@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

package/rules/unified/cwe-918/zm-py-cwe918-ssrf-advanced.yaml

@@ -0,0 +1,105 @@
+# Source: common | Cluster: N/A
+# CWE-918: Python SSRF扩展检测 (socket/http.client/httpx/requests)
+# 逐码 ZhuMa V4.3 — Python 通用规则库
+# 检测: socket构造HTTP请求、httpx/requests URL来自request
+
+rules:
+
+# ZM-PY-SSRF-001: socket直接构造HTTP请求
+- id: zm-py-ssrf-001
+  severity: ERROR
+  message: |
+    检测到使用 socket 直接构造 HTTP 请求，且URL来自用户输入。
+    攻击者可控制目标地址发起SSRF攻击，访问内网服务或云元数据。
+
+    修复方案:
+    1. 使用 requests/httpx 库替代手写HTTP，利用其URL解析和重定向控制
+    2. 解析目标URL后校验hostname不在内网地址段
+    3. 使用 iptables/nftables 禁止服务器访问内网
+    4. 使用 urlparse 验证scheme仅允许 http/https
+  languages:
+    - python
+  pattern-either:
+    - pattern: |
+        s = socket.socket(...)
+        s.connect(($HOST, $PORT))
+        s.send(b"GET " + $PATH + ...)
+    - pattern: |
+        $SOCK.connect(($HOST, $PORT))
+        $SOCK.send(b"GET " + ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+
+# ZM-PY-SSRF-002: httpx HTTP请求URL来自用户输入
+- id: zm-py-ssrf-002
+  severity: ERROR
+  message: |
+    检测到 httpx.get/post/request 的URL参数来自HTTP请求参数。
+    攻击者可构造URL访问内网服务(http://localhost:6379/ Redis未授权访问)。
+
+    修复方案:
+    1. 对传入URL做hostname白名单校验
+    2. 使用 httpx.URL() 解析后检查 host 是否在内网范围
+    3. 配置 httpx 的 transport 使用自定义 DNS 解析器过滤内网IP
+    4. 使用 httpx.Client(base_url=...) 限制基础URL
+  languages:
+    - python
+  pattern-either:
+    - pattern: httpx.get(request.args.get(...))
+    - pattern: httpx.get(request.form.get(...))
+    - pattern: httpx.get(request.values.get(...))
+    - pattern: httpx.post(request.args.get(...))
+    - pattern: httpx.post(request.form.get(...))
+    - pattern: httpx.request($METHOD, request.args.get(...))
+    - pattern: httpx.request($METHOD, request.form.get(...))
+    - pattern: httpx.AsyncClient().get(request.args.get(...))
+    - pattern: httpx.AsyncClient().post(request.form.get(...))
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    references:
+      - "https://www.python-httpx.org/advanced/#custom-transports"
+
+# ZM-PY-SSRF-003: requests库 URL来自用户输入
+- id: zm-py-ssrf-003
+  severity: ERROR
+  message: |
+    检测到 requests.get/post 的URL参数来自HTTP请求参数。
+    这是最常见的SSRF模式，攻击者可传入内网URL。
+
+    修复方案:
+    1. 对URL做hostname白名单: from urllib.parse import urlparse; hostname = urlparse(url).hostname
+    2. 校验hostname不在内网地址段(10.x, 172.16-31.x, 192.168.x, 127.x, 169.254.x)
+    3. 使用 requests.Session() 配置自定义适配器过滤内网IP
+    4. 禁止用户控制完整URL，使用端点白名单映射
+  languages:
+    - python
+  pattern-either:
+    - pattern: requests.get(request.args.get(...))
+    - pattern: requests.get(request.form.get(...))
+    - pattern: requests.get(request.values.get(...))
+    - pattern: requests.post(request.args.get(...))
+    - pattern: requests.post(request.form.get(...))
+    - pattern: requests.request($METHOD, request.args.get(...))
+    - pattern: requests.request($METHOD, request.form.get(...))
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    references:
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"

