@zhuma4/cli 4.0.0-alpha.1

package/rules/common/zm-java-cwe94-spel-injection.yaml

@@ -0,0 +1,85 @@
+# CWE-94: SpEL Injection — deeper Spring expression variants
+# ZhuMa V4.1 — complement zm-java-cwe94-spel.yaml
+
+rules:
+
+# ZM-JAVA-SPEL-DEEP-001: EvaluationContext.setVariable() + user input
+- id: zm-java-spel-deep-001
+  severity: ERROR
+  message: |
+    EvaluationContext.setVariable() receives user-supplied value which is then evaluated via getValue().
+    Even with SimpleEvaluationContext, attacker-controlled SpEL expressions can cause DoS or unexpected behavior.
+    Fix: sanitize variable values; never pass raw user input as variable value to SpEL evaluation.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $CTX.setVariable($NAME, $REQ.getParameter(...));
+        ...
+        $PARSER.parseExpression($EXPR).getValue($CTX);
+    - pattern: |
+        $CTX.setVariable($NAME, $REQ.getHeader(...));
+        ...
+        $PARSER.parseExpression($EXPR).getValue($CTX);
+    - pattern: |
+        $PARSER.parseExpression($EXPR).setVariable($NAME, $REQ.getParameter(...)).getValue();
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: ERROR
+    precision: medium
+    category: code-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-JAVA-SPEL-DEEP-002: ExpressionParser with TemplateParserContext (template mode)
+- id: zm-java-spel-deep-002
+  severity: HIGH
+  message: |
+    SpEL expression with TemplateParserContext (mixed template+expression) uses user input.
+    Attackers can embed #{T(java.lang.Runtime).exec("cmd")} inside template strings.
+    Fix: disable template mode for user input; use fixed template strings only.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $PARSER.parseExpression($REQ.getParameter(...), new TemplateParserContext())
+    - pattern: |
+        $PARSER.parseExpression($REQ.getParameter(...), new TemplateParserContext()).getValue()
+    - pattern: |
+        $PARSER.parseExpression($REQ.getHeader(...), new TemplateParserContext())
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: HIGH
+    precision: high
+    category: code-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-JAVA-SPEL-DEEP-003: SpEL expression from request body or attribute
+- id: zm-java-spel-deep-003
+  severity: ERROR
+  message: |
+    SpelExpressionParser.parseExpression() with request body/attribute — attacker injects SpEL via JSON/XML body.
+    This is the Spring Cloud Function SpEL injection pattern (CVE-2022-22963).
+    Fix: never evaluate SpEL expressions from HTTP request body; use SimpleEvaluationContext if needed.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new SpelExpressionParser().parseExpression($REQ.getReader().readLine()).getValue()
+    - pattern: |
+        new SpelExpressionParser().parseExpression($REQ.getInputStream()).getValue()
+    - pattern: |
+        new SpelExpressionParser().parseExpression($REQ.getParameter(...)).getValue($CTX)
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: ERROR
+    precision: high
+    category: code-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-22963"

