@zhuma4/cli 4.0.0-alpha.1

package/rules/common/zm-java-cwe502-jndi-injection.yaml

@@ -0,0 +1,91 @@
+# CWE-502: JNDI Injection (Log4Shell-like vectors)
+# ZhuMa V4.1 — JNDI lookup from untrusted input
+
+rules:
+
+# ZM-JAVA-JNDI-001: InitialContext.lookup() with user-controlled name
+- id: zm-java-jndi-001
+  severity: ERROR
+  message: |
+    InitialContext.lookup() receives HTTP request parameter — JNDI injection.
+    Attacker supplies ldap://evil.com/Exploit for remote class loading (same vector as Log4Shell).
+    Fix: 1) Never pass user input to lookup() 2) Whitelist allowed JNDI names 3) Set com.sun.jndi.ldap.object.trustURLCodebase=false
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new InitialContext().lookup($REQ.getParameter(...))
+    - pattern: |
+        new InitialContext().lookup($REQ.getHeader(...))
+    - pattern: |
+        new InitialContext().lookup($REQ.getAttribute(...))
+    - pattern: |
+        new InitialContext().lookup($REQ.getParameter(...));
+    - pattern: |
+        new InitialContext().lookup($REQ.getHeader(...));
+    - pattern: |
+        new InitialContext().lookup($REQ.getAttribute(...));
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: jndi-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
+      - "https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization"
+
+# ZM-JAVA-JNDI-002: Context.lookup() with concatenated user input
+- id: zm-java-jndi-002
+  severity: ERROR
+  message: |
+    Context.lookup() name string concatenates user-supplied HTTP parameter — JNDI injection.
+    Even partial user control of JNDI name enables ldap:// RCE via remote codebase loading.
+    Fix: Do NOT concatenate user input into JNDI names; use hardcoded lookup strings only.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $CTX.lookup($STR + $REQ.getParameter(...))
+    - pattern: |
+        $CTX.lookup($STR + $REQ.getHeader(...))
+    - pattern: |
+        $CTX.lookup($REQ.getParameter(...) + $STR)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: medium
+    category: jndi-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
+
+# ZM-JAVA-JNDI-003: JndiTemplate/JndiLocatorDelegate lookup with user input (Spring)
+- id: zm-java-jndi-003
+  severity: ERROR
+  message: |
+    Spring JndiTemplate.lookup() receives user-supplied input — JNDI injection.
+    Use JndiObjectFactoryBean with hardcoded JNDI names; never pass dynamic user data.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new JndiTemplate().lookup($REQ.getParameter(...))
+    - pattern: |
+        $JT.lookup($REQ.getParameter(...))
+    - pattern: |
+        new JndiTemplate().lookup($REQ.getParameter(...));
+    - pattern: |
+        new JndiLocatorDelegate().lookup($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: jndi-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/common/zm-java-cwe502-shiro.yaml