package/rules/unified/cwe-918/zm-py-cwe918-ssrf.yaml

@@ -0,0 +1,124 @@
+# Source: common | Cluster: N/A
+# CWE-918: Python SSRF 服务端请求伪造检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: requests.get(userInput) / urllib.request.urlopen(userInput) / httpx.get(userInput)
+
+rules:
+
+# ZM-PY-SSRF-01: requests.get/post/put/head 参数来自 request
+- id: zm-py-ssrf-001
+  severity: ERROR
+  message: |
+    检测到 requests.get/post/put/head 等方法的 URL 参数来自 HTTP 请求。
+    攻击者可构造内网地址（如 http://169.254.169.254/latest/meta-data/）访问云元数据服务或内网服务。
+    修复: 对用户输入的 URL 做白名单校验（协议/域名/IP）；禁用内网 IP 段（10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16）。
+  languages:
+    - python
+  pattern-either:
+    - pattern: requests.get(request.args.get(...))
+    - pattern: requests.get(request.form.get(...))
+    - pattern: requests.get(request.values.get(...))
+    - pattern: requests.get(request.data)
+    - pattern: requests.get(request.json.get(...))
+    - pattern: requests.post(request.args.get(...))
+    - pattern: requests.post(request.form.get(...))
+    - pattern: requests.post(request.values.get(...))
+    - pattern: requests.post(request.data)
+    - pattern: requests.put(request.args.get(...))
+    - pattern: requests.put(request.form.get(...))
+    - pattern: requests.head(request.args.get(...))
+    - pattern: requests.head(request.form.get(...))
+    - pattern: requests.request($METHOD, request.args.get(...))
+    - pattern: requests.request($METHOD, request.form.get(...))
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A10:2021 - Server-Side Request Forgery"
+
+# ZM-PY-SSRF-02: urllib.request.urlopen() 参数来自 request
+- id: zm-py-ssrf-002
+  severity: ERROR
+  message: |
+    检测到 urllib.request.urlopen() / urlretrieve() 的 URL 参数来自 HTTP 请求。
+    urllib 同样支持 file:// 协议，攻击者可读取本地文件。
+    修复: 使用 urllib.parse.urlparse() 解析 URL 后做协议和主机白名单校验。
+  languages:
+    - python
+  pattern-either:
+    - pattern: urllib.request.urlopen(request.args.get(...))
+    - pattern: urllib.request.urlopen(request.form.get(...))
+    - pattern: urllib.request.urlopen(request.values.get(...))
+    - pattern: urllib.request.urlopen(request.data)
+    - pattern: urllib.request.urlretrieve(request.args.get(...), ...)
+    - pattern: urllib.request.urlretrieve(request.form.get(...), ...)
+    - pattern: urllib.request.urlopen($BASE + request.args.get(...))
+    - pattern: urllib.request.urlopen($BASE + request.form.get(...))
+    - pattern: urllib.request.urlopen(f"...{request.args.get(...)}...")
+    - pattern: urllib.request.urlopen(f"...{request.form.get(...)}...")
+    - pattern: urllib.urlopen(request.args.get(...))
+    - pattern: urllib.urlopen(request.form.get(...))
+    - pattern: urllib2.urlopen(request.args.get(...))
+    - pattern: urllib2.urlopen(request.form.get(...))
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A10:2021 - Server-Side Request Forgery"
+
+# ZM-PY-SSRF-03: httpx.get/post 参数来自 request
+- id: zm-py-ssrf-003
+  severity: ERROR
+  message: |
+    检测到 httpx.get/post/AsyncClient 的 URL 参数来自 HTTP 请求。
+    httpx 同样可能被利用进行 SSRF 攻击访问内网服务或云元数据。
+    修复: 校验用户输入 URL 协议仅允许 http/https；禁止解析到内网 IP。
+  languages:
+    - python
+  pattern-either:
+    - pattern: httpx.get(request.args.get(...))
+    - pattern: httpx.get(request.form.get(...))
+    - pattern: httpx.get(request.values.get(...))
+    - pattern: httpx.post(request.args.get(...))
+    - pattern: httpx.post(request.form.get(...))
+    - pattern: httpx.AsyncClient().get(request.args.get(...))
+    - pattern: httpx.AsyncClient().get(request.form.get(...))
+    - pattern: httpx.AsyncClient().post(request.args.get(...))
+    - pattern: httpx.AsyncClient().post(request.form.get(...))
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A10:2021 - Server-Side Request Forgery"
+
+# ZM-PY-SSRF-04: aiohttp.ClientSession().get() 参数来自 request
+- id: zm-py-ssrf-004
+  severity: ERROR
+  message: |
+    检测到 aiohttp.ClientSession().get/post 的 URL 参数来自 HTTP 请求。
+    异步 HTTP 客户端同样存在 SSRF 风险。
+    修复: 对用户输入 URL 做严格白名单校验；禁止访问内网地址段。
+  languages:
+    - python
+  pattern-either:
+    - pattern: aiohttp.ClientSession().get(request.args.get(...))
+    - pattern: aiohttp.ClientSession().get(request.form.get(...))
+    - pattern: aiohttp.ClientSession().post(request.args.get(...))
+    - pattern: aiohttp.ClientSession().post(request.form.get(...))
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A10:2021 - Server-Side Request Forgery"

