@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

package/rules/unified/cwe-98/zm-php-cwe98-file-include.yaml

@@ -0,0 +1,142 @@
+# Source: common | Cluster: N/A
+# CWE-98: PHP 文件包含 (LFI/RFI) 检测
+# 逐码 ZhuMa V4.3 — PHP 通用规则库
+# 检测: include/require/include_once/require_once 参数含用户输入变量
+
+rules:
+
+# ZM-PHP-FI-001: include 含 $_GET/$_POST 变量 — LFI
+- id: zm-php-cwe98-file-include-001
+  severity: CRITICAL
+  message: |
+    检测到 include() 参数包含 $_GET/$_POST/$_REQUEST/$_COOKIE 用户可控变量。
+    攻击者可通过路径穿越（../）包含任意本地文件造成 LFI，
+    严重时可配合文件上传/日志包含实现 RCE。
+
+    修复方案:
+    1. 禁止将用户输入直接传递给 include/require
+    2. 使用白名单机制: 将允许包含的文件路径写入数组，通过用户输入索引
+       $allowed = ['home' => '/path/home.php', 'about' => '/path/about.php'];
+       include($allowed[$_GET['page']] ?? 'default.php');
+    3. 使用 basename() 去除路径穿越字符
+    4. 禁用 allow_url_include (php.ini)
+    5. 参考 OWASP 文件包含防御指南
+  languages:
+    - php
+  pattern-either:
+    - pattern: include($_GET[$X])
+    - pattern: include($_POST[$X])
+    - pattern: include($_REQUEST[$X])
+    - pattern: include($_COOKIE[$X])
+    - pattern: include($PATH . $_GET[$X])
+    - pattern: include($PATH . $_POST[$X])
+    - pattern: include("..." . $_GET[$X])
+    - pattern: include("..." . $_POST[$X])
+    - pattern: include("..." . $_REQUEST[$X])
+  metadata:
+    cwe: "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion)"
+    severity: CRITICAL
+    precision: high
+    category: file-inclusion
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion"
+      - "https://www.php.net/manual/en/ini.core.php#ini.allow-url-include"
+
+# ZM-PHP-FI-002: require 含用户变量
+- id: zm-php-cwe98-file-include-002
+  severity: CRITICAL
+  message: |
+    检测到 require() 参数包含 $_GET/$_POST/$_REQUEST 用户可控变量。
+    require 与 include 的区别仅在于错误处理方式，安全风险相同。
+
+    修复方案:
+    使用白名单映射:
+      $pages = ['index' => 'pages/index.php', 'contact' => 'pages/contact.php'];
+      require($pages[$_GET['page']] ?? 'pages/404.php');
+  languages:
+    - php
+  pattern-either:
+    - pattern: require($_GET[$X])
+    - pattern: require($_POST[$X])
+    - pattern: require($_REQUEST[$X])
+    - pattern: require($_COOKIE[$X])
+    - pattern: require($PATH . $_GET[$X])
+    - pattern: require($PATH . $_POST[$X])
+    - pattern: require("..." . $_GET[$X])
+    - pattern: require("..." . $_POST[$X])
+  metadata:
+    cwe: "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion)"
+    severity: CRITICAL
+    precision: high
+    category: file-inclusion
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-PHP-FI-003: include_once/require_once 含用户变量
+- id: zm-php-cwe98-file-include-003
+  severity: CRITICAL
+  message: |
+    检测到 include_once()/require_once() 参数包含用户可控变量。
+    _once 变体同样存在 LFI/RFI 风险，不应放松警惕。
+
+    修复方案:
+    使用白名单索引 + 绝对路径:
+      $templates = ['header' => '/app/views/header.php', 'footer' => '/app/views/footer.php'];
