@zhuma4/cli 4.0.0-alpha.1

package/rules/common/zm-js-cwe915-mass-assignment.yaml

@@ -0,0 +1,111 @@
+# CWE-915: Node.js 过度绑定/批量赋值检测规则
+# 逐码 ZhuMa V4.1 Sprint 2 — JS/TS 规则库
+# 覆盖: Object.assign(req.body, target)、lodash.merge、Mongoose Model(req.body)、Sequelize bulkCreate
+
+rules:
+
+# ZM-JS-MA-001: Object.assign / lodash.merge 将 req.body 合并到数据库对象
+- id: zm-js-ma-001
+  severity: ERROR
+  message: |
+    Object.assign() 或 lodash.merge() 直接将 req.body / req.query / req.params
+    合并或赋值给数据库模型/内部对象，攻击者可注入额外字段(如 role: "admin"、isAdmin: true)
+    实现权限提升或数据篡改。
+
+    修复:
+    1. 只提取白名单字段: { username, email } = req.body; Object.assign(dbUser, { username, email })
+    2. 使用 pick() 辅助函数从 req.body 提取允许字段
+    3. 使用 Mongoose Schema 定义字段白名单
+    4. ORM层面设置 strict: 'throw' (Mongoose) 或 fields 白名单 (Sequelize)
+    5. 使用 joi / zod Schema 验证并 strip 未知字段
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: Object.assign($TARGET, $REQ.body, ...)
+    - pattern: Object.assign($TARGET, $REQ.query, ...)
+    - pattern: Object.assign($TARGET, $REQ.params, ...)
+    - pattern: lodash.merge($TARGET, $REQ.body, ...)
+    - pattern: lodash.merge($TARGET, $REQ.query, ...)
+    - pattern: lodash.merge($TARGET, $REQ.params, ...)
+    - pattern: _.merge($TARGET, $REQ.body, ...)
+    - pattern: _.merge($TARGET, $REQ.query, ...)
+    - pattern: _.merge($TARGET, $REQ.params, ...)
+    - pattern: _.assign($TARGET, $REQ.body, ...)
+    - pattern: _.assign($TARGET, $REQ.query, ...)
+    - pattern: _.assign($TARGET, $REQ.params, ...)
+    - pattern: _.defaults($TARGET, $REQ.body, ...)
+    - pattern: _.extend($TARGET, $REQ.body, ...)
+    - pattern: $merge($TARGET, $REQ.body, ...)
+  metadata:
+    cwe: "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
+    owasp: "A01:2021 - Broken Access Control"
+    category: mass-assignment
+    precision: high
+    references:
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html"
+      - "https://mongoosejs.com/docs/guide.html#strict"
+
+# ZM-JS-MA-002: Mongoose/Sequelize 直接传入 req.body 创建/更新 (无字段过滤)
+- id: zm-js-ma-002
+  severity: ERROR
+  message: |
+    Mongoose Model 构造函数、create()、findByIdAndUpdate() 或 Sequelize Model.create()
+    直接传入 req.body / req.query 作为参数，未过滤允许字段，存在过度绑定风险。
+
+    攻击者可通过注入 protected 字段(如 role、credit、verified)绕过业务限制。
+
+    修复:
+    1. Mongoose: Schema 设置 { strict: true } 或 { strict: 'throw' }
+    2. Mongoose 查询: 先 destructure 白名单字段再传入
+    3. Sequelize: Model.create() 前使用 fields/attributes 白名单
+    4. 统一中间件层做字段过滤
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $MODEL.create($REQ.body, ...)
+    - pattern: $MODEL.create($REQ.query, ...)
+    - pattern: new $MODEL($REQ.body, ...)
+    - pattern: new $MODEL($REQ.query, ...)
+    - pattern: $MODEL.insertMany($REQ.body, ...)
+    - pattern: $MODEL.findByIdAndUpdate($_, $REQ.body, ...)
