@zhuma4/cli 4.0.0-alpha.1

package/rules/common/zm-js-cwe95-function-ctor.yaml

@@ -0,0 +1,31 @@
+# CWE-95: Function 构造函数代码注入检测规则
+# 逐码 ZhuMa V4.1 Sprint 1 — JS/TS 通用规则库
+
+rules:
+
+# ZM-JS-CI-003: new Function() 动态构造可执行代码
+- id: zm-js-ci-003
+  severity: WARNING
+  message: |
+    检测到使用 Function 构造函数动态创建函数。
+    new Function(arg) 会将字符串参数编译为可执行代码，行为类似 eval()，
+    存在代码注入风险。
+
+    修复建议:
+    1. 禁止使用 Function 构造函数处理用户输入
+    2. 替代方案: 使用闭包、高阶函数或策略模式替代动态代码生成
+    3. 如需动态执行，使用沙箱环境（vm2 / isolated-vm / WebAssembly）
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: new Function(...)
+    - pattern: Function(...)
+  metadata:
+    cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
+    owasp: "A03:2021 - Injection"
+    category: code-injection
+    precision: high
+    references:
+      - "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function"
+      - "https://owasp.org/www-community/attacks/Code_Injection"

package/rules/common/zm-py-cwe22-path-traversal.yaml

@@ -0,0 +1,86 @@
+# CWE-22: Python 路径穿越检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: os.path.join(userInput) / open(userInput) / Path(userInput) / tarfile.extractall 用户输入路径穿越
+
+rules:
+
+# ZM-PY-PT-01: os.path.join() / open() 参数来自 request
+- id: zm-py-path-traversal-001
+  severity: ERROR
+  message: |
+    检测到 os.path.join() / open() 参数来自 HTTP 请求。
+    攻击者可构造 ../ 遍历目录读取任意文件（如 /etc/passwd 或配置文件）。
+    修复: 使用 os.path.realpath() 规范化路径后校验前缀；禁止直接拼接用户输入到文件路径。
+  languages:
+    - python
+  pattern-either:
+    - pattern: open(request.args.get(...), ...)
+    - pattern: open(request.form.get(...), ...)
+    - pattern: open(request.values.get(...), ...)
+    - pattern: open(request.data, ...)
+    - pattern: os.path.join($BASE, request.args.get(...))
+    - pattern: os.path.join($BASE, request.form.get(...))
+    - pattern: os.path.join($BASE, request.values.get(...))
+    - pattern: os.path.join(request.args.get(...), ...)
+    - pattern: os.path.join(request.form.get(...), ...)
+    - pattern: os.path.join(request.values.get(...), ...)
+    - pattern: open($BASE + request.args.get(...), ...)
+    - pattern: open($BASE + request.form.get(...), ...)
+    - pattern: open(f"...{request.args.get(...)}...", ...)
+    - pattern: open(f"...{request.form.get(...)}...", ...)
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)"
+    severity: ERROR
+    precision: high
+    category: path-traversal
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A01:2021 - Broken Access Control"
+
+# ZM-PY-PT-02: pathlib.Path() 参数来自 request
+- id: zm-py-path-traversal-002
+  severity: ERROR
+  message: |
+    检测到 pathlib.Path() 参数来自 HTTP 请求。
+    攻击者可通过 Path(userInput).read_text() 读取任意文件。
+    修复: 校验路径前缀；使用白名单限制可访问目录。
+  languages:
+    - python
+  pattern-either:
+    - pattern: Path(request.args.get(...))
+    - pattern: Path(request.form.get(...))
+    - pattern: Path(request.values.get(...))
+    - pattern: Path(request.data)
+    - pattern: pathlib.Path(request.args.get(...))
+    - pattern: pathlib.Path(request.form.get(...))
+    - pattern: pathlib.Path(request.values.get(...))
+    - pattern: pathlib.Path(request.data)
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)"
+    severity: ERROR
+    precision: high
+    category: path-traversal
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A01:2021 - Broken Access Control"
+
+# ZM-PY-PT-03: tarfile.extractall 未校验路径
+- id: zm-py-path-traversal-003
+  severity: WARNING
+  message: |
+    检测到 tarfile.extractall() 解压用户上传的 tar 包，可能触发 Zip Slip 路径穿越。
+    攻击者可在 tar 包中嵌入包含 ../ 的文件名，解压时覆盖系统文件。
+    修复: 对每个成员调用 os.path.realpath() 校验路径在目标目录内；使用 tarfile.extractall(members=filtered)。
+  languages:
+    - python
+  pattern-either:
+    - pattern: $T.extractall(...)
+    - pattern: tarfile.open(...).extractall(...)
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)"
+    severity: WARNING
+    precision: very-high
+    category: path-traversal
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"