package/rules/common/zm-java-cwe94-spel.yaml

@@ -0,0 +1,112 @@
+# CWE-94: Spring Expression Language (SpEL) 表达式注入检测
+# 逐码 ZhuMa V4.1 — 通用规则库
+# 检测: SpelExpressionParser.parseExpression() 且参数来自 HTTP request
+
+rules:
+
+# ZM-JAVA-SPEL-001: SpEL parseExpression() 用户可控
+- id: zm-java-spel-001
+  severity: ERROR
+  message: |
+    检测到 SpelExpressionParser.parseExpression() 的参数可能来自 HTTP 请求（用户可控）。
+    SpEL 表达式可调用任意 Java 方法、访问系统属性、执行命令。
+    攻击者可通过注入 SpEL 表达式实现远程代码执行（RCE）。
+    修复方案:
+    1. 禁止将用户输入直接传入 parseExpression()
+    2. 使用 SimpleEvaluationContext 替代 StandardEvaluationContext（限制表达式能力）
+    3. 对用户输入使用白名单校验或预定义表达式映射
+    4. 使用非表达式逻辑实现业务需求
+    参考: CVE-2022-22963 (Spring Cloud Function SpEL RCE)
+  languages:
+    - java
+  patterns:
+    - pattern-either:
+        - pattern: |
+            new SpelExpressionParser().parseExpression($REQ.getParameter(...));
+        - pattern: |
+            new SpelExpressionParser().parseExpression($REQ.getHeader(...));
+        - pattern: |
+            new SpelExpressionParser().parseExpression($REQ.getParameter(...)).getValue(...);
+        - pattern: |
+            new SpelExpressionParser().parseExpression($REQ.getHeader(...)).getValue(...);
+    - pattern: |
+        import org.springframework.expression.spel.standard.SpelExpressionParser;
+        ...
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: ERROR
+    precision: high
+    category: code-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-22963"
+      - "https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/expression/spel/standard/SpelExpressionParser.html"
+
+# ZM-JAVA-SPEL-002: SpEL parseExpression() 拼接变量 (可疑)
+- id: zm-java-spel-002
+  severity: ERROR
+  message: |
+    检测到 SpelExpressionParser.parseExpression() 的参数可能由变量拼接构成。
+    若该变量来自 HTTP 请求参数，攻击者可注入 SpEL 表达式实现 RCE。
+    修复方案:
+    1. 确认变量来源是否为用户可控，若来自 request 则必须立即修复
+    2. 使用 SimpleEvaluationContext + 白名单限制表达式能力
+    3. 对表达式内容做严格的正则/白名单过滤
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new SpelExpressionParser().parseExpression($EXPR);
+        ...
+        $EXPR = $REQ.getParameter(...);
+        ...
+    - pattern: |
+        $EXPR = $REQ.getParameter(...);
+        ...
+        new SpelExpressionParser().parseExpression($EXPR);
+        ...
+    - pattern: |
+        $EXPR = $REQ.getHeader(...);
+        ...
+        new SpelExpressionParser().parseExpression($EXPR);
+        ...
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: ERROR
+    precision: medium
+    category: code-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-JAVA-SPEL-003: ExpressionParser.parseExpression() 通用匹配
+- id: zm-java-spel-003
+  severity: HIGH
+  message: |
+    检测到 ExpressionParser.parseExpression() 调用，参数可能是用户可控的 HTTP 参数。
+    SpEL 表达式注入可导致任意代码执行。
+    修复方案:
+    1. 禁止将用户输入传入表达式解析器
+    2. 使用 SimpleEvaluationContext 替代默认上下文
+    3. 对输入进行白名单校验
+  languages:
+    - java
+  patterns:
+    - pattern-either:
+        - pattern: |
+            $PARSER.parseExpression($REQ.getParameter(...))
+        - pattern: |
+            $PARSER.parseExpression($REQ.getHeader(...))
+    - pattern-inside: |
+        import org.springframework.expression.ExpressionParser;
+        ...
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: HIGH
+    precision: high
+    category: code-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/common/zm-java-cwe94-ssti.yaml

@@ -0,0 +1,22 @@
+# CWE-94: Java SSTI 模板注入检测
+rules:
+- id: zm-java-ssti-01
+  severity: ERROR
+  message: Thymeleaf processTemplate() 参数用户可控，可导致服务端模板注入(SSTI) RCE。
+  languages: [java]
+  pattern: $CTX.processTemplate($REQ.getParameter($PARAM), ...)
+  metadata: { cwe: "CWE-94", precision: high, category: code-injection, owasp: "A03:2021 - Injection" }
+
+- id: zm-java-ssti-02
+  severity: ERROR
+  message: FreeMarker Template.process() 参数来自用户输入，可导致SSTI RCE。
+  languages: [java]
+  pattern: $TEMPLATE.process($REQ.getParameter($PARAM), ...)
+  metadata: { cwe: "CWE-94", precision: high, category: code-injection, owasp: "A03:2021 - Injection" }
+
+- id: zm-java-ssti-03
+  severity: ERROR
+  message: Velocity evaluate() 用户输入可导致SSTI RCE。
+  languages: [java]
+  pattern: Velocity.evaluate($CTX, $WRITER, $LOG, $REQ.getParameter($PARAM))
+  metadata: { cwe: "CWE-94", precision: high, category: code-injection, owasp: "A03:2021 - Injection" }