+    - pattern: $MODEL.findOneAndUpdate($_, $REQ.body, ...)
+    - pattern: $MODEL.updateOne($_, $REQ.body, ...)
+    - pattern: $MODEL.updateMany($_, $REQ.body, ...)
+    - pattern: $MODEL.replaceOne($_, $REQ.body, ...)
+    - pattern: $MODEL.bulkWrite($REQ.body, ...)
+  metadata:
+    cwe: "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
+    owasp: "A01:2021 - Broken Access Control"
+    category: mass-assignment
+    precision: high
+    references:
+      - "https://mongoosejs.com/docs/guide.html#strict"
+      - "https://sequelize.org/docs/v6/core-concepts/model-basics/#data-types"
+
+# ZM-JS-MA-003: Sequelize bulkCreate 无 fields 白名单
+- id: zm-js-ma-003
+  severity: WARNING
+  message: |
+    Sequelize Model.bulkCreate() 接收 req.body 且可能未设置 fields 白名单。
+    攻击者可批量注入额外字段，影响大量记录。
+
+    修复:
+    1. Model.bulkCreate(data, { fields: ['name', 'email'] }) 显式指定白名单
+    2. 在 Controller 层做字段提取: const { name, email } = req.body
+    3. 使用 Sequelize beforeBulkCreate hook 做字段验证
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: $MODEL.bulkCreate($REQ.body, ...)
+    - pattern: $MODEL.bulkCreate($REQ.query, ...)
+    - pattern: $MODEL.bulkBuild($REQ.body, ...)
+  metadata:
+    cwe: "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
+    owasp: "A01:2021 - Broken Access Control"
+    category: mass-assignment
+    precision: medium
+    references:
+      - "https://sequelize.org/docs/v6/core-concepts/model-querying-basics/#bulkcreate"

package/rules/common/zm-js-cwe918-ssrf-fetch.yaml

@@ -0,0 +1,134 @@
+# CWE-918: Node.js SSRF 深度覆盖 — fetch/axios/node-fetch/got 全量sink
+# 逐码 ZhuMa V4.1 Sprint — JS/TS 规则库
+# 覆盖: fetch() / axios({url:...}) / node-fetch / got / undici 对象式请求
+
+rules:
+
+# ZM-JS-SSRF-FETCH-001: fetch/axios/node-fetch 直接传入用户输入URL
+- id: zm-js-ssrf-fetch-001
+  severity: ERROR
+  message: |
+    检测到 fetch / axios / node-fetch / got / undici.fetch 等 HTTP 客户端直接使用用户输入作为请求URL，
+    存在SSRF（服务端请求伪造）风险。
+    攻击者可控制目标URL使服务器发起对内网服务的恶意请求，绕过防火墙访问内部资源
+    (如 http://169.254.169.254/latest/meta-data/ 获取云环境元数据)。
+
+    修复:
+    1. 对用户传入的URL做白名单校验，仅允许预设的外部域名
+    2. 禁止用户输入直接决定请求目标，使用URL映射表替代
+    3. 使用SSRF保护库(如 ssrf-filter / safe-request)
+    4. 配置防火墙禁止服务器访问内网地址(169.254.0.0/16, 10.0.0.0/8, 127.0.0.0/8等)
+    5. 禁用不必要的HTTP重定向跟踪
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    # fetch()
+    - pattern: fetch($REQ.query.$PARAM, ...)
+    - pattern: fetch($REQ.params.$PARAM, ...)
+    - pattern: fetch($REQ.body.$PARAM, ...)
+    # node-fetch
+    - pattern: nodeFetch($REQ.query.$PARAM, ...)
+    - pattern: nodeFetch($REQ.params.$PARAM, ...)
+    - pattern: nodeFetch($REQ.body.$PARAM, ...)