package/rules/unified/cwe-918/zm-taint-918-918-java-078.yaml

@@ -0,0 +1,45 @@
+# Source: taint | Cluster: CL-918-JAVA-078
+# Taint-upgraded rule: zhuma-nvd-918-918-java-078
+# Original CWE: CWE-918 | Language: java
+# Auto-generated by L1 Taint Migration
+
+rules:
+- id: zhuma-taint-918-918-java-078
+  mode: taint
+  metadata:
+    category: CWE-918
+    cwe: "CWE-918"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-918-918-java-078
+
+  message: |
+    检测到SSRF风险。请求URL参数可能来自用户输入，可被利用访问内部服务。
+
+  severity: WARNING
+  languages:
+    - java
+
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: request.getParameter(...)
+      - pattern: "@RequestParam $T $X"
+
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: new URL(...).openConnection()
+      - pattern: HttpURLConnection
+      - pattern: new URL(...)
+  pattern-sanitizers:
+  - patterns:
+    - pattern-either:
+      - pattern: URI.create
+      - pattern: URLValidator

package/rules/unified/cwe-918/zm-taint-918-918-java-079.yaml

@@ -0,0 +1,45 @@
+# Source: taint | Cluster: CL-918-JAVA-079
+# Taint-upgraded rule: zhuma-nvd-918-918-java-079
+# Original CWE: CWE-918 | Language: java
+# Auto-generated by L1 Taint Migration
+
+rules:
+- id: zhuma-taint-918-918-java-079
+  mode: taint
+  metadata:
+    category: CWE-918
+    cwe: "CWE-918"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-918-918-java-079
+
+  message: |
+    检测到SSRF风险。请求URL参数可能来自用户输入，可被利用访问内部服务。
+
+  severity: WARNING
+  languages:
+    - java
+
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: request.getParameter(...)
+      - pattern: "@RequestParam $T $X"
+
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: new URL(...).openConnection()
+      - pattern: HttpURLConnection
+      - pattern: new URL(...)
+  pattern-sanitizers:
+  - patterns:
+    - pattern-either:
+      - pattern: URI.create
+      - pattern: URLValidator