package/rules/common/zm-py-cwe327-weak-crypto.yaml

@@ -0,0 +1,103 @@
+# CWE-327: Python 弱加密算法检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: hashlib.md5 / hashlib.sha1 / Crypto.Cipher.DES / AES-ECB 模式
+
+rules:
+
+# ZM-PY-WCR-01: hashlib.md5 / hashlib.sha1 弱哈希
+- id: zm-py-weak-crypto-001
+  severity: WARNING
+  message: |
+    检测到使用 hashlib.md5() / hashlib.sha1() 弱哈希算法。
+    MD5 和 SHA-1 已被证明存在碰撞攻击，不应用于安全场景（密码存储/数字签名/完整性校验）。
+    修复: 密码存储使用 bcrypt/scrypt/argon2；完整性校验使用 hashlib.sha256() 或 hashlib.sha512()。
+  languages:
+    - python
+  pattern-either:
+    - pattern: hashlib.md5(...)
+    - pattern: hashlib.sha1(...)
+    - pattern: hashlib.md5()
+    - pattern: hashlib.sha1()
+  metadata:
+    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+    severity: WARNING
+    precision: very-high
+    category: weak-crypto
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+
+# ZM-PY-WCR-02: Crypto.Cipher.DES / Blowfish 弱对称加密
+- id: zm-py-weak-crypto-002
+  severity: ERROR
+  message: |
+    检测到使用 Crypto.Cipher.DES / Blowfish 弱对称加密算法。
+    DES 密钥仅 56 位可被暴力破解；Blowfish 64 位块大小存在 Sweet32 攻击风险。
+    修复: 使用 Crypto.Cipher.AES (GCM 模式) 或 ChaCha20-Poly1305 替代。
+  languages:
+    - python
+  pattern-either:
+    - pattern: Crypto.Cipher.DES.new(...)
+    - pattern: Crypto.Cipher.DES3.new(...)
+    - pattern: Crypto.Cipher.Blowfish.new(...)
+    - pattern: Crypto.Cipher.ARC2.new(...)
+    - pattern: Crypto.Cipher.ARC4.new(...)
+    - pattern: Cryptodome.Cipher.DES.new(...)
+    - pattern: Cryptodome.Cipher.DES3.new(...)
+    - pattern: Cryptodome.Cipher.Blowfish.new(...)
+    - pattern: Cryptodome.Cipher.ARC4.new(...)
+  metadata:
+    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+    severity: ERROR
+    precision: very-high
+    category: weak-crypto
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A02:2021 - Cryptographic Failures"
+
+# ZM-PY-WCR-03: AES ECB 模式（不安全块加密模式）
+- id: zm-py-weak-crypto-003
+  severity: ERROR
+  message: |
+    检测到 AES 使用 ECB（电子密码本）模式加密。
+    ECB 模式相同明文块产生相同密文块，可被模式分析攻击还原明文。
+    修复: 使用 AES-GCM（带认证加密）或 AES-CBC + HMAC 替代 ECB 模式。
+  languages:
+    - python
+  pattern-either:
+    - pattern: AES.new($KEY, AES.MODE_ECB)
+    - pattern: AES.new($KEY, AES.MODE_ECB, ...)
+    - pattern: Crypto.Cipher.AES.new($KEY, Crypto.Cipher.AES.MODE_ECB)
+    - pattern: Crypto.Cipher.AES.new($KEY, Crypto.Cipher.AES.MODE_ECB, ...)
+  metadata:
+    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+    severity: ERROR
+    precision: very-high
+    category: weak-crypto
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A02:2021 - Cryptographic Failures"
+
+# ZM-PY-WCR-04: random 模块用于安全场景
+- id: zm-py-weak-crypto-004
+  severity: WARNING
+  message: |
+    检测到使用 random 模块生成安全相关值（token/session ID/密码/密钥）。
+    random 模块使用 Mersenne Twister 伪随机算法，可被预测。
+    修复: 使用 secrets 模块 (Python 3.6+) 或 os.urandom() 生成密码学安全随机数。
+  languages:
+    - python
+  pattern-either:
+    - pattern: random.randint(..., ...)
+    - pattern: random.choice(...)
+    - pattern: random.random()
+    - pattern: random.randrange(..., ...)
+    - pattern: random.getrandbits(...)
+  metadata:
+    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+    severity: WARNING
+    precision: very-high
+    category: weak-crypto
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"

