npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/unified/cwe-94/zm-java-cwe94-ssti.yaml ADDED Viewed

@@ -0,0 +1,23 @@
+# Source: common | Cluster: N/A
+# CWE-94: Java SSTI 模板注入检测
+rules:
+- id: zm-java-ssti-01
+  severity: ERROR
+  message: Thymeleaf processTemplate() 参数用户可控，可导致服务端模板注入(SSTI) RCE。
+  languages: [java]
+  pattern: $CTX.processTemplate($REQ.getParameter($PARAM), ...)
+  metadata: { cwe: "CWE-94", precision: high, category: code-injection, owasp: "A03:2021 - Injection" }
+- id: zm-java-ssti-02
+  severity: ERROR
+  message: FreeMarker Template.process() 参数来自用户输入，可导致SSTI RCE。
+  languages: [java]
+  pattern: $TEMPLATE.process($REQ.getParameter($PARAM), ...)
+  metadata: { cwe: "CWE-94", precision: high, category: code-injection, owasp: "A03:2021 - Injection" }
+- id: zm-java-ssti-03
+  severity: ERROR
+  message: Velocity evaluate() 用户输入可导致SSTI RCE。
+  languages: [java]
+  pattern: Velocity.evaluate($CTX, $WRITER, $LOG, $REQ.getParameter($PARAM))
+  metadata: { cwe: "CWE-94", precision: high, category: code-injection, owasp: "A03:2021 - Injection" }

package/rules/unified/cwe-94/zm-java-cwe94-value-spel.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+# Source: common | Cluster: N/A
+# CWE-94: Spring SpEL @Value/#{} 表达式注入
+# 逐码 ZhuMa V4.3 — Spring SpEL 框架特化规则
+rules:
+# ZM-JAVA-CWE94-VALUE-001: @Value 注解使用 #{} SpEL 含外部输入
+- id: zm-java-cwe94-value-001
+  severity: ERROR
+  message: |
+    @Value 注解使用 SpEL 表达式 (#{...}) 且引用了来自 HTTP 请求头的值，
+    攻击者可通过注入恶意 SpEL 表达式执行任意代码。
+    修复: 禁止在 @Value 中使用 #{} 表达式引用用户可控输入，使用 programmatic 方式读取配置。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @Value("#{...")
+        private $TYPE $FIELD;
+    - pattern: |
+        @Value("#{${...}}")
+        private $TYPE $FIELD;
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+    severity: ERROR
+    precision: medium
+    category: code-injection
+    owasp: "A03:2021 - Injection"
+    likelihood: HIGH
+    impact: CRITICAL
+    references:
+      - "https://docs.spring.io/spring-framework/reference/core/expressions.html"
+# ZM-JAVA-CWE94-VALUE-002: @Value SystemProperties 引用
+- id: zm-java-cwe94-value-002
+  severity: WARNING
+  message: |
+    @Value 使用 SpEL 引用 SystemProperties (#{systemProperties...})，
+    可能执行命令或获取敏感系统属性。若表达式外部可控，存在 RCE 风险。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @Value("#{systemProperties[...]}")
+    - pattern: |
+        @Value("#{systemEnvironment[...]}")
+    - pattern: |
+        @Value("#{T(java.lang.Runtime).getRuntime().exec(...)}")
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+    severity: WARNING
+    precision: very-high
+    category: code-injection
+    owasp: "A03:2021 - Injection"
+    likelihood: MEDIUM
+    impact: CRITICAL