+      include_once('/app/views/' . basename($templates[$_GET['tpl']]));
+  languages:
+    - php
+  pattern-either:
+    - pattern: include_once($_GET[$X])
+    - pattern: include_once($_POST[$X])
+    - pattern: include_once($_REQUEST[$X])
+    - pattern: include_once($PATH . $_GET[$X])
+    - pattern: include_once($PATH . $_POST[$X])
+    - pattern: require_once($_GET[$X])
+    - pattern: require_once($_POST[$X])
+    - pattern: require_once($_REQUEST[$X])
+    - pattern: require_once($PATH . $_GET[$X])
+    - pattern: require_once($PATH . $_POST[$X])
+  metadata:
+    cwe: "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion)"
+    severity: CRITICAL
+    precision: high
+    category: file-inclusion
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-PHP-FI-004: include 使用 $_GET 拼接 + .php 后缀 — 绕过检测
+- id: zm-php-cwe98-file-include-004
+  severity: CRITICAL
+  message: |
+    检测到 include() 参数为 $_GET/$_POST 变量拼接固定后缀（如 .php）。
+    虽然添加了后缀,但攻击者仍可通过 NULL 字节截断（PHP < 5.3.4）
+    或路径穿越 + 包装器绕过。
+
+    修复方案:
+    1. 使用白名单映射替代文件名拼接
+    2. 使用 realpath() 验证文件在允许目录内
+    3. PHP >= 5.3.4 已修复 NULL 字节截断，但 LFI 风险仍存在
+  languages:
+    - php
+  pattern-either:
+    - pattern: include($_GET[$X] . ".php")
+    - pattern: include($_POST[$X] . ".php")
+    - pattern: require($_GET[$X] . ".php")
+    - pattern: require($_POST[$X] . ".php")
+    - pattern: include_once($_GET[$X] . ".php")
+    - pattern: include_once($_POST[$X] . ".php")
+    - pattern: require_once($_GET[$X] . ".php")
+    - pattern: require_once($_POST[$X] . ".php")
+  metadata:
+    cwe: "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion)"
+    severity: CRITICAL
+    precision: high
+    category: file-inclusion
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/unified/cwe-unknown/zm-docker-security.yaml

@@ -0,0 +1,105 @@
+# Source: iac | Cluster: N/A
+# 逐码 ZhuMa IaC 规则 — Dockerfile 安全检测
+# V4.1 Sprint 3 起步 — 首批5条覆盖最常见的 Docker 镜像构建安全问题
+
+rules:
+  # ZM-IAC-DOCKER-001: FROM 使用 latest tag
+  - id: zm-iac-docker-latest-001
+    severity: LOW
+    message: |
+      FROM 使用 `latest` tag — 每次构建拉取不同镜像，不可重现。
+      使用语义化版本固定基础镜像标签，例如 `node:20-alpine` 而非 `node:latest`。
+    languages:
+      - dockerfile
+    pattern: |
+      FROM $IMAGE:latest
+    metadata:
+      cwe: "CWE-1104: Use of Unmaintained Third Party Components"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      precision: very-high
+      tags: [docker, supply-chain, reproducibility]
+
+  # ZM-IAC-DOCKER-002: RUN curl/wget 后未清理缓存
+  - id: zm-iac-docker-curl-cleanup-001
+    severity: LOW
+    message: |
+      `curl`/`wget` 拉取文件后未在同层 `RUN` 中删除临时文件 — 镜像膨胀且残留敏感信息。
+      合并为单条 `RUN curl ... && rm -f /tmp/... && apk del curl` 或使用 multi-stage 避免工具链残留。
+    languages:
+      - dockerfile
+    pattern-either:
+      - pattern: |
+          RUN $CURL ...
+      - pattern: |
+          RUN $WGET ...