package/rules/common/zm-java-cwe942-cors.yaml

@@ -0,0 +1,15 @@
+# CWE-942: Java CORS 通配符配置缺陷
+rules:
+- id: zm-java-cors-01
+  severity: WARNING
+  message: '@CrossOrigin(origins="*") 允许任意域跨域访问，可能导致CSRF/数据泄露。'
+  languages: [java]
+  pattern: '@CrossOrigin(origins = "*")'
+  metadata: { cwe: "CWE-942", precision: very-high, category: config, owasp: "A05:2021 - Security Misconfiguration" }
+
+- id: zm-java-cors-02
+  severity: WARNING
+  message: CorsConfiguration.addAllowedOrigin("*") 通配符允许任意域跨域。
+  languages: [java]
+  pattern: $CONFIG.addAllowedOrigin("*")
+  metadata: { cwe: "CWE-942", precision: very-high, category: config, owasp: "A05:2021" }

package/rules/common/zm-js-cwe1321-prototype-pollution.yaml

@@ -0,0 +1,61 @@
+# CWE-1321: 原型链污染检测规则
+# 逐码 ZhuMa V4.1 Sprint 1 — JS/TS 通用规则库
+
+rules:
+
+- id: zm-js-pp-001
+  severity: ERROR
+  message: |
+    检测到将用户可控数据（req.body / req.query / req.params）通过动态键赋值
+    到对象嵌套属性，可能导致原型链污染。
+    修复: 1.Object.create(null)创建无原型对象 2.过滤__proto__/constructor/prototype键名
+    3.使用Map替代普通对象 4.检查lodash.merge版本(<4.17.12存在漏洞)
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        $OBJ[$REQ.body] = $VAL
+    - pattern: |
+        $OBJ[$REQ.query] = $VAL
+    - pattern: |
+        $OBJ[$REQ.params] = $VAL
+    - pattern: |
+        $OBJ[$KEY] = $REQ.body
+    - pattern: |
+        $OBJ[$KEY] = $REQ.query
+    - pattern: |
+        $OBJ[$KEY] = $REQ.params
+  metadata:
+    cwe: "CWE-1321"
+    severity: ERROR
+    precision: medium
+    category: code-injection
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+
+- id: zm-js-pp-002
+  severity: ERROR
+  message: |
+    检测到对 __proto__ 或 constructor.prototype 的直接赋值操作。
+    这是原型链污染的典型模式。
+    修复: 1.禁止对__proto__和constructor.prototype赋值 2.冻结原型: Object.freeze(Object.prototype)
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        $OBJ.__proto__ = $VAL
+    - pattern: |
+        $OBJ['__proto__'] = $VAL
+    - pattern: |
+        $OBJ.constructor.prototype = $VAL
+    - pattern: |
+        $OBJ.constructor.prototype.$PROP = $VAL
+    - pattern: |
+        $OBJ.__proto__.$PROP = $VAL
+  metadata:
+    cwe: "CWE-1321"
+    severity: ERROR
+    precision: very-high
+    category: code-injection
+    owasp: "A08:2021"