package/rules/unified/cwe-94/zm-java-expression-cwe94-001.yaml ADDED Viewed

@@ -0,0 +1,111 @@
+# Source: common | Cluster: N/A
+# CWE-94: 表达式注入深入 — MVEL/OGNL 深度变体
+# ZhuMa V4.1 — Expression Language Injection 全覆盖
+# 覆盖: MVEL.executeExpression / OgnlContext安全配置 / BeanShell Interpreter
+rules:
+# ZM-JAVA-MVEL-001: MVEL表达式执行用户输入
+- id: zm-java-mvel-001
+  severity: CRITICAL
+  message: |
+    MVEL.executeExpression() / MVEL.eval() 将HTTP请求参数作为MVEL表达式执行 — RCE。
+    MVEL是强大的脚本引擎，允许调用Java方法、创建对象、执行系统命令。
+    CVE-2023-22474: Parse Server MVEL模板注入导致RCE。
+    修复: 1) 禁止用户输入传入MVEL 2) 使用沙箱化MVELContext 3) 替换为安全模板引擎
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        MVEL.executeExpression(MVEL.compileExpression($REQ.getParameter(...)))
+    - pattern: |
+        MVEL.eval($REQ.getParameter(...), $CTX)
+    - pattern: |
+        MVEL.eval($REQ.getParameter(...))
+    - pattern: |
+        MVEL.compileExpression($REQ.getParameter(...))
+    - pattern: |
+        MVEL.executeExpression($COMPILED, $REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+    severity: CRITICAL
+    precision: high
+    category: code-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-22474"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-22965"
+      - "https://cwe.mitre.org/data/definitions/94.html"
+# ZM-JAVA-OGNL-CTX-001: OgnlContext安全配置缺陷
+- id: zm-java-ognl-ctx-001
+  severity: ERROR
+  message: |
+    OgnlContext未配置安全限制或MemberAccess为非严格模式 — OGNL表达式可调用任意方法和类。
+    不安全的OgnlContext允许表达式访问Class.forName、Runtime.exec等危险API。
+    CVE-2021-31805: Struts2 S2-061 OGNL注入RCE(利用不安全MemberAccess);
+    CVE-2020-17530: Struts2 S2-060 forced OGNL evaluation.
+    修复: 1) 设置 DefaultMemberAccess(false) 2) 使用 OgnlRuntime.setSecurityManager()
+    3) 禁止表达式调用静态方法 OgnlRuntime.setAllowStaticMethodAccess(false)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $CTX = new OgnlContext($MAP, $MAP, new DefaultMemberAccess(true))
+    - pattern: |
+        $CTX.setMemberAccess(new DefaultMemberAccess(true))
+    - pattern: |
+        OgnlRuntime.setAllowStaticMethodAccess(true)
+    - pattern: |
+        OgnlRuntime.setSecurityManager(null)
+    - pattern: |
+        $CTX = new OgnlContext(null, null, new DefaultMemberAccess(true))
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+    severity: ERROR
+    precision: high
+    category: code-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-31805"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-17530"
+      - "https://cwiki.apache.org/confluence/display/WW/S2-061"
+# ZM-JAVA-BEANSHELL-001: BeanShell Interpreter.eval() 用户代码执行
+- id: zm-java-beanshell-001
+  severity: CRITICAL
+  message: |
+    BeanShell Interpreter.eval() 接收HTTP请求参数作为Java代码执行 — RCE。
+    BeanShell是完整Java解释器，可创建对象、调用方法、访问文件系统和网络。
+    CVE-2021-43859: 类似脚本引擎注入模式; CVE-2012-5370: BeanShell未授权代码执行。
+    修复: 1) 禁止用户输入传入Interpreter.eval() 2) 使用 bsh.NameSpace 隔离执行环境
+    3) 替换为有限表达式解析器(如Apache Commons JEXL with strict mode)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new Interpreter().eval($REQ.getParameter(...))
+    - pattern: |
+        $I.eval($REQ.getParameter(...))
+    - pattern: |
+        new Interpreter().source($REQ.getInputStream())
+    - pattern: |
+        $I.set($NAME, $REQ.getParameter(...));
+        ...
+        $I.eval($SCRIPT);
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+    severity: CRITICAL
+    precision: high
+    category: code-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2012-5370"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-43859"
+      - "https://cwe.mitre.org/data/definitions/94.html"