package/rules/unified/cwe-918/zm-taint-918-918-python-085.yaml

@@ -0,0 +1,46 @@
+# Source: taint | Cluster: CL-918-PYTHON-085
+# Taint-upgraded rule: zhuma-nvd-918-918-python-085
+# Original CWE: CWE-918 | Language: python
+# Auto-generated by L1 Taint Migration
+
+rules:
+- id: zhuma-taint-918-918-python-085
+  mode: taint
+  metadata:
+    category: CWE-918
+    cwe: "CWE-918"
+    confidence: MEDIUM
+    source: nvd+wooyun+taint_migration
+    upgraded_from: zhuma-nvd-918-918-python-085
+
+  message: |
+    检测到SSRF风险。请求URL参数可能来自用户输入，可被利用访问内部服务。
+
+  severity: WARNING
+  languages:
+    - python
+
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/vendor/**"
+      - "**/node_modules/**"
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: request.args.get(...)
+      - pattern: request.form[...]
+
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: requests.get(...)
+      - pattern: requests.post(...)
+      - pattern: urllib.request.urlopen(...)
+      - pattern: httpx.get(...)
+  pattern-sanitizers:
+  - patterns:
+    - pattern-either:
+      - pattern: urlparse
+      - pattern: validators.url

package/rules/unified/cwe-94/cwe-94-code-injection.yaml

@@ -0,0 +1,60 @@
+# Source: common | Cluster: N/A
+# CWE-94: 代码注入检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+
+rules:
+
+# ZM-JAVA-CI-001: ScriptEngine.eval 用户输入
+- id: zm-java-ci-001
+  severity: CRITICAL
+  message: |
+    检测到 ScriptEngine.eval() 可能执行用户可控的脚本代码。
+    攻击者可注入恶意脚本实现任意代码执行。
+    避免使用动态脚本执行；如必须使用，需严格白名单校验输入内容。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $ENGINE.eval($SCRIPT);
+    - pattern: |
+        $ENGINE.eval($SCRIPT + $PARAM);
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    owasp: "A03:2021 - Injection"
+    precision: high
+
+# ZM-JAVA-CI-002: GroovyShell 动态执行
+- id: zm-java-ci-002
+  severity: CRITICAL
+  message: |
+    检测到 GroovyShell 可能执行用户可控的脚本代码。
+    GroovyShell 不应接收外部输入；应使用 SafeGroovyMethods 或禁用 import 等特性。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new GroovyShell().evaluate($SCRIPT);
+    - pattern: |
+        new GroovyShell().parse($SCRIPT);
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    owasp: "A03:2021 - Injection"
+    precision: high
+
+# ZM-JAVA-CI-003: Runtime.exec 编译执行 (命令注入也可归为此类)
+- id: zm-java-ci-003
+  severity: MEDIUM
+  message: |
+    检测到 Class.forName 动态加载类，可能被利用进行代码注入。
+    动态类加载应使用白名单限制可加载的类型。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        Class.forName($NAME).newInstance();
+    - pattern: |
+        Class.forName($NAME);
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    owasp: "A03:2021 - Injection"
+    precision: low

package/rules/unified/cwe-94/zm-java-cwe94-ognl.yaml

@@ -0,0 +1,67 @@
+# Source: common | Cluster: N/A
+# CWE-94: OGNL 表达式注入检测
+# 逐码 ZhuMa V4.1
+
+rules:
+
+- id: zm-java-ognl-001
+  severity: ERROR
+  message: |
+    Ognl.parseExpression() 参数由 HTTP 请求参数传入，可导致 OGNL 注入 RCE。
+    修复: 1.禁止用户输入传入OGNL 2.Struts2参数白名单拦截器 3.启用strict-method-invocation
+    参考: CVE-2017-5638 (S2-045), CVE-2018-11776 (S2-057)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        Ognl.parseExpression($REQ.getParameter($PARAM))
+    - pattern: |
+        Ognl.parseExpression($REQ.getHeader($PARAM))
+  metadata:
+    cwe: "CWE-94"
+    severity: ERROR
+    precision: high
+    category: code-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+- id: zm-java-ognl-002
+  severity: ERROR
+  message: |
+    Ognl.getValue() 表达式参数可能由用户输入构造，可导致任意代码执行。
+    修复: 1.禁止用户输入直接作为OGNL表达式 2.OgnlContext安全配置 3.替换为安全模板引擎
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        Ognl.getValue($REQ.getParameter($PARAM), ...)
+  metadata:
+    cwe: "CWE-94"
+    severity: ERROR
+    precision: medium
+    category: code-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+- id: zm-java-ognl-003
+  severity: HIGH
+  message: |
+    Ognl.parseExpression() 参数由变量拼接，若变量用户可控可导致OGNL注入RCE。
+    修复: 1.追踪变量来源 2.白名单表达式映射 3.严格校验表达式内容
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        Ognl.parseExpression($EXPR + $Y)
+    - pattern: |
+        Ognl.parseExpression($EXPR)
+  metadata:
+    cwe: "CWE-94"
+    severity: HIGH
+    precision: low
+    category: code-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/unified/cwe-94/zm-java-cwe94-spel-injection.yaml