package/rules/common/zm-js-cwe200-info-disclosure.yaml

@@ -0,0 +1,95 @@
+# CWE-200: Node.js 敏感信息泄露检测规则
+# 逐码 ZhuMa V4.1 Sprint 2 — JS/TS 规则库
+# 覆盖: Error stack trace 返回、console.log 含密码、helmet 未配置、res.json(err) 内网信息
+
+rules:
+
+# ZM-JS-INFO-001: 错误处理中直接返回 error stack trace
+- id: zm-js-info-001
+  severity: WARNING
+  message: |
+    检测到HTTP响应中直接返回 error.stack / err (可能未脱敏)。
+    泄露服务器路径/依赖版本等信息。
+    修复: 生产环境返回通用错误 res.send({ error: 'Internal Server Error' })。
+  languages:
+    - javascript
+    - typescript
+  patterns:
+    - pattern-either:
+        - pattern: $RES.send($ERR.stack)
+        - pattern: $RES.json($ERR.stack)
+    - pattern-not: |
+        ...;
+        $RES.send({...});
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+    owasp: "A04:2021 - Insecure Design"
+    category: info-disclosure
+    precision: high
+    references:
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html"
+
+# ZM-JS-INFO-002: console.log 输出敏感信息
+- id: zm-js-info-002
+  severity: WARNING
+  message: |
+    检测到 console.log 可能输出了 password / token / secret 等敏感字段。
+    生产环境日志可能被持久化存储，造成凭据泄露。
+    修复: 使用日志脱敏库(pino.redact)或生产环境禁用 console 输出。
+  languages:
+    - javascript
+    - typescript
+  patterns:
+    - pattern: console.$FUNC(...)
+    - metavariable-regex:
+        metavariable: $FUNC
+        regex: ^(log|error|warn)$
+    - pattern: |
+        console.$FUNC($OBJ.$FIELD, ...)
+    - metavariable-regex:
+        metavariable: $FIELD
+        regex: ^(password|passwd|token|secret|apiKey|api_key|credential|accessKey|access_key|privateKey|private_key)$
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+    owasp: "A04:2021 - Insecure Design"
+    category: info-disclosure
+    precision: high
+    references:
+      - "https://cwe.mitre.org/data/definitions/532.html"
+
+# ZM-JS-INFO-003: Helmet 安全头未配置 / 缺失
+- id: zm-js-info-003
+  severity: WARNING
+  message: |
+    检测到 Express 应用可能未启用 helmet 安全头中间件。
+    缺少安全响应头可能导致信息泄露 (X-Powered-By 暴露技术栈)、
+    点击劫持 (X-Frame-Options)、MIME sniffing 等风险。
+
+    修复:
+    1. app.use(helmet()) — 启用默认安全头
+    2. 至少手动设置:
+       - X-Content-Type-Options: nosniff
+       - X-Frame-Options: DENY
+       - X-XSS-Protection: 0 (已废弃，但保留)
+       - Referrer-Policy: no-referrer
+       - Strict-Transport-Security: max-age=31536000
+       - 移除 X-Powered-By 头: app.disable('x-powered-by')
+    3. helmet.contentSecurityPolicy() 配置CSP防止XSS
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        const express = require('express')
+        ...
+        const app = express()
+      # 检测 express() 调用但无 helmet
+    - pattern: $APP.listen(...)
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+    owasp: "A05:2021 - Security Misconfiguration"
+    category: info-disclosure
+    precision: low
+    references:
+      - "https://helmetjs.github.io/"
+      - "https://expressjs.com/en/advanced/best-practice-security.html"