package/rules/unified/cwe-94/zm-js-cwe94-template-injection.yaml ADDED Viewed

@@ -0,0 +1,131 @@
+# Source: common | Cluster: N/A
+# CWE-94: Node.js 服务端模板注入 (SSTI) 深度检测
+# 逐码 ZhuMa V4.1 Sprint — JS/TS 规则库
+# 覆盖: EJS / Vue SSR / Pug / Handlebars / doT 模板引擎 + 用户输入渲染
+rules:
+# ZM-JS-SSTI-001: EJS render/renderFile 用户输入直接传入模板数据
+- id: zm-js-ssti-001
+  severity: ERROR
+  message: |
+    检测到 EJS 模板渲染函数(ejs.render / ejs.renderFile)的模板字符串或数据参数由用户输入控制。
+    攻击者可注入 <% process.exit() %>/<%= 7*7 %>/<% require('child_process').exec('cmd') %> 等EJS标签，
+    导致远程代码执行(RCE)。
+    修复:
+    1. 禁止用户输入直接作为模板字符串传入渲染函数
+    2. 使用固定的模板文件和严格的白名单变量
+    3. 开启EJS delimiter 严格模式，限制标签类型
+    4. 使用沙箱环境渲染用户内容(如 vm2/isolated-vm)
+    5. 评估是否需要用模板引擎处理用户数据——大多数场景不需要
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: ejs.render($REQ.query.$PARAM, ...)
+    - pattern: ejs.render($REQ.params.$PARAM, ...)
+    - pattern: ejs.render($REQ.body.$PARAM, ...)
+    - pattern: ejs.render($REQ.body, ...)
+    - pattern: ejs.renderFile($REQ.query.$PARAM, ...)
+    - pattern: ejs.renderFile($REQ.params.$PARAM, ...)
+    - pattern: ejs.renderFile($REQ.body.$PARAM, ...)
+    - pattern: ejs.compile($REQ.query.$PARAM, ...)
+    - pattern: ejs.compile($REQ.params.$PARAM, ...)
+    - pattern: ejs.compile($REQ.body.$PARAM, ...)
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    owasp: "A03:2021 - Injection"
+    category: ssti
+    precision: high
+    confidence: high
+    references:
+      - "https://ejs.co/#docs"
+      - "https://portswigger.net/web-security/server-side-template-injection"
+# ZM-JS-SSTI-002: Pug / Handlebars / Nunjucks 用户输入模板渲染
+- id: zm-js-ssti-002
+  severity: ERROR
+  message: |
+    检测到 Pug / Handlebars / Nunjucks 模板引擎的 compile/render 函数接收用户可控的模板字符串。
+    各引擎支持自定义helper/函数调用，攻击者可注入恶意代码。
+    Pug: #{process.exit()} / each val in process.mainModule.require('child_process')
+    Handlebars: {{constructor.constructor('return process')()}}
+    Nunjucks: {{range.constructor('return process')().mainModule.require('child_process')}}
+    修复:
+    1. 禁止用户输入作为模板内容或模板路径
+    2. 禁用危险的 helper/过滤器注册
+    3. 对用户数据仅作为模板变量(非模板本身)传入
+    4. 使用沙箱环境
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    # Pug
+    - pattern: pug.compile($REQ.query.$PARAM, ...)
+    - pattern: pug.compile($REQ.params.$PARAM, ...)
+    - pattern: pug.compile($REQ.body.$PARAM, ...)