+    # axios object-style
+    - pattern: |
+        axios({url: $REQ.query.$PARAM, ...})
+    - pattern: |
+        axios({url: $REQ.params.$PARAM, ...})
+    - pattern: |
+        axios({url: $REQ.body.$PARAM, ...})
+    - pattern: |
+        $AXIOS({url: $REQ.query.$PARAM, ...})
+    - pattern: |
+        $AXIOS({url: $REQ.params.$PARAM, ...})
+    - pattern: |
+        $AXIOS({url: $REQ.body.$PARAM, ...})
+    # got object-style
+    - pattern: |
+        got({url: $REQ.query.$PARAM, ...})
+    - pattern: |
+        got({url: $REQ.params.$PARAM, ...})
+    - pattern: |
+        got({url: $REQ.body.$PARAM, ...})
+    # undici.fetch
+    - pattern: undici.fetch($REQ.query.$PARAM, ...)
+    - pattern: undici.fetch($REQ.params.$PARAM, ...)
+    - pattern: undici.fetch($REQ.body.$PARAM, ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    category: ssrf
+    precision: high
+    confidence: high
+    references:
+      - "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
+
+# ZM-JS-SSRF-FETCH-002: 用户输入拼接URL后传入fetch/axios
+- id: zm-js-ssrf-fetch-002
+  severity: WARNING
+  message: |
+    fetch / axios 请求URL由用户输入拼接构造，需确认拼接变量是否可直接控制完整URL。
+    若用户可控制协议+域名部分(如 http://evil.com )，存在SSRF风险。
+
+    修复:
+    1. 使用 new URL() 解析目标并验证 hostname 白名单
+    2. 使用URL映射表(key->URL)替代直接拼接
+    3. 限制协议仅允许 https
+    4. 使用SSRF防护库过滤内网IP
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: fetch($URL + $INPUT, ...)
+    - pattern: nodeFetch($URL + $INPUT, ...)
+    - pattern: |
+        axios({url: $URL + $INPUT, ...})
+    - pattern: got($URL + $INPUT, ...)
+    - pattern: undici.fetch($URL + $INPUT, ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    category: ssrf
+    precision: low
+    confidence: medium
+    references:
+      - "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
+
+# ZM-JS-SSRF-FETCH-003: got.stream / needle / superagent 对象式URL注入
+- id: zm-js-ssrf-fetch-003
+  severity: ERROR
+  message: |
+    got / superagent / needle 等 HTTP 库的对象式请求中，hostname/href/uri 字段由用户输入控制，
+    可导致SSRF攻击。
+
+    修复:
+    1. 白名单限制目标域名
+    2. 使用固定的baseURL + 相对路径模式
+    3. 禁止用户输入覆盖hostname/href/uri字段
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: "got({hostname: $REQ.query.$PARAM})"
+    - pattern: "got({hostname: $REQ.params.$PARAM})"
+    - pattern: "got({hostname: $REQ.body.$PARAM})"
+    - pattern: "got({href: $REQ.query.$PARAM})"
+    - pattern: "got({href: $REQ.params.$PARAM})"
+    - pattern: "got({uri: $REQ.query.$PARAM})"
+    - pattern: "got({uri: $REQ.params.$PARAM})"
+    - pattern: superagent($METHOD, $REQ.query.$PARAM)
+    - pattern: superagent($METHOD, $REQ.params.$PARAM)
+    - pattern: superagent($METHOD, $REQ.body.$PARAM)
+    - pattern: needle($METHOD, $REQ.query.$PARAM, ...)
+    - pattern: needle($METHOD, $REQ.params.$PARAM, ...)
