)
+    - pattern: superagent.get($REQ.params.$PARAM)
+    - pattern: superagent.get($REQ.body.$PARAM)
+    - pattern: request.get($REQ.query.$PARAM)
+    - pattern: request.get($REQ.params.$PARAM)
+    - pattern: request.get($REQ.body.$PARAM)
+    # needle
+    - pattern: needle.get($REQ.query.$PARAM, ...)
+    - pattern: needle.get($REQ.params.$PARAM, ...)
+    - pattern: needle.get($REQ.body.$PARAM, ...)
+    - pattern: needle.request('get', $REQ.query.$PARAM, ...)
+    - pattern: needle.request('get', $REQ.params.$PARAM, ...)
+    - pattern: needle.request('get', $REQ.body.$PARAM, ...)
+    # undici
+    - pattern: undici.request($REQ.query.$PARAM, ...)
+    - pattern: undici.request($REQ.params.$PARAM, ...)
+    - pattern: undici.request($REQ.body.$PARAM, ...)
+    - pattern: undici.fetch($REQ.query.$PARAM, ...)
+    - pattern: undici.fetch($REQ.params.$PARAM, ...)
+    - pattern: undici.fetch($REQ.body.$PARAM, ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    category: ssrf
+    precision: high
+    references:
+      - "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
+# ZM-JS-SSRF-002: HTTP库URL字符串拼接 (低精度，需人工确认)
+- id: zm-js-ssrf-002
+  severity: WARNING
+  message: |
+    HTTP请求库使用了字符串拼接或模板字符串构建请求URL，需确认拼接变量是否来自用户输入。
+    若变量可控则存在SSRF风险。
+    修复:
+    1. 使用 new URL() 解析目标并验证 hostname 白名单
+    2. 使用URL映射表(key->URL)替代直接拼接
+    3. 使用SSRF防护库过滤内网IP
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: http.get($URL + $INPUT, ...)
+    - pattern: http.request($URL + $INPUT, ...)
+    - pattern: https.get($URL + $INPUT, ...)
+    - pattern: https.request($URL + $INPUT, ...)
+    - pattern: $AXIOS.get($URL + $INPUT, ...)
+    - pattern: $AXIOS.request($URL + $INPUT, ...)
+    - pattern: axios.get($URL + $INPUT, ...)
+    - pattern: fetch($URL + $INPUT, ...)
+    - pattern: got($URL + $INPUT, ...)
+    - pattern: got.get($URL + $INPUT, ...)
+    - pattern: superagent.get($URL + $INPUT)
+    - pattern: needle.get($URL + $INPUT, ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    category: ssrf
+    precision: low
+    references:
+      - "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"