@@ -0,0 +1,108 @@
+# CWE-502: Apache Shiro RememberMe 反序列化检测
+# 逐码 ZhuMa V4.1 — 通用规则库
+# 检测: CookieRememberMeManager 且 AES 密钥硬编码 / 使用默认密钥
+
+rules:
+
+# ZM-JAVA-SHIRO-001: Shiro RememberMe 硬编码 AES 密钥
+- id: zm-java-shiro-001
+  severity: ERROR
+  message: |
+    检测到 Apache Shiro CookieRememberMeManager 使用了硬编码的 AES 加密密钥。
+    若使用已知的默认密钥（如 kPH+bIxk5D2deZiIxcaaaA==），攻击者可伪造 RememberMe Cookie
+    实现反序列化 RCE（如 CommonsBeanutils + TemplatesImpl gadget 链）。
+    攻击链: 伪造 RememberMe Cookie → Base64解码 → AES解密 → 反序列化 → RCE
+    修复方案:
+    1. 使用随机生成的强 AES 密钥: KeyGenerator.getInstance("AES").generateKey()
+    2. 不要从配置文件/代码中硬编码密钥，使用环境变量或密钥管理服务
+    3. 升级 Shiro 至 1.13.0+ (默认启用更安全的反序列化过滤)
+    4. 替换默认密钥，确保每个部署实例使用不同密钥
+    参考:
+    - CVE-2016-4437 (Shiro RememberMe 反序列化 RCE)
+    - Shiro 默认密钥: kPH+bIxk5D2deZiIxcaaaA==
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new CookieRememberMeManager().setCipherKey(Base64.decode($KEY));
+    - pattern: |
+        $MGR.setCipherKey(Base64.decode($KEY));
+    - pattern: |
+        CookieRememberMeManager $MGR = new CookieRememberMeManager();
+        ...
+        $MGR.setCipherKey($KEY);
+    - pattern: |
+        new CookieRememberMeManager()
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: deserialization
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-4437"
+      - "https://shiro.apache.org/security-reports.html"
+
+# ZM-JAVA-SHIRO-002: Shiro 默认 AES 密钥检测
+- id: zm-java-shiro-002
+  severity: ERROR
+  message: |
+    检测到 Apache Shiro 使用了已知的默认 AES 密钥（Base64 编码字符串）。
+    该密钥为 Shiro 硬编码默认值，广泛公开，攻击者可直接用于伪造 RememberMe Cookie。
+    修复方案:
+    1. 立即替换为随机生成的密钥
+    2. 使用 KeyGenerator 生成新密钥，通过环境变量/密钥管理服务注入
+    3. 每个部署环境使用独立密钥
+    4. 如不需要 RememberMe 功能，禁用 CookieRememberMeManager
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $MGR.setCipherKey(Base64.decode("kPH+bIxk5D2deZiIxcaaaA=="))
+    - pattern: |
+        $MGR.setCipherKey(Base64.decode("kPH+bIxk5D2deZiIxcaaaA=="));
+    - pattern: |
+        $MGR.setCipherKey("kPH+bIxk5D2deZiIxcaaaA==".getBytes())
+    - pattern: |
+        setCipherKey(Base64.decode("kPH+bIxk5D2deZiIxcaaaA=="))
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: very-high
+    category: deserialization
+    likelihood: VERY_HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-4437"
+
+# ZM-JAVA-SHIRO-003: Shiro RememberMeManager 无 re-encryption 密钥
+- id: zm-java-shiro-003
+  severity: ERROR
+  message: |
+    检测到 Apache Shiro CookieRememberMeManager 实例化但未设置自定义密钥。
+    若使用默认密钥，攻击者可伪造 RememberMe Cookie 实现反序列化 RCE。
+    修复方案:
+    1. 显式设置随机 AES 密钥: setCipherKey(KeyGenerator.getInstance("AES").generateKey().getEncoded())
+    2. 密钥从安全配置源加载，禁止硬编码
+    3. 部署时自动生成实例级密钥并持久化
+  languages:
+    - java
+  patterns:
+    - pattern-inside: |
+        import org.apache.shiro.mgt.AbstractRememberMeManager;
+        ...
+    - pattern: |
+        new CookieRememberMeManager()
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: deserialization
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-4437"

package/rules/common/zm-java-cwe601-url-redirect-spring.yaml

@@ -0,0 +1,85 @@
+# CWE-601: URL Redirection — Spring-specific open redirect
+# ZhuMa V4.1 — detection for redirect-to-user-input patterns
+
+rules:
+
+# ZM-JAVA-REDIRECT-001: "redirect:" prefix + user-controlled URL
+- id: zm-java-redirect-001
+  severity: MEDIUM
+  message: |
+    Spring MVC "redirect:" prefix concatenated with HTTP parameter - open redirect to attacker URL.
+    Phishers use open redirects to make malicious links appear trusted (e.g. example.com/redirect?url=evil.com).
+    Fix: validate redirect target against domain whitelist or use relative redirects only.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $PREFIX = "redirect:";
+        ...
+        return $PREFIX + $REQ.getParameter(...);
+    - pattern: |
+        return $STR + $REQ.getParameter(...);
+    - pattern: |
+        $R = $STR + $REQ.getParameter(...);
+  metadata:
+    cwe: "CWE-601: URL Redirection to Untrusted Site (Open Redirect)"
+    severity: MEDIUM
+    precision: medium
+    category: url-redirect
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A01:2021 - Broken Access Control"
+
+# ZM-JAVA-REDIRECT-002: HttpServletResponse.sendRedirect() with user input
+- id: zm-java-redirect-002
+  severity: MEDIUM
+  message: |
+    HttpServletResponse.sendRedirect() receives user-supplied URL — open redirect.
+    Attackers craft phishing URLs like /login?redirect=https://evil.com to steal credentials.
+    Fix: validate against safelist of allowed destinations; prefer relative paths.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $RESP.sendRedirect($REQ.getParameter(...))
+    - pattern: |
+        $RESP.sendRedirect($REQ.getHeader(...))
+    - pattern: |
+        $RESP.sendRedirect($PREFIX + $REQ.getParameter(...))
+    - pattern: |
+        response.sendRedirect($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-601: URL Redirection to Untrusted Site (Open Redirect)"
+    severity: MEDIUM
+    precision: high
+    category: url-redirect
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A01:2021 - Broken Access Control"
+
+# ZM-JAVA-REDIRECT-003: ModelAndView / RedirectView with user-controlled URL
+- id: zm-java-redirect-003
+  severity: MEDIUM
+  message: |
+    Spring ModelAndView or RedirectView constructed with user-supplied redirect URL.
+    Open redirects enable phishing and social engineering attacks.
+    Fix: use a redirect strategy that validates target hosts; or redirect to a fixed landing page.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new ModelAndView("redirect:" + $REQ.getParameter(...))
+    - pattern: |
+        new RedirectView($REQ.getParameter(...))
+    - pattern: |
+        new RedirectView($REQ.getParameter(...), true)
+    - pattern: |
+        new RedirectView($PREFIX + $REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-601: URL Redirection to Untrusted Site (Open Redirect)"
+    severity: MEDIUM
+    precision: high
+    category: url-redirect
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A01:2021 - Broken Access Control"