+    - pattern: pug.render($REQ.query.$PARAM, ...)
+    - pattern: pug.render($REQ.params.$PARAM, ...)
+    - pattern: pug.render($REQ.body.$PARAM, ...)
+    # Handlebars
+    - pattern: Handlebars.compile($REQ.query.$PARAM, ...)
+    - pattern: Handlebars.compile($REQ.params.$PARAM, ...)
+    - pattern: Handlebars.compile($REQ.body.$PARAM, ...)
+    # Nunjucks
+    - pattern: nunjucks.renderString($REQ.query.$PARAM, ...)
+    - pattern: nunjucks.renderString($REQ.params.$PARAM, ...)
+    - pattern: nunjucks.renderString($REQ.body.$PARAM, ...)
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    owasp: "A03:2021 - Injection"
+    category: ssti
+    precision: high
+    confidence: high
+    references:
+      - "https://portswigger.net/web-security/server-side-template-injection"
+# ZM-JS-SSTI-003: doT.js / lodash.template / mustache 模板注入
+- id: zm-js-ssti-003
+  severity: ERROR
+  message: |
+    检测到 doT.js / lodash.template / mustache 等轻量模板引擎的模板字符串由用户输入控制。
+    lodash.template 底层使用 Function() 构造函数，直接传入用户输入可导致任意代码执行。
+    doT.js 的 {{ }} 标签可执行 JavaScript 表达式。
+    mustache 虽相对安全(无逻辑标签)，但仍可能被利用做信息泄露。
+    修复:
+    1. 禁止用户输入作为模板字符串
+    2. 使用固定的预定义模板
+    3. 如需动态模板，仅允许安全的占位符替换(如简单的 String.replace)
+    4. 模板引擎仅用于开发阶段，生产环境避免动态编译
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: _.template($REQ.query.$PARAM, ...)
+    - pattern: _.template($REQ.params.$PARAM, ...)
+    - pattern: _.template($REQ.body.$PARAM, ...)
+    - pattern: lodash.template($REQ.query.$PARAM, ...)
+    - pattern: lodash.template($REQ.params.$PARAM, ...)
+    - pattern: dot.template($REQ.query.$PARAM, ...)
+    - pattern: dot.template($REQ.params.$PARAM, ...)
+    - pattern: dot.template($REQ.body.$PARAM, ...)
+    - pattern: Mustache.render($REQ.query.$PARAM, ...)
+    - pattern: Mustache.render($REQ.params.$PARAM, ...)
+    - pattern: Mustache.render($REQ.body.$PARAM, ...)
+    - pattern: mustache.render($REQ.query.$PARAM, ...)
+    - pattern: mustache.render($REQ.params.$PARAM, ...)
+    - pattern: mustache.render($REQ.body.$PARAM, ...)
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    owasp: "A03:2021 - Injection"
+    category: ssti
+    precision: high
+    confidence: high
+    references:
+      - "https://lodash.com/docs/#template"
+      - "https://portswigger.net/web-security/server-side-template-injection"