+    metadata:
+      cwe: "CWE-1104: Use of Unmaintained Third Party Components"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      precision: low
+      tags: [docker, image-size, supply-chain]
+
+  # ZM-IAC-DOCKER-003: USER root (未降权)
+  - id: zm-iac-docker-root-001
+    severity: MEDIUM
+    message: |
+      容器以 `root` 身份运行 — 容器逃逸后拥有宿主机 root 权限。
+      Dockerfile 末尾添加 `USER 1000` 切换到非 root 用户，
+      或 Kubernetes PodSecurityContext 设置 `runAsNonRoot: true`。
+    languages:
+      - dockerfile
+    pattern: |
+      USER root
+    pattern-not: |
+      USER $NONROOT
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      owasp: "A05:2021 - Security Misconfiguration"
+      precision: very-high
+      tags: [docker, privilege-escalation, root]
+
+  # ZM-IAC-DOCKER-004: COPY --chown 缺失（COPY 的文件以 root 拥有）
+  - id: zm-iac-docker-chown-001
+    severity: LOW
+    message: |
+      `COPY` 未使用 `--chown` — 文件默认为 `root:root` 拥有，非 root 用户无法读取。
+      使用 `COPY --chown=1000:1000 src/ dest/` 将文件所有权授予非 root 用户。
+    languages:
+      - dockerfile
+    pattern: |
+      COPY $SRC $DEST
+    pattern-not: |
+      COPY --chown=$OWNER $SRC $DEST
+    metadata:
+      cwe: "CWE-732: Incorrect Permission Assignment for Critical Resource"
+      owasp: "A05:2021 - Security Misconfiguration"
+      precision: low
+      tags: [docker, file-permission]
+
+  # ZM-IAC-DOCKER-005: EXPOSE 敏感端口
+  - id: zm-iac-docker-sensitive-port-001
+    severity: HIGH
+    message: |
+      EXPOSE 暴露了数据库/管理/调试端口 — 端口 22(SSH)/2375(Docker)/3306(MySQL)/5432(PostgreSQL)/
+      6379(Redis)/27017(MongoDB)/9200(ES)/9090(Prometheus) 不应直接对外。
+      仅 EXPOSE 业务端口 (80/443/8080)，敏感端口由内部网络或 sidecar 代理访问。
+    languages:
+      - dockerfile
+    pattern-either:
+      - pattern: EXPOSE 22
+      - pattern: EXPOSE 2375
+      - pattern: EXPOSE 3306
+      - pattern: EXPOSE 5432
+      - pattern: EXPOSE 6379
+      - pattern: EXPOSE 27017
+      - pattern: EXPOSE 9200
+      - pattern: EXPOSE 9090
+      - pattern: EXPOSE 9093
+      - pattern: EXPOSE 3000
+      - pattern: EXPOSE 5000
+      - pattern: EXPOSE 8000
+      - pattern: EXPOSE 8500
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information"
+      owasp: "A05:2021 - Security Misconfiguration"
+      precision: very-high
+      tags: [docker, network-exposure, sensitive-port]

package/rules/unified/cwe-unknown/zm-go-cwe-unknown-misc.yaml

@@ -0,0 +1,152 @@
+# Source: common | Cluster: N/A
+# CWE-667: Go sync.Mutex Lock defer unlock缺失 / strconv错误处理 / unsafe.Pointer
+# 逐码 ZhuMa V4.3 — Go 通用规则库
+# 检测: Mutex Lock无defer Unlock、strconv.Atoi错误未检查、unsafe.Pointer使用
+
+rules:
+
+# ZM-GO-CONCURRENCY-001: sync.Mutex Lock缺少defer Unlock
+- id: zm-go-concurrency-001
+  severity: WARNING
+  message: |
+    检测到 sync.Mutex.Lock() 后未使用 defer Unlock()。
+    若Lock和Unlock之间有return/panic，锁将不会被释放，导致死锁。
+
+    修复方案:
+    1. 始终使用defer: mu.Lock(); defer mu.Unlock()
+    2. 使用 sync.RWMutex 区分读写锁
+    3. 对于条件变量场景使用 sync.Cond.Wait 自动释放锁
+  languages:
+    - go
+  patterns:
+    - pattern: |
+        $MU.Lock()
+        ...