+    - pattern: needle($METHOD, $REQ.body.$PARAM, ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    category: ssrf
+    precision: high
+    confidence: high
+    references:
+      - "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"

package/rules/common/zm-js-cwe918-ssrf.yaml

@@ -0,0 +1,132 @@
+# CWE-918: Node.js SSRF 服务端请求伪造检测规则
+# 逐码 ZhuMa V4.1 Sprint 2 — JS/TS 规则库
+# 覆盖: http/https native、axios、fetch/node-fetch、got、superagent、needle、undici
+
+rules:
+
+# ZM-JS-SSRF-001: HTTP库直接传入 req.query/params/body 作为URL (高精度)
+- id: zm-js-ssrf-001
+  severity: ERROR
+  message: |
+    HTTP请求库直接将 req.query / req.params / req.body 的值作为URL参数传入，
+    存在SSRF（服务端请求伪造）风险。
+
+    攻击者可控制目标URL使服务器发起对内网服务的恶意请求，绕过防火墙访问内部资源
+    (如 http://169.254.169.254/latest/meta-data/ 获取云环境元数据)。
+
+    修复:
+    1. 对用户传入的URL做白名单校验，仅允许预设的外部域名
+    2. 禁止用户输入直接决定请求目标，使用URL映射表替代
+    3. 使用SSRF保护库(如 ssrf-filter / safe-request)
+    4. 配置防火墙禁止服务器访问内网地址(169.254.0.0/16, 10.0.0.0/8, 127.0.0.0/8等)
+    5. 禁用不必要的HTTP重定向跟随
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    # Native http/https
+    - pattern: http.get($REQ.query.$PARAM, ...)
+    - pattern: http.get($REQ.params.$PARAM, ...)
+    - pattern: http.get($REQ.body.$PARAM, ...)
+    - pattern: http.request($REQ.query.$PARAM, ...)
+    - pattern: http.request($REQ.params.$PARAM, ...)
+    - pattern: http.request($REQ.body.$PARAM, ...)
+    - pattern: https.get($REQ.query.$PARAM, ...)
+    - pattern: https.get($REQ.params.$PARAM, ...)
+    - pattern: https.get($REQ.body.$PARAM, ...)
+    - pattern: https.request($REQ.query.$PARAM, ...)
+    - pattern: https.request($REQ.params.$PARAM, ...)
+    - pattern: https.request($REQ.body.$PARAM, ...)
+    # axios
+    - pattern: axios.get($REQ.query.$PARAM, ...)
+    - pattern: axios.get($REQ.params.$PARAM, ...)
+    - pattern: axios.get($REQ.body.$PARAM, ...)
+    - pattern: axios.request($REQ.query.$PARAM, ...)
+    - pattern: axios.request($REQ.params.$PARAM, ...)
+    - pattern: axios.request($REQ.body.$PARAM, ...)
+    - pattern: $AXIOS.get($REQ.query.$PARAM, ...)
+    - pattern: $AXIOS.get($REQ.params.$PARAM, ...)
+    - pattern: $AXIOS.get($REQ.body.$PARAM, ...)
+    - pattern: $AXIOS.request($REQ.query.$PARAM, ...)
+    - pattern: $AXIOS.request($REQ.params.$PARAM, ...)
+    - pattern: $AXIOS.request($REQ.body.$PARAM, ...)
+    - pattern: $AXIOS.post($REQ.query.$PARAM, ...)
+    - pattern: $AXIOS.put($REQ.query.$PARAM, ...)
+    - pattern: $AXIOS.delete($REQ.query.$PARAM, ...)
+    # fetch / node-fetch
+    - pattern: fetch($REQ.query.$PARAM, ...)
+    - pattern: fetch($REQ.params.$PARAM, ...)
+    - pattern: fetch($REQ.body.$PARAM, ...)
+    # got
+    - pattern: got($REQ.query.$PARAM, ...)
+    - pattern: got($REQ.params.$PARAM, ...)
+    - pattern: got($REQ.body.$PARAM, ...)
+    - pattern: got.get($REQ.query.$PARAM, ...)
+    - pattern: got.get($REQ.params.$PARAM, ...)
+    - pattern: got.get($REQ.body.$PARAM, ...)
+    - pattern: got.post($REQ.query.$PARAM, ...)