package/rules/unified/cwe-94/zm-php-cwe94-code-injection.yaml ADDED Viewed

@@ -0,0 +1,129 @@
+# Source: common | Cluster: N/A
+# CWE-94: PHP 代码注入检测
+# 逐码 ZhuMa V4.3 — PHP 通用规则库
+# 检测: eval/assert/preg_replace /e 修饰符/create_function 含用户输入
+rules:
+# ZM-PHP-CODE-001: eval() 参数来自 $_GET/$_POST
+- id: zm-php-cwe94-code-injection-001
+  severity: CRITICAL
+  message: |
+    检测到 eval() 参数来自 $_GET/$_POST/$_REQUEST/$_COOKIE 等 HTTP 输入。
+    eval() 将字符串作为 PHP 代码执行，用户可控参数导致直接代码注入，
+    攻击者可执行任意 PHP 代码，完全控制服务器。
+    修复方案:
+    1. **绝对禁止**将用户输入传入 eval()
+    2. 使用 call_user_func() 或匿名函数替代动态代码执行
+    3. 若需动态调用方法，使用白名单映射:
+       $allowed = ['methodA' => [$obj, 'methodA']];
+       call_user_func($allowed[$input]);
+    4. 移除所有 eval() 调用，这是最高风险函数
+  languages:
+    - php
+  pattern-either:
+    - pattern: eval($_GET[$X])
+    - pattern: eval($_POST[$X])
+    - pattern: eval($_REQUEST[$X])
+    - pattern: eval($_COOKIE[$X])
+    - pattern: eval("..." . $_GET[$X])
+    - pattern: eval("..." . $_POST[$X])
+    - pattern: eval("..." . $_REQUEST[$X])
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: CRITICAL
+    precision: high
+    category: code-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://www.php.net/manual/en/function.eval.php"
+# ZM-PHP-CODE-002: assert() 参数来自用户输入
+- id: zm-php-cwe94-code-injection-002
+  severity: CRITICAL
+  message: |
+    检测到 assert() 参数来自 $_GET/$_POST 等 HTTP 输入。
+    在 PHP 5 中 assert() 接受字符串参数并作为 PHP 代码执行（类似 eval）。
+    PHP 7 中 assert() 改为语言结构不再执行代码，但遗留代码中仍存在风险。
+    修复方案:
+    1. 移除所有 assert() 调用
+    2. 使用 if 语句 + 异常替代 assert 进行断言检查
+    3. 生产环境禁用 assert: zend.assertions = 0 (php.ini)
+  languages:
+    - php
+  pattern-either:
+    - pattern: assert($_GET[$X])
+    - pattern: assert($_POST[$X])
+    - pattern: assert($_REQUEST[$X])
+    - pattern: assert("..." . $_GET[$X])
+    - pattern: assert("..." . $_POST[$X])
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: CRITICAL
+    precision: high
+    category: code-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+# ZM-PHP-CODE-003: preg_replace /e 修饰符 — 代码执行
+- id: zm-php-cwe94-code-injection-003
+  severity: CRITICAL
+  message: |
+    检测到 preg_replace() 使用 /e 修饰符且替换部分来自用户输入。
+    /e 修饰符（PHP 4/5）将替换字符串作为 PHP 代码执行，已自 PHP 5.5 起废弃、PHP 7 中移除。
+    但遗留代码中仍可能发现此模式。
+    修复方案:
+    1. 使用 preg_replace_callback() 替代 preg_replace /e
+       preg_replace_callback($pattern, function($m) { return safeTransform($m[1]); }, $subject);
+    2. 升级至 PHP 7+（/e 已移除，代码会直接报错）
+  languages:
+    - php
+  pattern-either:
+    - pattern: preg_replace($PATTERN, $_GET[$X], ...)
+    - pattern: preg_replace($PATTERN, $_POST[$X], ...)
+    - pattern: preg_replace($PATTERN, $_REQUEST[$X], ...)
+    - pattern: preg_replace($PATTERN, "..." . $_GET[$X], ...)
+    - pattern: preg_replace($PATTERN, "..." . $_POST[$X], ...)
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: CRITICAL
+    precision: HIGH
+    category: code-injection
+    likelihood: LOW
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+# ZM-PHP-CODE-004: create_function() 含用户输入
+- id: zm-php-cwe94-code-injection-004
+  severity: CRITICAL
+  message: |
+    检测到 create_function() 参数来自 $_GET/$_POST 等 HTTP 输入。
+    create_function() 内部使用 eval() 创建匿名函数，自 PHP 7.2 起废弃。
+    用户输入可注入任意代码。
+    修复方案:
+    1. 使用匿名函数替代 create_function:
+       $func = function($arg) use ($safeVar) { return $safeVar . $arg; };
+    2. 绝对禁止用户输入进入函数体参数
+  languages:
+    - php
+  pattern-either:
+    - pattern: create_function($ARGS, $_GET[$X])
+    - pattern: create_function($ARGS, $_POST[$X])
+    - pattern: create_function($ARGS, $_REQUEST[$X])
+    - pattern: create_function($ARGS, "..." . $_GET[$X])
+    - pattern: create_function($ARGS, "..." . $_POST[$X])
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: CRITICAL
+    precision: high
+    category: code-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/unified/cwe-94/zm-py-cwe94-ssti.yaml ADDED Viewed