package/rules/common/zm-js-cwe22-path-traversal-fs.yaml

@@ -0,0 +1,113 @@
+# CWE-22: Node.js 文件系统路径穿越深度检测
+# 逐码 ZhuMa V4.1 Sprint — JS/TS 规则库
+# 覆盖: fs.readFile/writeFile + userInput 路径拼接
+
+rules:
+
+# ZM-JS-PT-FS-001: fs.readFile / readFileSync 用户输入路径
+- id: zm-js-pt-fs-001
+  severity: ERROR
+  message: |
+    检测到 fs.readFile / fs.readFileSync / fs.createReadStream 使用用户可控的路径参数。
+    攻击者可输入 ../../etc/passwd 或 /proc/self/environ 等路径穿越读取任意文件。
+
+    修复:
+    1. 使用 path.resolve + path.normalize 规范化路径后，验证是否在允许的基础目录内:
+       const safePath = path.resolve(baseDir, path.normalize(userInput))
+       if (!safePath.startsWith(path.resolve(baseDir))) { throw new Error('Path traversal detected') }
+    2. 使用 path.basename() 仅提取文件名，丢弃路径部分
+    3. 对用户输入的文件名做白名单校验
+    4. 将文件存储在非Web可访问目录中
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: fs.readFile($REQ.query.$PARAM, ...)
+    - pattern: fs.readFile($REQ.params.$PARAM, ...)
+    - pattern: fs.readFile($REQ.body.$PARAM, ...)
+    - pattern: fs.readFileSync($REQ.query.$PARAM, ...)
+    - pattern: fs.readFileSync($REQ.params.$PARAM, ...)
+    - pattern: fs.readFileSync($REQ.body.$PARAM, ...)
+    - pattern: fs.createReadStream($REQ.query.$PARAM, ...)
+    - pattern: fs.createReadStream($REQ.params.$PARAM, ...)
+    - pattern: fs.createReadStream($REQ.body.$PARAM, ...)
+    - pattern: fsPromises.readFile($REQ.query.$PARAM, ...)
+    - pattern: fsPromises.readFile($REQ.params.$PARAM, ...)
+    - pattern: fsPromises.readFile($REQ.body.$PARAM, ...)
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)"
+    owasp: "A01:2021 - Broken Access Control"
+    category: path-traversal
+    precision: high
+    confidence: high
+    references:
+      - "https://owasp.org/www-community/attacks/Path_Traversal"
+
+# ZM-JS-PT-FS-002: fs.writeFile / writeFileSync 用户输入路径写入
+- id: zm-js-pt-fs-002
+  severity: ERROR
+  message: |
+    检测到 fs.writeFile / fs.writeFileSync / fs.createWriteStream 使用用户可控的路径参数。
+    攻击者可写入任意路径文件，覆盖配置文件、植入webshell，或向系统目录写入恶意文件。
+
+    修复:
+    1. 规范化路径并验证在允许的基础目录内
+    2. 限制文件扩展名白名单(如仅 .txt .log)
+    3. 对用户输入的文件名做严格的白名单校验
+    4. 使用随机文件名(uuid)而非用户提供文件名
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: fs.writeFile($REQ.query.$PARAM, ...)
+    - pattern: fs.writeFile($REQ.params.$PARAM, ...)
+    - pattern: fs.writeFile($REQ.body.$PARAM, ...)
+    - pattern: fs.writeFileSync($REQ.query.$PARAM, ...)
+    - pattern: fs.writeFileSync($REQ.params.$PARAM, ...)
+    - pattern: fs.writeFileSync($REQ.body.$PARAM, ...)
+    - pattern: fs.createWriteStream($REQ.query.$PARAM, ...)
+    - pattern: fs.createWriteStream($REQ.params.$PARAM, ...)
+    - pattern: fs.createWriteStream($REQ.body.$PARAM, ...)
+    - pattern: fsPromises.writeFile($REQ.query.$PARAM, ...)
+    - pattern: fsPromises.writeFile($REQ.params.$PARAM, ...)
+    - pattern: fsPromises.writeFile($REQ.body.$PARAM, ...)
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)"
+    owasp: "A01:2021 - Broken Access Control"
+    category: path-traversal
+    precision: high
+    confidence: high
+    references:
+      - "https://owasp.org/www-community/attacks/Path_Traversal"
+
+# ZM-JS-PT-FS-003: 路径拼接 + fs操作 (低精度，需人工确认)
+- id: zm-js-pt-fs-003
+  severity: WARNING
+  message: |
+    检测到路径拼接后传入 fs 文件操作，需确认拼接变量是否来自用户输入。
+    若拼接变量可控，存在路径穿越风险。
+
+    修复:
+    1. 追踪变量来源，确认是否为用户输入
+    2. 使用 path.resolve + path.normalize 规范化
+    3. 验证结果路径的基础目录前缀
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: fs.readFile($DIR + $INPUT, ...)
+    - pattern: fs.readFileSync($DIR + $INPUT, ...)
+    - pattern: fs.writeFile($DIR + $INPUT, ...)
+    - pattern: fs.writeFileSync($DIR + $INPUT, ...)
+    - pattern: fs.createReadStream($DIR + $INPUT, ...)
+    - pattern: fs.createWriteStream($DIR + $INPUT, ...)
+    - pattern: fsPromises.readFile($DIR + $INPUT, ...)
+    - pattern: fsPromises.writeFile($DIR + $INPUT, ...)
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)"
+    owasp: "A01:2021 - Broken Access Control"
+    category: path-traversal
+    precision: low
+    confidence: medium
+    references:
+      - "https://owasp.org/www-community/attacks/Path_Traversal"