package/rules/common/zm-java-cwe611-xxe-enhanced.yaml

@@ -0,0 +1,80 @@
+# CWE-611: XXE 增强检测 — TransformerFactory / Validator / SAXBuilder
+# 逐码 ZhuMa V4.1 — 通用规则库
+# 覆盖 xm-java-xxe 未覆盖的 Sinks
+
+rules:
+
+# ZM-JAVA-XXE-E01: TransformerFactory.newTransformer(StreamSource) 未配置 secure-processing
+- id: zm-java-xxe-e01
+  severity: ERROR
+  message: |
+    TransformerFactory.newTransformer() 使用 StreamSource 解析 XML，
+    未设置 FEATURE_SECURE_PROCESSING 或禁用外部实体。
+    攻击者可通过外部实体注入读取本地文件、发起 SSRF。
+    修复: tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $TF.newTransformer(new StreamSource($REQ.getInputStream()))
+    - pattern: |
+        $TF.newTransformer(new StreamSource($REQ.getReader()))
+    - pattern: |
+        $TF.newTransformer(new StreamSource($REQ.getParameter($PARAM)))
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-JAVA-XXE-E02: Validator.validate(StreamSource) 用户输入
+- id: zm-java-xxe-e02
+  severity: ERROR
+  message: |
+    Validator.validate() 使用 StreamSource 且 Source 来自用户输入。
+    Validator 默认未禁用外部实体，攻击者可注入 XXE。
+    修复: 设置 XMLConstants.ACCESS_EXTERNAL_DTD/Schema 为空字符串
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $VAL.validate(new StreamSource($REQ.getInputStream()))
+    - pattern: |
+        $VAL.validate(new StreamSource($REQ.getReader()))
+    - pattern: |
+        $VAL.validate(new StreamSource($REQ.getParameter($PARAM)))
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-JAVA-XXE-E03: SAXBuilder (JDOM) + 用户输入
+- id: zm-java-xxe-e03
+  severity: ERROR
+  message: |
+    JDOM SAXBuilder.build() 解析用户输入 XML，未禁用外部实体。
+    SAXBuilder 默认启用 DTD 和外部实体解析。
+    修复: builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
+  languages:
+    - java
+  patterns:
+    - pattern-inside: |
+        import org.jdom2.input.SAXBuilder;
+        ...
+    - pattern: |
+        $SB.build($REQ.getInputStream())
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/common/zm-java-cwe611-xxe-transformer.yaml