package/rules/unified/cwe-918/zm-php-cwe918-ssrf.yaml ADDED Viewed

@@ -0,0 +1,144 @@
+# Source: common | Cluster: N/A
+# CWE-918: PHP SSRF 服务端请求伪造检测
+# 逐码 ZhuMa V4.3 — PHP 通用规则库
+# 检测: file_get_contents/curl_setopt/fopen 使用用户可控 URL
+rules:
+# ZM-PHP-SSRF-001: file_get_contents() URL 来自 $_GET/$_POST
+- id: zm-php-cwe918-ssrf-001
+  severity: ERROR
+  message: |
+    检测到 file_get_contents() 的 URL 参数来自 $_GET/$_POST/$_REQUEST 等 HTTP 输入。
+    攻击者可操控 URL 参数访问内网资源（如 http://169.254.169.254/ 云元数据、
+    http://127.0.0.1:6379/ Redis、内网服务），造成 SSRF 漏洞。
+    修复方案:
+    1. 对用户输入的 URL 做白名单域名校验
+    2. 禁止访问内网 IP: 解析 DNS 后检查 IP 范围
+    3. 使用 curl 并设置 CURLOPT_PROTOCOLS 仅允许 http/https
+    4. 禁用 URL 重定向跟随: CURLOPT_FOLLOWLOCATION => false
+    5. PHP 配置: allow_url_fopen = Off (php.ini)
+    6. 参考 OWASP SSRF 防御指南
+  languages:
+    - php
+  pattern-either:
+    - pattern: file_get_contents($_GET[$X])
+    - pattern: file_get_contents($_POST[$X])
+    - pattern: file_get_contents($_REQUEST[$X])
+    - pattern: file_get_contents("http://" . $_GET[$X])
+    - pattern: file_get_contents("https://" . $_GET[$X])
+    - pattern: file_get_contents("http://" . $_POST[$X])
+    - pattern: file_get_contents("https://" . $_POST[$X])
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: MEDIUM
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    references:
+      - "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
+# ZM-PHP-SSRF-002: curl_setopt() CURLOPT_URL 来自用户输入
+- id: zm-php-cwe918-ssrf-002
+  severity: ERROR
+  message: |
+    检测到 curl_setopt() 的 CURLOPT_URL 参数来自 $_GET/$_POST/$_REQUEST 等用户输入。
+    cURL 是 PHP 中最常见的 HTTP 请求库，用户可控 URL 可导致 SSRF。
+    修复方案:
+    1. 对 URL 做白名单域名校验，禁止访问内网 IP
+    2. 设置 CURLOPT_PROTOCOLS 限制协议: CURLPROTO_HTTP | CURLPROTO_HTTPS
+    3. 禁用重定向: curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false)
+    4. 设置 CURLOPT_SSL_VERIFYPEER => true 防止中间人
+    5. 使用 filter_var($url, FILTER_VALIDATE_URL) 验证 URL 格式
+  languages:
+    - php
+  pattern-either:
+    - pattern: curl_setopt($CH, CURLOPT_URL, $_GET[$X])
+    - pattern: curl_setopt($CH, CURLOPT_URL, $_POST[$X])
+    - pattern: curl_setopt($CH, CURLOPT_URL, $_REQUEST[$X])
+    - pattern: curl_setopt($CH, CURLOPT_URL, "http://" . $_GET[$X])
+    - pattern: curl_setopt($CH, CURLOPT_URL, "https://" . $_GET[$X])
+    - pattern: curl_setopt($CH, CURLOPT_URL, "http://" . $_POST[$X])
+    - pattern: curl_setopt($CH, CURLOPT_URL, "https://" . $_POST[$X])
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: MEDIUM
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+# ZM-PHP-SSRF-003: fopen/readfile/fopen URL 来自用户输入
+- id: zm-php-cwe918-ssrf-003
+  severity: ERROR
+  message: |
+    检测到 fopen() / readfile() / SplFileObject 等函数使用用户提供的 URL 参数。
+    这些 PHP 文件函数支持 HTTP/HTTPS 流包装器，可用于 SSRF 攻击。
+    修复方案:
+    1. 白名单校验域名
+    2. 禁用 allow_url_fopen (php.ini) 如不需远程文件访问
+    3. 使用 curl 并实施严格的 SSRF 防御控制
+  languages:
+    - php
+  pattern-either:
+    - pattern: fopen($_GET[$X], ...)
+    - pattern: fopen($_POST[$X], ...)
+    - pattern: fopen("http://" . $_GET[$X], ...)
+    - pattern: fopen("https://" . $_GET[$X], ...)
+    - pattern: readfile($_GET[$X])
+    - pattern: readfile($_POST[$X])
+    - pattern: file($_GET[$X])
+    - pattern: file($_POST[$X])
+    - pattern: new SplFileObject($_GET[$X])
+    - pattern: new SplFileObject($_POST[$X])
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+# ZM-PHP-SSRF-004: Laravel HTTP Client URL 来自用户输入
+- id: zm-php-cwe918-ssrf-004
+  severity: ERROR
+  message: |
+    检测到 Laravel HTTP Client (Http::get/post/...) 的 URL 参数来自用户输入。
+    Laravel 的 Http Facade 底层使用 Guzzle，用户可控 URL 存在 SSRF 风险。
+    修复方案:
+    1. 对 URL 做白名单域名校验
+    2. 使用 Laravel URL 验证: filter_var($url, FILTER_VALIDATE_URL)
+    3. 解析 DNS 后检查 IP 不属内网范围
+    4. 配置 Guzzle 中间件限制请求目标
+  languages:
+    - php
+  pattern-either:
+    - pattern: Http::get($_GET[$X])
+    - pattern: Http::get($_POST[$X])
+    - pattern: Http::get($request->input(...))
+    - pattern: Http::post($_GET[$X], ...)
+    - pattern: Http::post($_POST[$X], ...)
+    - pattern: Http::post($request->input(...), ...)
+    - pattern: Http::withOptions(...)->get($_GET[$X])
+    - pattern: Http::withOptions(...)->get($_POST[$X])
+    - pattern: Http::withOptions(...)->post($_GET[$X], ...)
+    - pattern: Http::withOptions(...)->post($_POST[$X], ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: MEDIUM
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    references:
+      - "https://laravel.com/docs/http-client"

package/rules/unified/cwe-918/zm-py-cwe918-flask-ssrf.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+# Source: common | Cluster: N/A
+# CWE-918: Flask url_for 动态构造 SSRF
+# 逐码 ZhuMa V4.3 — Python 框架特化规则库
+# 检测: url_for参数来自request
+rules:
+# ZM-PY-FLASK-SSRF-001: url_for动态构造SSRF
+- id: zm-py-flask-ssrf-001
+  severity: WARNING
+  message: |
+    检测到 Flask url_for() 参数来自 HTTP 请求。若攻击者控制端点名称，
+    可能构造指向内部服务的URL，实现SSRF攻击。
+    修复方案:
+    1. url_for 端点名使用字面量字符串: url_for('user_profile', id=user_id)
+    2. 对必须动态选择的端点使用白名单映射
+    3. 校验生成的URL域名是否在允许范围内
+  languages:
+    - python
+  pattern-either:
+    - pattern: flask.url_for(request.args.get(...))
+    - pattern: flask.url_for(request.form.get(...))
+    - pattern: flask.url_for(request.values.get(...))
+    - pattern: url_for(request.args.get(...))
+    - pattern: url_for(request.form.get(...))
+    - pattern: url_for(request.values.get(...))
+    - pattern: flask.url_for($ENDPOINT, **request.args)
+    - pattern: url_for($ENDPOINT, **request.args)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: WARNING
+    precision: medium
+    category: ssrf
+    framework: flask
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    references:
+      - "https://flask.palletsprojects.com/en/stable/api/#flask.url_for"