@@ -0,0 +1,88 @@
+# Source: common | Cluster: N/A
+# CWE-94: Flask/Jinja2 Server-Side Template Injection (SSTI) 检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: render_template_string / jinja2.Template 用户输入注入点
+rules:
+# ZM-PY-SSTI-01: render_template_string() 参数来自 request
+- id: zm-py-ssti-001
+  severity: ERROR
+  message: |
+    检测到 render_template_string() 参数来自 HTTP 请求。
+    攻击者可注入 Jinja2 模板语法 {{config}} {{''.__class__.__mro__[2].__subclasses__()}}
+    读取敏感配置或实现 RCE。
+    修复: 禁止将用户输入传入 render_template_string()；使用 render_template() + 模板文件。
+  languages:
+    - python
+  pattern-either:
+    - pattern: flask.render_template_string(request.args.get(...))
+    - pattern: flask.render_template_string(request.form.get(...))
+    - pattern: flask.render_template_string(request.values.get(...))
+    - pattern: render_template_string(request.args.get(...))
+    - pattern: render_template_string(request.form.get(...))
+    - pattern: render_template_string(request.values.get(...))
+    - pattern: render_template_string(request.data)
+    - pattern: render_template_string(request.get_json().get(...))
+    - pattern: render_template_string(request.json.get(...))
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: ERROR
+    precision: high
+    category: ssti
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+# ZM-PY-SSTI-02: jinja2.Template() 用户输入直接作为模板
+- id: zm-py-ssti-002
+  severity: ERROR
+  message: |
+    检测到 jinja2.Template() 直接使用用户输入作为模板字符串。
+    攻击者可嵌入 SSTI payload 实现任意代码执行。
+    修复: 不要将用户输入作为模板字符串；使用预定义模板文件 + 变量绑定。
+  languages:
+    - python
+  pattern-either:
+    - pattern: jinja2.Template(request.args.get(...)).render()
+    - pattern: jinja2.Template(request.form.get(...)).render()
+    - pattern: jinja2.Template(request.values.get(...)).render()
+    - pattern: Template(request.args.get(...)).render()
+    - pattern: Template(request.form.get(...)).render()
+    - pattern: Template(request.values.get(...)).render()
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: ERROR
+    precision: high
+    category: ssti
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+# ZM-PY-SSTI-03: Markup() 包装用户输入（等效模板 |safe 过滤器）
+- id: zm-py-ssti-003
+  severity: WARNING
+  message: |
+    检测到 flask.Markup() / markupsafe.Markup() 包装用户输入，等效模板 |safe 过滤器。
+    绕过自动转义后，用户 HTML/JS 将直接渲染导致 XSS，若含 Jinja2 语法则升级为 SSTI。
+    修复: 移除 Markup() 包装使用默认自动转义。
+  languages:
+    - python
+  pattern-either:
+    - pattern: flask.Markup(request.args.get(...))
+    - pattern: flask.Markup(request.form.get(...))
+    - pattern: flask.Markup(request.values.get(...))
+    - pattern: markupsafe.Markup(request.args.get(...))
+    - pattern: markupsafe.Markup(request.form.get(...))
+    - pattern: markupsafe.Markup(request.values.get(...))
+    - pattern: Markup(request.args.get(...))
+    - pattern: Markup(request.form.get(...))
+    - pattern: Markup(request.values.get(...))
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: WARNING
+    precision: medium
+    category: ssti
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"

package/rules/unified/cwe-942/zm-java-cwe942-cors-wildcard.yaml ADDED Viewed

@@ -0,0 +1,63 @@
+# Source: common | Cluster: N/A
+# CWE-942: CORS 通配符 * Origin 检测
+# 逐码 ZhuMa V4.3 — CORS 安全专项
+rules:
+# ZM-JAVA-CWE942-CORS-001: CORS Access-Control-Allow-Origin: *
+- id: zm-java-cwe942-cors-001
+  severity: WARNING
+  message: |
+    Spring 配置中 CORS Access-Control-Allow-Origin 设置为通配符 *，
+    允许任何域跨域访问，允许攻击者通过恶意网站窃取用户凭证。
+    修复: 1. 指定明确的允许域名列表 allowedOrigins("https://example.com")
+    2. 使用 allowedOriginPatterns 替代 allowedOrigins 支持子域名
+    3. 配合 allowCredentials(true) 时必须指定具体 origin（不能使用 *）
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @CrossOrigin(origins = "*")
+    - pattern: |
+        @CrossOrigin("*")
+    - pattern: |
+        $CFG.allowedOrigins("*")
+    - pattern: |
+        $CORS.addAllowedOrigin("*")
+    - pattern: |
+        $REGISTRY.addMapping($PATH).allowedOrigins("*")
+    - pattern: |
+        $REGISTRY.addMapping($PATH).allowedOriginPatterns("*")
+  metadata:
+    cwe: "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"
+    severity: WARNING
+    precision: very-high
+    category: cors
+    owasp: "A01:2021 - Broken Access Control"
+    likelihood: HIGH
+    impact: MEDIUM
+    tags: [cors, spring-security, misconfiguration]
+# ZM-JAVA-CWE942-CORS-002: CORS allowCredentials(true) + Origin *
+- id: zm-java-cwe942-cors-002
+  severity: ERROR
+  message: |
+    CORS 同时配置 allowCredentials(true) 和 allowedOrigins("*")，
+    浏览器会直接拒绝此配置（W3C 规范不允许），且表明开发者对 CORS 理解有误。
+    修复: 移除通配符 *，指定具体的可信 origin 域名。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $REGISTRY.addMapping($PATH).allowedOrigins("*").allowCredentials(true)
+    - pattern: |
+        $REGISTRY.addMapping($PATH).allowCredentials(true).allowedOrigins("*")
+  metadata:
+    cwe: "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"
+    severity: ERROR
+    precision: very-high
+    category: cors
+    owasp: "A01:2021 - Broken Access Control"
+    likelihood: HIGH
+    impact: MEDIUM
+    tags: [cors, misconfiguration]