@@ -0,0 +1,85 @@
+# CWE-611: XXE — DocumentBuilderFactory / SAXParser / XMLInputFactory
+# ZhuMa V4.1 — complementary to zm-java-cwe611-xxe-enhanced.yaml
+
+rules:
+
+# ZM-JAVA-XXE-DBF-001: DocumentBuilderFactory + user XML without secure processing
+- id: zm-java-xxe-dbf-001
+  severity: ERROR
+  message: |
+    DocumentBuilderFactory.parse() receives untrusted XML input without disabling external entities.
+    Attacker can read local files (file:///etc/passwd) or perform SSRF via XXE.
+    Fix: dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) and dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $DBF.newDocumentBuilder().parse($REQ.getInputStream())
+    - pattern: |
+        $DBF.newDocumentBuilder().parse($REQ.getReader())
+    - pattern: |
+        $DBF.newDocumentBuilder().parse($SRC);
+        ...
+        $SRC = new InputSource($REQ.getInputStream());
+    - pattern: |
+        DocumentBuilderFactory.newInstance().newDocumentBuilder().parse($REQ.getInputStream())
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-JAVA-XXE-SAX-001: SAXParser + user XML without disabling DTD
+- id: zm-java-xxe-sax-001
+  severity: ERROR
+  message: |
+    SAXParser.parse() receives untrusted XML — DTD/external entities enabled by default.
+    Fix: spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) and spf.setFeature("http://xml.org/sax/features/external-general-entities", false)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $SAX.parse($REQ.getInputStream(), $HANDLER)
+    - pattern: |
+        $SAX.parse(new InputSource($REQ.getInputStream()))
+    - pattern: |
+        $SAX.parse(new InputSource($REQ.getReader()))
+    - pattern: |
+        SAXParserFactory.newInstance().newSAXParser().parse($REQ.getInputStream(), $H)
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-JAVA-XXE-STAX-001: XMLInputFactory + user XML without external entity restriction
+- id: zm-java-xxe-stax-001
+  severity: ERROR
+  message: |
+    StAX XMLInputFactory creates reader from user XML — external entities enabled by default.
+    Fix: factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false) and factory.setProperty(XMLInputFactory.SUPPORT_DTD, false)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $FACTORY.createXMLStreamReader($REQ.getInputStream())
+    - pattern: |
+        $FACTORY.createXMLEventReader($REQ.getInputStream())
+    - pattern: |
+        XMLInputFactory.newInstance().createXMLStreamReader($REQ.getInputStream())
+    - pattern: |
+        XMLInputFactory.newInstance().createXMLEventReader($REQ.getInputStream())
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/common/zm-java-cwe639-idor.yaml

@@ -0,0 +1,123 @@
+# CWE-639: 不安全的直接对象引用 (IDOR) 检测
+# 逐码 ZhuMa V4.1 — 通用规则库
+
+rules:
+
+- id: zm-java-idor-001
+  severity: WARNING
+  message: |
+    REST Controller 从 @PathVariable 获取资源 ID 直接查询，
+    未发现 @PreAuthorize 注解或资源所有权校验。
+    修复方案:
+    1. 添加 @PreAuthorize 验证用户权限
+    2. 查询时关联当前用户: WHERE id = :id AND user_id = :currentUserId
+    3. 使用 UUID 替代自增 ID
+  languages:
+    - java
+  patterns:
+    - pattern-either:
+        - pattern: |
+            @GetMapping(...)
+            public $RET $METHOD(@PathVariable $IDTYPE $ID) {
+              ...
+              $DAO.findById($ID);
+              ...
+            }
+        - pattern: |
+            @PutMapping(...)
+            public $RET $METHOD(@PathVariable $IDTYPE $ID) {
+              ...
+              $DAO.findById($ID);
+              ...
+            }
+        - pattern: |
+            @DeleteMapping(...)
+            public $RET $METHOD(@PathVariable $IDTYPE $ID) {
+              ...
+              $DAO.deleteById($ID);
+              ...
+            }
+    - pattern-not: |
+        @PreAuthorize($X)
+  metadata:
+    cwe: "CWE-639"
+    severity: WARNING
+    precision: medium
+    category: auth
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+
+- id: zm-java-idor-002
+  severity: WARNING
+  message: |
+    Controller 中路径变量 ID 直接传入数据访问层查询，
+    未发现将当前用户身份作为查询条件的代码。
+    修复方案:
+    1. DAO 层添加用户关联: findBy*AndUserId(id, currentUserId)
+    2. 使用 @PostAuthorize 校验返回对象所有权
+  languages:
+    - java
+  patterns:
+    - pattern-either:
+        - pattern: |
+            @$MAPPING(...)
+            public $RET $METHOD(@PathVariable("$IDNAME") $IDTYPE $IDVAR, ...) {
+              ...
+              $DAO.$FINDBY($IDVAR);
+              ...
+            }
+        - pattern: |
+            @$MAPPING(...)
+            public $RET $METHOD(@PathVariable("$IDNAME") $IDTYPE $IDVAR, ...) {
+              ...
+              $REPO.$FINDBY($IDVAR);
+              ...
+            }
+    - pattern-not: |
+        @PreAuthorize($X)
+  metadata:
+    cwe: "CWE-639"
+    severity: WARNING
+    precision: low
+    category: auth
+    likelihood: HIGH
+    impact: MEDIUM
+    owasp: "A01:2021 - Broken Access Control"
+
+- id: zm-java-idor-003
+  severity: WARNING
+  message: |
+    Controller 从 @RequestParam 获取资源 ID 直接查询数据库，无 @PreAuthorize 保护。
+    修复方案:
+    1. 添加 @PreAuthorize 验证
+    2. 查询结果关联当前用户身份
+    3. 不一致则返回 403
+  languages:
+    - java
+  patterns:
+    - pattern-either:
+        - pattern: |
+            @$MAPPING(...)
+            public $RET $METHOD(@RequestParam("$IDNAME") $IDTYPE $IDVAR, ...) {
+              ...
+              $DAO.findById($IDVAR);
+              ...
+            }
+        - pattern: |
+            @$MAPPING(...)
+            public $RET $METHOD(@RequestParam("$IDNAME") $IDTYPE $IDVAR, ...) {
+              ...
+              $REPO.findById($IDVAR);
+              ...
+            }
+    - pattern-not: |
+        @PreAuthorize($X)
+  metadata:
+    cwe: "CWE-639"
+    severity: WARNING
+    precision: medium
+    category: auth
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"