+    - pattern: got.put($REQ.query.$PARAM, ...)
+    # superagent
+    - pattern: superagent.get($REQ.query.$PARAM)
+    - pattern: superagent.get($REQ.params.$PARAM)
+    - pattern: superagent.get($REQ.body.$PARAM)
+    - pattern: request.get($REQ.query.$PARAM)
+    - pattern: request.get($REQ.params.$PARAM)
+    - pattern: request.get($REQ.body.$PARAM)
+    # needle
+    - pattern: needle.get($REQ.query.$PARAM, ...)
+    - pattern: needle.get($REQ.params.$PARAM, ...)
+    - pattern: needle.get($REQ.body.$PARAM, ...)
+    - pattern: needle.request('get', $REQ.query.$PARAM, ...)
+    - pattern: needle.request('get', $REQ.params.$PARAM, ...)
+    - pattern: needle.request('get', $REQ.body.$PARAM, ...)
+    # undici
+    - pattern: undici.request($REQ.query.$PARAM, ...)
+    - pattern: undici.request($REQ.params.$PARAM, ...)
+    - pattern: undici.request($REQ.body.$PARAM, ...)
+    - pattern: undici.fetch($REQ.query.$PARAM, ...)
+    - pattern: undici.fetch($REQ.params.$PARAM, ...)
+    - pattern: undici.fetch($REQ.body.$PARAM, ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    category: ssrf
+    precision: high
+    references:
+      - "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
+
+# ZM-JS-SSRF-002: HTTP库URL字符串拼接 (低精度，需人工确认)
+- id: zm-js-ssrf-002
+  severity: WARNING
+  message: |
+    HTTP请求库使用了字符串拼接或模板字符串构建请求URL，需确认拼接变量是否来自用户输入。
+    若变量可控则存在SSRF风险。
+
+    修复:
+    1. 使用 new URL() 解析目标并验证 hostname 白名单
+    2. 使用URL映射表(key->URL)替代直接拼接
+    3. 使用SSRF防护库过滤内网IP
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: http.get($URL + $INPUT, ...)
+    - pattern: http.request($URL + $INPUT, ...)
+    - pattern: https.get($URL + $INPUT, ...)
+    - pattern: https.request($URL + $INPUT, ...)
+    - pattern: $AXIOS.get($URL + $INPUT, ...)
+    - pattern: $AXIOS.request($URL + $INPUT, ...)
+    - pattern: axios.get($URL + $INPUT, ...)
+    - pattern: fetch($URL + $INPUT, ...)
+    - pattern: got($URL + $INPUT, ...)
+    - pattern: got.get($URL + $INPUT, ...)
+    - pattern: superagent.get($URL + $INPUT)
+    - pattern: needle.get($URL + $INPUT, ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    category: ssrf
+    precision: low
+    references:
+      - "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"

package/rules/common/zm-js-cwe94-template-injection.yaml

@@ -0,0 +1,130 @@
+# CWE-94: Node.js 服务端模板注入 (SSTI) 深度检测
+# 逐码 ZhuMa V4.1 Sprint — JS/TS 规则库
+# 覆盖: EJS / Vue SSR / Pug / Handlebars / doT 模板引擎 + 用户输入渲染
+
+rules:
+
+# ZM-JS-SSTI-001: EJS render/renderFile 用户输入直接传入模板数据
+- id: zm-js-ssti-001
+  severity: ERROR
+  message: |
+    检测到 EJS 模板渲染函数(ejs.render / ejs.renderFile)的模板字符串或数据参数由用户输入控制。
+    攻击者可注入 <% process.exit() %>/<%= 7*7 %>/<% require('child_process').exec('cmd') %> 等EJS标签，
+    导致远程代码执行(RCE)。
+
+    修复:
+    1. 禁止用户输入直接作为模板字符串传入渲染函数
+    2. 使用固定的模板文件和严格的白名单变量
+    3. 开启EJS delimiter 严格模式，限制标签类型
+    4. 使用沙箱环境渲染用户内容(如 vm2/isolated-vm)
+    5. 评估是否需要用模板引擎处理用户数据——大多数场景不需要
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: ejs.render($REQ.query.$PARAM, ...)