package/rules/common/zm-py-cwe502-pickle.yaml

@@ -0,0 +1,92 @@
+# CWE-502: Python Pickle/UnsafeLoader 反序列化 RCE 检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: pickle.loads / yaml.load(UnsafeLoader) / cPickle 用户输入反序列化
+
+rules:
+
+# ZM-PY-PICKLE-01: pickle.loads() 参数来自 request
+- id: zm-py-pickle-001
+  severity: ERROR
+  message: |
+    检测到 pickle.loads() 参数来自 HTTP 请求。
+    pickle 反序列化用户可控数据可触发任意代码执行（RCE）。
+    修复: 禁止反序列化用户输入；使用 JSON 等安全格式替代 pickle。
+  languages:
+    - python
+  pattern-either:
+    - pattern: pickle.loads(request.args.get(...))
+    - pattern: pickle.loads(request.form.get(...))
+    - pattern: pickle.loads(request.values.get(...))
+    - pattern: pickle.loads(request.data)
+    - pattern: pickle.loads(request.get_json().get(...))
+    - pattern: pickle.loads(request.json.get(...))
+    - pattern: pickle.loads(request.get_data())
+    - pattern: pickle.load(request.args.get(...))
+    - pattern: pickle.load(request.form.get(...))
+    - pattern: pickle.load(request.data)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+
+# ZM-PY-PICKLE-02: yaml.load() 使用 UnsafeLoader
+- id: zm-py-pickle-002
+  severity: ERROR
+  message: |
+    检测到 yaml.load() 使用 UnsafeLoader/Loader 且数据来自 HTTP 请求。
+    PyYAML 的 Loader 可构造 !!python/object 标签实现 RCE。
+    修复: 使用 yaml.safe_load() 替代 yaml.load()；或使用 FullLoader 仅限标准类型。
+  languages:
+    - python
+  pattern-either:
+    - pattern: yaml.load(request.args.get(...), Loader=yaml.Loader)
+    - pattern: yaml.load(request.form.get(...), Loader=yaml.Loader)
+    - pattern: yaml.load(request.values.get(...), Loader=yaml.Loader)
+    - pattern: yaml.load(request.data, Loader=yaml.Loader)
+    - pattern: yaml.load(request.args.get(...), yaml.Loader)
+    - pattern: yaml.load(request.form.get(...), yaml.Loader)
+    - pattern: yaml.load(request.data, yaml.Loader)
+    - pattern: yaml.load(request.args.get(...), Loader=yaml.UnsafeLoader)
+    - pattern: yaml.load(request.form.get(...), Loader=yaml.UnsafeLoader)
+    - pattern: yaml.load(request.data, Loader=yaml.UnsafeLoader)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+
+# ZM-PY-PICKLE-03: cPickle/_pickle 反序列化用户输入
+- id: zm-py-pickle-003
+  severity: ERROR
+  message: |
+    检测到 cPickle/_pickle.loads() 参数来自 HTTP 请求。
+    cPickle 是 C 实现的 pickle 模块，反序列化用户数据可导致 RCE。
+    修复: 使用 JSON/MessagePack 替代；禁止反序列化用户输入。
+  languages:
+    - python
+  pattern-either:
+    - pattern: cPickle.loads(request.args.get(...))
+    - pattern: cPickle.loads(request.form.get(...))
+    - pattern: cPickle.loads(request.values.get(...))
+    - pattern: cPickle.loads(request.data)
+    - pattern: cPickle.load(request.args.get(...))
+    - pattern: cPickle.load(request.form.get(...))
+    - pattern: cPickle.load(request.data)
+    - pattern: _pickle.loads(request.args.get(...))
+    - pattern: _pickle.loads(request.form.get(...))
+    - pattern: _pickle.loads(request.data)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: ERROR
+    precision: high
+    category: deserialization
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A08:2021 - Software and Data Integrity Failures"