package/rules/unified/cwe-942/zm-java-cwe942-cors.yaml ADDED Viewed

@@ -0,0 +1,16 @@
+# Source: common | Cluster: N/A
+# CWE-942: Java CORS 通配符配置缺陷
+rules:
+- id: zm-java-cors-01
+  severity: INFO
+  message: '@CrossOrigin(origins="*") 允许任意域跨域访问，可能导致CSRF/数据泄露。'
+  languages: [java]
+  pattern: '@CrossOrigin(origins = "*")'
+  metadata: { cwe: "CWE-942", precision: very-high, category: config, owasp: "A05:2021 - Security Misconfiguration" }
+- id: zm-java-cors-02
+  severity: INFO
+  message: CorsConfiguration.addAllowedOrigin("*") 通配符允许任意域跨域。
+  languages: [java]
+  pattern: $CONFIG.addAllowedOrigin("*")
+  metadata: { cwe: "CWE-942", precision: very-high, category: config, owasp: "A05:2021" }

package/rules/unified/cwe-942/zm-js-cwe942-cors.yaml ADDED Viewed

@@ -0,0 +1,50 @@
+# Source: common | Cluster: N/A
+# CWE-942: CORS 配置缺陷检测规则
+# 逐码 ZhuMa V4.1 Sprint 1
+rules:
+- id: zm-js-cors-001
+  severity: INFO
+  message: |
+    CORS 中间件 origin 配置为 '*' 通配符，允许任意域跨域访问 API。
+    修复: 1.将origin设为白名单数组或校验函数 2.需要凭证时禁用通配符 3.尽量同域部署
+  languages:
+    - javascript
+    - typescript
+  patterns:
+    - pattern-either:
+        - pattern: 'cors({..., origin: "*", ...})'
+        - pattern: "cors({..., origin: '*', ...})"
+        - pattern: |
+            $APP.use(cors({..., origin: "*", ...}))
+        - pattern: |
+            $APP.use(cors({..., origin: '*', ...}))
+  metadata:
+    cwe: "CWE-942"
+    precision: very-high
+    category: config
+    owasp: "A05:2021 - Security Misconfiguration"
+- id: zm-js-cors-002
+  severity: INFO
+  message: |
+    手动设置 Access-Control-Allow-Origin 响应头为 '*' 通配符。
+    修复: 1.限制origin为受信域名列表 2.如必须使用通配符，确保接口不返回敏感数据
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        res.setHeader('Access-Control-Allow-Origin', '*')
+    - pattern: |
+        res.setHeader("Access-Control-Allow-Origin", "*")
+    - pattern: |
+        res.header("Access-Control-Allow-Origin", "*")
+    - pattern: |
+        res.header('Access-Control-Allow-Origin', '*')
+  metadata:
+    cwe: "CWE-942"
+    precision: very-high
+    category: config
+    owasp: "A05:2021 - Security Misconfiguration"