+    - pattern: ejs.render($REQ.params.$PARAM, ...)
+    - pattern: ejs.render($REQ.body.$PARAM, ...)
+    - pattern: ejs.render($REQ.body, ...)
+    - pattern: ejs.renderFile($REQ.query.$PARAM, ...)
+    - pattern: ejs.renderFile($REQ.params.$PARAM, ...)
+    - pattern: ejs.renderFile($REQ.body.$PARAM, ...)
+    - pattern: ejs.compile($REQ.query.$PARAM, ...)
+    - pattern: ejs.compile($REQ.params.$PARAM, ...)
+    - pattern: ejs.compile($REQ.body.$PARAM, ...)
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    owasp: "A03:2021 - Injection"
+    category: ssti
+    precision: high
+    confidence: high
+    references:
+      - "https://ejs.co/#docs"
+      - "https://portswigger.net/web-security/server-side-template-injection"
+
+# ZM-JS-SSTI-002: Pug / Handlebars / Nunjucks 用户输入模板渲染
+- id: zm-js-ssti-002
+  severity: ERROR
+  message: |
+    检测到 Pug / Handlebars / Nunjucks 模板引擎的 compile/render 函数接收用户可控的模板字符串。
+    各引擎支持自定义helper/函数调用，攻击者可注入恶意代码。
+
+    Pug: #{process.exit()} / each val in process.mainModule.require('child_process')
+    Handlebars: {{constructor.constructor('return process')()}}
+    Nunjucks: {{range.constructor('return process')().mainModule.require('child_process')}}
+
+    修复:
+    1. 禁止用户输入作为模板内容或模板路径
+    2. 禁用危险的 helper/过滤器注册
+    3. 对用户数据仅作为模板变量(非模板本身)传入
+    4. 使用沙箱环境
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    # Pug
+    - pattern: pug.compile($REQ.query.$PARAM, ...)
+    - pattern: pug.compile($REQ.params.$PARAM, ...)
+    - pattern: pug.compile($REQ.body.$PARAM, ...)
+    - pattern: pug.render($REQ.query.$PARAM, ...)
+    - pattern: pug.render($REQ.params.$PARAM, ...)
+    - pattern: pug.render($REQ.body.$PARAM, ...)
+    # Handlebars
+    - pattern: Handlebars.compile($REQ.query.$PARAM, ...)
+    - pattern: Handlebars.compile($REQ.params.$PARAM, ...)
+    - pattern: Handlebars.compile($REQ.body.$PARAM, ...)
+    # Nunjucks
+    - pattern: nunjucks.renderString($REQ.query.$PARAM, ...)
+    - pattern: nunjucks.renderString($REQ.params.$PARAM, ...)
+    - pattern: nunjucks.renderString($REQ.body.$PARAM, ...)
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    owasp: "A03:2021 - Injection"
+    category: ssti
+    precision: high
+    confidence: high
+    references:
+      - "https://portswigger.net/web-security/server-side-template-injection"
+
+# ZM-JS-SSTI-003: doT.js / lodash.template / mustache 模板注入
+- id: zm-js-ssti-003
+  severity: ERROR
+  message: |
+    检测到 doT.js / lodash.template / mustache 等轻量模板引擎的模板字符串由用户输入控制。
+
+    lodash.template 底层使用 Function() 构造函数，直接传入用户输入可导致任意代码执行。
+    doT.js 的 {{ }} 标签可执行 JavaScript 表达式。
+    mustache 虽相对安全(无逻辑标签)，但仍可能被利用做信息泄露。
+
+    修复:
+    1. 禁止用户输入作为模板字符串
+    2. 使用固定的预定义模板
+    3. 如需动态模板，仅允许安全的占位符替换(如简单的 String.replace)
+    4. 模板引擎仅用于开发阶段，生产环境避免动态编译
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: _.template($REQ.query.$PARAM, ...)