package/rules/common/zm-java-cwe79-xss-depth.yaml

@@ -0,0 +1,98 @@
+# CWE-79 XSS 全量 sink 覆盖 (v2): Spring MVC Response 写入所有变体
+
+rules:
+
+# ZM-JAVA-XSS-RESPONSE-001: HttpServletResponse.getWriter 直接输出用户输入
+- id: zm-java-xss-response-001
+  severity: MEDIUM
+  message: |
+    HttpServletResponse.getWriter().print/write 直接输出用户输入，无 HTML 编码。
+    在输出到响应流前对用户数据进行 OWASP Encoder 或 Spring HtmlUtils.htmlEscape 编码。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $RESP.getWriter().print($INPUT);
+    - pattern: $RESP.getWriter().write($INPUT);
+    - pattern: $RESP.getWriter().println($INPUT);
+    - pattern: $RESP.getOutputStream().print($INPUT);
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    precision: high
+    tags: [xss, servlet, response]
+
+# ZM-JAVA-XSS-MODELANDVIEW-001: ModelAndView 中添加未转义的用户输入
+- id: zm-java-xss-mv-001
+  severity: MEDIUM
+  message: |
+    ModelAndView.addObject 添加用户输入 — 如果 JSP 模板中未使用 c:out 或 ${fn:escapeXml()}，
+    可能导致存储型 XSS。确认对应 JSP/Thymeleaf 模板有输出编码。
+  languages:
+    - java
+  pattern: |
+    $MV.addObject($KEY, $INPUT);
+    ...
+    return $MV;
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    precision: medium
+    tags: [xss, modelandview, stored-xss]
+
+# ZM-JAVA-XSS-HEADER-001: 响应头注入 (CRLF 注入)
+- id: zm-java-xss-header-001
+  severity: LOW
+  message: |
+    resp.setHeader/addHeader 使用用户可控的值 — 可能导致 HTTP 响应头注入 (CRLF Injection)。
+    对用户值中的 \r\n 做过滤或编码，同时移除不可打印字符。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $RESP.setHeader($NAME, $INPUT);
+    - pattern: $RESP.addHeader($NAME, $INPUT);
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    precision: low
+    tags: [xss, header-injection, crlf]
+
+# ZM-JAVA-XSS-FORMAT-001: String.format 拼接用户输入到HTML模板
+- id: zm-java-xss-format-001
+  severity: MEDIUM
+  message: |
+    String.format 将用户输入直接拼入 HTML 片段 — 产生 XSS。
+    使用参数化模板（Thymeleaf th:text / JSP c:out）替代 Java 字符串拼接。
+  languages:
+    - java
+  pattern-either:
+    - pattern: String.format("<$TAG>$CONTENT</$TAG>", $X, ...)
+    - pattern: |
+        String.format("...<...%s...>...", $X, ...)
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    precision: medium
+    tags: [xss, string-format, html-injection]
+
+# ZM-JAVA-XSS-SPRING-ESCAPE-001: 显式使用 springHtmlEscape=false
+- id: zm-java-xss-escape-001
+  severity: MEDIUM
+  message: |
+    HtmlEscape 设置为 false 或 defaultHtmlEscape = false — 禁用自动 HTML 转义。
+    启用 defaultHtmlEscape 或逐页设置 `spring:htmlEscape="true"`。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        htmlEscape = false
+    - pattern: |
+        setHtmlEscape(false)
+    - pattern: |
+        defaultHtmlEscape = false
+    - pattern: |
+        setDefaultHtmlEscape(false)
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    precision: very-high
+    tags: [xss, spring, html-escape]