@@ -0,0 +1,86 @@
+# Source: common | Cluster: N/A
+# CWE-94: SpEL Injection — deeper Spring expression variants
+# ZhuMa V4.1 — complement zm-java-cwe94-spel.yaml
+
+rules:
+
+# ZM-JAVA-SPEL-DEEP-001: EvaluationContext.setVariable() + user input
+- id: zm-java-spel-deep-001
+  severity: ERROR
+  message: |
+    EvaluationContext.setVariable() receives user-supplied value which is then evaluated via getValue().
+    Even with SimpleEvaluationContext, attacker-controlled SpEL expressions can cause DoS or unexpected behavior.
+    Fix: sanitize variable values; never pass raw user input as variable value to SpEL evaluation.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $CTX.setVariable($NAME, $REQ.getParameter(...));
+        ...
+        $PARSER.parseExpression($EXPR).getValue($CTX);
+    - pattern: |
+        $CTX.setVariable($NAME, $REQ.getHeader(...));
+        ...
+        $PARSER.parseExpression($EXPR).getValue($CTX);
+    - pattern: |
+        $PARSER.parseExpression($EXPR).setVariable($NAME, $REQ.getParameter(...)).getValue();
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: ERROR
+    precision: medium
+    category: code-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-JAVA-SPEL-DEEP-002: ExpressionParser with TemplateParserContext (template mode)
+- id: zm-java-spel-deep-002
+  severity: HIGH
+  message: |
+    SpEL expression with TemplateParserContext (mixed template+expression) uses user input.
+    Attackers can embed #{T(java.lang.Runtime).exec("cmd")} inside template strings.
+    Fix: disable template mode for user input; use fixed template strings only.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $PARSER.parseExpression($REQ.getParameter(...), new TemplateParserContext())
+    - pattern: |
+        $PARSER.parseExpression($REQ.getParameter(...), new TemplateParserContext()).getValue()
+    - pattern: |
+        $PARSER.parseExpression($REQ.getHeader(...), new TemplateParserContext())
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: HIGH
+    precision: high
+    category: code-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-JAVA-SPEL-DEEP-003: SpEL expression from request body or attribute
+- id: zm-java-spel-deep-003
+  severity: ERROR
+  message: |
+    SpelExpressionParser.parseExpression() with request body/attribute — attacker injects SpEL via JSON/XML body.
+    This is the Spring Cloud Function SpEL injection pattern (CVE-2022-22963).
+    Fix: never evaluate SpEL expressions from HTTP request body; use SimpleEvaluationContext if needed.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new SpelExpressionParser().parseExpression($REQ.getReader().readLine()).getValue()
+    - pattern: |
+        new SpelExpressionParser().parseExpression($REQ.getInputStream()).getValue()
+    - pattern: |
+        new SpelExpressionParser().parseExpression($REQ.getParameter(...)).getValue($CTX)
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: ERROR
+    precision: high
+    category: code-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-22963"