+    - pattern: _.template($REQ.params.$PARAM, ...)
+    - pattern: _.template($REQ.body.$PARAM, ...)
+    - pattern: lodash.template($REQ.query.$PARAM, ...)
+    - pattern: lodash.template($REQ.params.$PARAM, ...)
+    - pattern: dot.template($REQ.query.$PARAM, ...)
+    - pattern: dot.template($REQ.params.$PARAM, ...)
+    - pattern: dot.template($REQ.body.$PARAM, ...)
+    - pattern: Mustache.render($REQ.query.$PARAM, ...)
+    - pattern: Mustache.render($REQ.params.$PARAM, ...)
+    - pattern: Mustache.render($REQ.body.$PARAM, ...)
+    - pattern: mustache.render($REQ.query.$PARAM, ...)
+    - pattern: mustache.render($REQ.params.$PARAM, ...)
+    - pattern: mustache.render($REQ.body.$PARAM, ...)
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    owasp: "A03:2021 - Injection"
+    category: ssti
+    precision: high
+    confidence: high
+    references:
+      - "https://lodash.com/docs/#template"
+      - "https://portswigger.net/web-security/server-side-template-injection"

package/rules/common/zm-js-cwe942-cors.yaml

@@ -0,0 +1,49 @@
+# CWE-942: CORS 配置缺陷检测规则
+# 逐码 ZhuMa V4.1 Sprint 1
+
+rules:
+
+- id: zm-js-cors-001
+  severity: WARNING
+  message: |
+    CORS 中间件 origin 配置为 '*' 通配符，允许任意域跨域访问 API。
+    修复: 1.将origin设为白名单数组或校验函数 2.需要凭证时禁用通配符 3.尽量同域部署
+  languages:
+    - javascript
+    - typescript
+  patterns:
+    - pattern-either:
+        - pattern: 'cors({..., origin: "*", ...})'
+        - pattern: "cors({..., origin: '*', ...})"
+        - pattern: |
+            $APP.use(cors({..., origin: "*", ...}))
+        - pattern: |
+            $APP.use(cors({..., origin: '*', ...}))
+  metadata:
+    cwe: "CWE-942"
+    precision: very-high
+    category: config
+    owasp: "A05:2021 - Security Misconfiguration"
+
+- id: zm-js-cors-002
+  severity: WARNING
+  message: |
+    手动设置 Access-Control-Allow-Origin 响应头为 '*' 通配符。
+    修复: 1.限制origin为受信域名列表 2.如必须使用通配符，确保接口不返回敏感数据
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        res.setHeader('Access-Control-Allow-Origin', '*')
+    - pattern: |
+        res.setHeader("Access-Control-Allow-Origin", "*")
+    - pattern: |
+        res.header("Access-Control-Allow-Origin", "*")
+    - pattern: |
+        res.header('Access-Control-Allow-Origin', '*')
+  metadata:
+    cwe: "CWE-942"
+    precision: very-high
+    category: config
+    owasp: "A05:2021 - Security Misconfiguration"

package/rules/common/zm-js-cwe943-nosql-injection.yaml

@@ -0,0 +1,52 @@
+# CWE-943: Node.js NoSQL 注入检测规则
+# 逐码 ZhuMa V4.1 Sprint 1 — JS/TS 通用规则库
+
+rules:
+
+# ZM-JS-NSQLI-001: MongoDB find/findOne 直接传入请求体
+- id: zm-js-nosqli-001
+  severity: ERROR
+  message: |
+    检测到 MongoDB find() / findOne() / updateMany() 直接接收 req.body 或 req.query
+    作为查询条件，存在 NoSQL 注入风险。
+
+    攻击者可通过注入 $gt / $ne / $regex 等 MongoDB 操作符绕过认证逻辑，
+    例如: { username: { $gt: "" }, password: { $gt: "" } } 可绕过登录。
+
+    修复建议:
+    1. 使用 mongo-sanitize 或 express-mongo-sanitize 库过滤 $ 和 . 字符
+    2. 对用户输入做严格的类型校验（如只允许字符串，拒绝对象）
+    3. 使用 joi / zod 等 Schema 验证库，禁止传入嵌套对象
+    4. 认证场景使用 bcrypt.compare 而非直接查询
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        $COLLECTION.find($REQ.body, ...)