+        $MU.Unlock()
+  metadata:
+    cwe: "CWE-667: Improper Locking"
+    severity: WARNING
+    precision: medium
+    category: concurrency
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A06:2021 - Vulnerable and Outdated Components"
+    references:
+      - "https://pkg.go.dev/sync#Mutex"
+
+# ZM-GO-ERROR-001: strconv.Atoi错误未检查
+- id: zm-go-error-handling-001
+  severity: WARNING
+  message: |
+    检测到 strconv.Atoi() 返回值使用了空白标识符(_)忽略错误。
+    若输入非法(如包含字母)，Atoi返回0且无错误信息，可能导致逻辑错误。
+
+    修复方案:
+    1. 始终检查错误: val, err := strconv.Atoi(input); if err != nil { return err }
+    2. 对用户输入使用 strconv.Atoi 前做格式验证
+    3. 使用 strconv.ParseInt 并指定进制更安全
+  languages:
+    - go
+  patterns:
+    - pattern: '$VAL, _ := strconv.Atoi($INPUT)'
+    - pattern: '$_, _ := strconv.Atoi($INPUT)'
+  metadata:
+    cwe: "CWE-252: Unchecked Return Value"
+    severity: WARNING
+    precision: very-high
+    category: error-handling
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A04:2021 - Insecure Design"
+    references:
+      - "https://pkg.go.dev/strconv#Atoi"
+
+# ZM-GO-ERROR-002: database/sql QueryRow Scan错误未处理
+- id: zm-go-error-handling-002
+  severity: WARNING
+  message: |
+    检测到 database/sql QueryRow().Scan() 忽略了返回值错误。
+    QueryRow可能返回 sql.ErrNoRows(无数据)或连接错误，忽略错误
+    会导致使用零值数据或连接池耗尽。
+
+    修复方案:
+    1. 始终检查Scan错误:
+       err := db.QueryRow("SELECT name FROM users WHERE id = ?", id).Scan(&name)
+       if err == sql.ErrNoRows { /* 无数据 */ }
+       if err != nil { /* 其他错误 */ }
+    2. 注意 sql.ErrNoRows 与连接错误的区分
+  languages:
+    - go
+  patterns:
+    - pattern: '$DB.QueryRow($QUERY, $ARGS).Scan($DEST)'
+  metadata:
+    cwe: "CWE-252: Unchecked Return Value"
+    severity: WARNING
+    precision: very-high
+    category: error-handling
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A04:2021 - Insecure Design"
+    references:
+      - "https://pkg.go.dev/database/sql#DB.QueryRow"
+
+# ZM-GO-MEMORY-001: unsafe.Pointer使用
+- id: zm-go-unsafe-pointer-001
+  severity: WARNING
+  message: |
+    检测到使用 unsafe.Pointer。unsafe操作绕过了Go的类型安全和内存安全，
+    可能导致内存损坏、越界访问和数据竞争。
+
+    修复方案:
+    1. 使用安全的类型转换替代 unsafe.Pointer
+    2. 使用 encoding/binary 进行字节序转换
+    3. 若必须使用，遵守 unsafe.Pointer 六条安全规则:
+       - 指针转换: T → unsafe.Pointer → *ArbitraryType → unsafe.Pointer → T
+    4. 代码审查时要特别仔细检查 unsafe 代码块
+  languages:
+    - go
+  pattern-either:
+    - pattern: unsafe.Pointer($V)
+    - pattern: unsafe.Pointer(uintptr($V))
+    - pattern: uintptr(unsafe.Pointer($V))
+  metadata:
+    cwe: "CWE-787: Out-of-bounds Write"
+    severity: WARNING
+    precision: very-high
+    category: memory-safety
+    likelihood: LOW
+    impact: HIGH
+    owasp: "A04:2021 - Insecure Design"
+    references:
+      - "https://pkg.go.dev/unsafe"
+
+# ZM-GO-MISC-001: time.LoadLocation含用户输入
+- id: zm-go-misc-001
+  severity: WARNING
+  message: |
+    检测到 time.LoadLocation 参数来自用户输入。
+    LoadLocation 会读取系统时区数据库，恶意输入可能导致panic或DoS。
+
+    修复方案:
+    1. 使用时区白名单: allowedTZs := map[string]bool{"Asia/Shanghai": true, "UTC": true}