package/rules/common/zm-js-cwe22-pathtraversal.yaml

@@ -0,0 +1,111 @@
+# CWE-22: Node.js 路径穿越检测规则
+# 逐码 ZhuMa V4.1 Sprint 2 — FPR 优化版
+# 变更: zm-js-pt-001 拆为两版——高精度(用户输入源) + 低精度(通用路径拼接)
+# 原因: path.join($INPUT) 匹配到 fs.readdirSync 结果等非用户输入，FPR=100%
+
+rules:
+
+# ZM-JS-PT-001: fs.readFile + req.query/params/body 直接导致路径穿越 (高精度)
+- id: zm-js-pt-001
+  severity: ERROR
+  message: |
+    fs 读取操作使用 req.query/req.params/req.body 直接拼接路径，确认用户可控输入。
+    攻击者可注入 ../ 穿越目录读取任意文件。
+
+    修复:
+    1. path.normalize() + 路径前缀白名单校验
+    2. 禁止用户输入直接拼入文件路径
+    3. express.static 设置 dotfiles: 'deny'
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        fs.readFile($REQ.query.$PARAM, ...)
+    - pattern: |
+        fs.readFileSync($REQ.query.$PARAM, ...)
+    - pattern: |
+        fs.readFile($REQ.params.$PARAM, ...)
+    - pattern: |
+        fs.readFileSync($REQ.params.$PARAM, ...)
+    - pattern: |
+        fs.readFile($REQ.body.$PARAM, ...)
+    - pattern: |
+        fs.readFileSync($REQ.body.$PARAM, ...)
+    - pattern: |
+        fs.createReadStream($REQ.query.$PARAM)
+    - pattern: |
+        fs.createReadStream($REQ.params.$PARAM)
+    - pattern: |
+        fs.createReadStream($REQ.body.$PARAM)
+    - pattern: |
+        fs.readFile(path.resolve($ROOT, $REQ.query.$PARAM), ...)
+    - pattern: |
+        fs.readFileSync(path.resolve($ROOT, $REQ.query.$PARAM), ...)
+    - pattern: |
+        fs.readFile(path.join($ROOT, $REQ.query.$PARAM), ...)
+    - pattern: |
+        fs.readFileSync(path.join($ROOT, $REQ.query.$PARAM), ...)
+  metadata:
+    cwe: "CWE-22: Path Traversal"
+    owasp: "A01:2021 - Broken Access Control"
+    category: path-traversal
+    precision: high
+    references:
+      - "https://owasp.org/www-community/attacks/Path_Traversal"
+
+# ZM-JS-PT-003: fs.readFile + 任意变量路径拼接 (低精度，需人工复核)
+- id: zm-js-pt-003
+  severity: WARNING
+  message: |
+    fs 读取操作使用了动态路径拼接，可能是路径穿越风险（也可能是安全的内部文件读取）。
+    需人工确认变量来源是否为用户可控输入。
+
+    修复:
+    1. 如果变量来自 req.query/params/body，必须做路径前缀白名单校验
+    2. 如果是 fs.readdirSync 结果（同目录遍历），忽略本规则
+    3. 使用 path.normalize() 规范化后验证前缀在允许目录内
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        fs.readFile(path.resolve($ROOT, $INPUT), ...)
+    - pattern: |
+        fs.readFileSync(path.resolve($ROOT, $INPUT), ...)
+    - pattern: |
+        fs.readFile(path.join($INPUT, ...), ...)
+    - pattern: |
+        fs.readFileSync(path.join($INPUT, ...), ...)
+    - pattern: |
+        fs.createReadStream(path.join($INPUT, ...))
+    - pattern: |
+        fs.createReadStream(path.resolve($ROOT, $INPUT))
+  metadata:
+    cwe: "CWE-22: Path Traversal"
+    owasp: "A01:2021 - Broken Access Control"
+    category: path-traversal
+    precision: low
+    references:
+      - "https://owasp.org/www-community/attacks/Path_Traversal"
+
+# ZM-JS-PT-002: express.static 未设置 root 选项
+- id: zm-js-pt-002
+  severity: WARNING
+  message: |
+    express.static() 未设置 root 或将用户输入用于目录路径，可能导致路径穿越。
+    修复: 设置 root 选项 + dotfiles: 'deny'
+  languages:
+    - javascript
+    - typescript
+  patterns:
+    - pattern-either:
+        - pattern: $APP.use(express.static($USER_INPUT))
+        - pattern: $APP.use(express.static($USER_INPUT, ...))
+  metadata:
+    cwe: "CWE-22: Path Traversal"
+    owasp: "A01:2021 - Broken Access Control"
+    category: path-traversal
+    precision: medium
+    references:
+      - "https://expressjs.com/en/4x/api.html#express.static"