+    - pattern: |
+        $COLLECTION.findOne($REQ.body, ...)
+    - pattern: |
+        $COLLECTION.find($REQ.body)
+    - pattern: |
+        $COLLECTION.findOne($REQ.body)
+    - pattern: |
+        $COLLECTION.find($REQ.query, ...)
+    - pattern: |
+        $COLLECTION.findOne($REQ.query, ...)
+    - pattern: |
+        $COLLECTION.updateMany($REQ.body, ...)
+    - pattern: |
+        $COLLECTION.updateOne($REQ.body, ...)
+    - pattern: |
+        $COLLECTION.deleteMany($REQ.body, ...)
+    - pattern: |
+        $COLLECTION.deleteOne($REQ.body, ...)
+  metadata:
+    cwe: "CWE-943: Improper Neutralization of Special Elements in Data Query Logic"
+    owasp: "A03:2021 - Injection"
+    category: sql-injection
+    precision: medium
+    references:
+      - "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection"
+      - "https://www.mongodb.com/docs/manual/faq/fundamentals/#javascript"

package/rules/common/zm-js-cwe95-eval.yaml

@@ -0,0 +1,59 @@
+# CWE-95: eval() 代码注入检测规则
+# 逐码 ZhuMa V4.1 Sprint 1 — JS/TS 通用规则库
+
+rules:
+
+# ZM-JS-CI-001: eval() 动态代码执行
+- id: zm-js-ci-001
+  severity: ERROR
+  message: |
+    检测到 eval() 调用，参数为非字面量字符串。
+    eval() 会执行传入的任意 JavaScript 代码，攻击者可注入恶意代码导致
+    远程代码执行（RCE）。
+
+    修复建议:
+    1. 禁止使用 eval() 处理用户输入
+    2. JSON 数据解析使用 JSON.parse() 替代
+    3. 动态属性访问使用 obj[key] 替代 eval
+    4. 如确实需要动态执行，使用沙箱环境（如 vm2 / isolated-vm）
+  languages:
+    - javascript
+    - typescript
+  patterns:
+    - pattern: eval(...)
+    - pattern-not: eval("...")
+  metadata:
+    cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
+    owasp: "A03:2021 - Injection"
+    category: code-injection
+    precision: high
+    references:
+      - "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval"
+      - "https://owasp.org/www-community/attacks/Code_Injection"
+
+# ZM-JS-CI-002: 间接 eval 调用 (通过 globalThis / (0, eval))
+- id: zm-js-ci-002
+  severity: ERROR
+  message: |
+    检测到间接 eval() 调用（如 globalThis.eval / global.eval / (0, eval)），
+    可能被用于绕过静态检测工具。
+    
+    修复建议:
+    1. 移除所有 eval 调用，包括间接调用形式
+    2. 替代方案: Function 构造器（仍有风险）、沙箱执行或重新设计逻辑
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: globalThis.eval(...)
+    - pattern: global.eval(...)
+    - pattern: (0, eval)(...)
+    - pattern: (1, eval)(...)
+    - pattern: window.eval(...)
+  metadata:
+    cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
+    owasp: "A03:2021 - Injection"
+    category: code-injection
+    precision: high
+    references:
+      - "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#direct_and_indirect_eval"