+    2. 使用 time.FixedZone 从偏移量创建时区
+    3. 代码审查所有 time.LoadLocation 调用确保参数为常量
+  languages:
+    - go
+  pattern-either:
+    - pattern: time.LoadLocation(c.Query($KEY))
+    - pattern: time.LoadLocation(c.Param($KEY))
+    - pattern: time.LoadLocation(ctx.QueryParam($KEY))
+    - pattern: time.LoadLocation(ctx.Param($KEY))
+    - pattern: time.LoadLocation(r.URL.Query().Get($KEY))
+    - pattern: time.LoadLocation(r.FormValue($KEY))
+  metadata:
+    cwe: "CWE-770: Allocation of Resources Without Limits or Throttling"
+    severity: WARNING
+    precision: high
+    category: misc
+    likelihood: LOW
+    impact: MEDIUM
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://pkg.go.dev/time#LoadLocation"

package/rules/unified/cwe-unknown/zm-k8s-security.yaml

@@ -0,0 +1,80 @@
+# Source: iac | Cluster: N/A
+# 逐码 ZhuMa IaC 规则 — Kubernetes 安全检测
+# V4.1 Sprint 3 — 首批3条 K8s 最常见安全配置问题
+
+rules:
+  # ZM-IAC-K8S-001: runAsNonRoot 未设置
+  - id: zm-iac-k8s-nonroot-001
+    severity: HIGH
+    message: |
+      Pod/容器未设置 `runAsNonRoot: true` — 容器可以以 root 身份运行。
+      在 Pod securityContext 或 Container securityContext 中添加:
+      ```yaml
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      ```
+    languages:
+      - yaml
+    pattern: |
+      containers:
+        - name: $NAME
+          image: $IMAGE
+    pattern-not: |
+      containers:
+        - name: $NAME
+          image: $IMAGE
+          securityContext:
+            ...
+            runAsNonRoot: $VAL
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      owasp: "A05:2021 - Security Misconfiguration"
+      precision: medium
+      tags: [kubernetes, privilege-escalation, securitycontext]
+
+  # ZM-IAC-K8S-002: privileged: true
+  - id: zm-iac-k8s-privileged-001
+    severity: CRITICAL
+    message: |
+      容器以 `privileged: true` 运行 — 该容器获得宿主机的所有 Linux Capabilities，
+      包括加载内核模块、访问所有设备。除非是系统级组件 (如 kube-proxy、CNI 插件)，
+      否则应移除 `privileged: true` 并使用细粒度 `capabilities` 声明。
+    languages:
+      - yaml
+    pattern: |
+      privileged: true
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      owasp: "A05:2021 - Security Misconfiguration"
+      precision: very-high
+      tags: [kubernetes, privileged-container, rce, escape]
+
+  # ZM-IAC-K8S-003: allowPrivilegeEscalation 未显式禁用
+  - id: zm-iac-k8s-allow-escalation-001
+    severity: MEDIUM
+    message: |
+      未显式设置 `allowPrivilegeEscalation: false` — 默认允许子进程获取比父进程更多的特权。
+      在容器 securityContext 中添加:
+      ```yaml
+      securityContext:
+        allowPrivilegeEscalation: false
+      ```
+    languages:
+      - yaml
+    pattern: |
+      containers:
+        - name: $NAME
+          image: $IMAGE
+    pattern-not: |
+      containers:
+        - name: $NAME
+          image: $IMAGE
+          securityContext:
+            ...
+            allowPrivilegeEscalation: $VAL
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      owasp: "A05:2021 - Security Misconfiguration"
+      precision: medium
+      tags: [kubernetes, privilege-escalation, securitycontext]