package/rules/unified/cwe-94/zm-java-cwe94-spel.yaml

@@ -0,0 +1,113 @@
+# Source: common | Cluster: N/A
+# CWE-94: Spring Expression Language (SpEL) 表达式注入检测
+# 逐码 ZhuMa V4.1 — 通用规则库
+# 检测: SpelExpressionParser.parseExpression() 且参数来自 HTTP request
+
+rules:
+
+# ZM-JAVA-SPEL-001: SpEL parseExpression() 用户可控
+- id: zm-java-spel-001
+  severity: ERROR
+  message: |
+    检测到 SpelExpressionParser.parseExpression() 的参数可能来自 HTTP 请求（用户可控）。
+    SpEL 表达式可调用任意 Java 方法、访问系统属性、执行命令。
+    攻击者可通过注入 SpEL 表达式实现远程代码执行（RCE）。
+    修复方案:
+    1. 禁止将用户输入直接传入 parseExpression()
+    2. 使用 SimpleEvaluationContext 替代 StandardEvaluationContext（限制表达式能力）
+    3. 对用户输入使用白名单校验或预定义表达式映射
+    4. 使用非表达式逻辑实现业务需求
+    参考: CVE-2022-22963 (Spring Cloud Function SpEL RCE)
+  languages:
+    - java
+  patterns:
+    - pattern-either:
+        - pattern: |
+            new SpelExpressionParser().parseExpression($REQ.getParameter(...));
+        - pattern: |
+            new SpelExpressionParser().parseExpression($REQ.getHeader(...));
+        - pattern: |
+            new SpelExpressionParser().parseExpression($REQ.getParameter(...)).getValue(...);
+        - pattern: |
+            new SpelExpressionParser().parseExpression($REQ.getHeader(...)).getValue(...);
+    - pattern: |
+        import org.springframework.expression.spel.standard.SpelExpressionParser;
+        ...
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: ERROR
+    precision: high
+    category: code-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-22963"
+      - "https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/expression/spel/standard/SpelExpressionParser.html"
+
+# ZM-JAVA-SPEL-002: SpEL parseExpression() 拼接变量 (可疑)
+- id: zm-java-spel-002
+  severity: ERROR
+  message: |
+    检测到 SpelExpressionParser.parseExpression() 的参数可能由变量拼接构成。
+    若该变量来自 HTTP 请求参数，攻击者可注入 SpEL 表达式实现 RCE。
+    修复方案:
+    1. 确认变量来源是否为用户可控，若来自 request 则必须立即修复
+    2. 使用 SimpleEvaluationContext + 白名单限制表达式能力
+    3. 对表达式内容做严格的正则/白名单过滤
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new SpelExpressionParser().parseExpression($EXPR);
+        ...
+        $EXPR = $REQ.getParameter(...);
+        ...
+    - pattern: |
+        $EXPR = $REQ.getParameter(...);
+        ...
+        new SpelExpressionParser().parseExpression($EXPR);
+        ...
+    - pattern: |
+        $EXPR = $REQ.getHeader(...);
+        ...
+        new SpelExpressionParser().parseExpression($EXPR);
+        ...
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: ERROR
+    precision: medium
+    category: code-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-JAVA-SPEL-003: ExpressionParser.parseExpression() 通用匹配
+- id: zm-java-spel-003
+  severity: HIGH
+  message: |
+    检测到 ExpressionParser.parseExpression() 调用，参数可能是用户可控的 HTTP 参数。
+    SpEL 表达式注入可导致任意代码执行。
+    修复方案:
+    1. 禁止将用户输入传入表达式解析器
+    2. 使用 SimpleEvaluationContext 替代默认上下文
+    3. 对输入进行白名单校验
+  languages:
+    - java
+  patterns:
+    - pattern-either:
+        - pattern: |
+            $PARSER.parseExpression($REQ.getParameter(...))
+        - pattern: |
+            $PARSER.parseExpression($REQ.getHeader(...))
+    - pattern-inside: |
+        import org.springframework.expression.ExpressionParser;
+        ...
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: HIGH
+    precision: high
+    category: code-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"