package/rules/common/zm-py-cwe611-xxe.yaml

@@ -0,0 +1,100 @@
+# CWE-611: Python XML 外部实体注入 (XXE) 检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: lxml.etree.parse(userInput) 未禁用 resolve_entities / xml.sax.parse / defusedxml 未使用
+
+rules:
+
+# ZM-PY-XXE-01: lxml.etree.parse() 用户输入未禁用 resolve_entities
+- id: zm-py-xxe-001
+  severity: ERROR
+  message: |
+    检测到 lxml.etree.parse() / fromstring() 解析来自 HTTP 请求的 XML 未禁用实体解析。
+    攻击者可构造 XXE payload 读取本地文件（/etc/passwd）、SSRF 内网探测或 DoS（Billion Laughs）。
+    修复: 使用 defusedxml 替代标准 XML 解析；或 lxml 设置 resolve_entities=False, no_network=True。
+  languages:
+    - python
+  pattern-either:
+    - pattern: lxml.etree.parse(request.args.get(...))
+    - pattern: lxml.etree.parse(request.form.get(...))
+    - pattern: lxml.etree.parse(request.values.get(...))
+    - pattern: lxml.etree.parse(request.data)
+    - pattern: lxml.etree.fromstring(request.args.get(...))
+    - pattern: lxml.etree.fromstring(request.form.get(...))
+    - pattern: lxml.etree.fromstring(request.values.get(...))
+    - pattern: lxml.etree.fromstring(request.data)
+    - pattern: lxml.etree.XML(request.args.get(...))
+    - pattern: lxml.etree.XML(request.form.get(...))
+    - pattern: lxml.etree.XML(request.values.get(...))
+    - pattern: lxml.etree.XML(request.data)
+    - pattern: lxml.etree.iterparse(request.args.get(...))
+    - pattern: lxml.etree.iterparse(request.form.get(...))
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A05:2021 - Security Misconfiguration"
+
+# ZM-PY-XXE-02: xml.etree.ElementTree / xml.sax / xml.dom 解析用户输入
+- id: zm-py-xxe-002
+  severity: ERROR
+  message: |
+    检测到标准库 xml 模块（ElementTree / sax / dom / parsers）解析来自 HTTP 请求的 XML。
+    Python 标准 XML 解析器默认启用外部实体解析，存在 XXE 漏洞。
+    修复: 使用 defusedxml.ElementTree / defusedxml.sax / defusedxml.minidom 替代标准库。
+  languages:
+    - python
+  pattern-either:
+    - pattern: xml.etree.ElementTree.parse(request.args.get(...))
+    - pattern: xml.etree.ElementTree.parse(request.form.get(...))
+    - pattern: xml.etree.ElementTree.parse(request.data)
+    - pattern: xml.etree.ElementTree.fromstring(request.args.get(...))
+    - pattern: xml.etree.ElementTree.fromstring(request.form.get(...))
+    - pattern: xml.etree.ElementTree.fromstring(request.data)
+    - pattern: xml.etree.ElementTree.XML(request.args.get(...))
+    - pattern: xml.etree.ElementTree.XML(request.form.get(...))
+    - pattern: xml.etree.ElementTree.XML(request.data)
+    - pattern: xml.sax.parseString(request.args.get(...), ...)
+    - pattern: xml.sax.parseString(request.form.get(...), ...)
+    - pattern: xml.sax.parseString(request.data, ...)
+    - pattern: xml.sax.parse(request.args.get(...), ...)
+    - pattern: xml.sax.parse(request.form.get(...), ...)
+    - pattern: xml.dom.minidom.parse(request.args.get(...))
+    - pattern: xml.dom.minidom.parse(request.form.get(...))
+    - pattern: xml.dom.minidom.parseString(request.args.get(...))
+    - pattern: xml.dom.minidom.parseString(request.form.get(...))
+    - pattern: xml.dom.pulldom.parse(request.args.get(...))
+    - pattern: xml.dom.pulldom.parse(request.form.get(...))
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: ERROR
+    precision: high
+    category: xxe
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A05:2021 - Security Misconfiguration"
+
+# ZM-PY-XXE-03: lxml.etree.parse 使用解析器但未禁用 resolve_entities
+- id: zm-py-xxe-003
+  severity: WARNING
+  message: |
+    检测到 lxml.etree.parse() 创建了自定义解析器但可能未禁用 resolve_entities。
+    lxml 默认解析器启用实体解析，需显式设置 resolve_entities=False。
+    修复: 使用 etree.XMLParser(resolve_entities=False, no_network=True) 创建安全解析器。
+  languages:
+    - python
+  pattern-either:
+    - pattern: etree.XMLParser()
+    - pattern: etree.XMLParser(..., load_dtd=True, ...)
+    - pattern: etree.XMLParser(..., dtd_validation=True, ...)
+    - pattern: etree.iterparse($STREAM, events=...)
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    severity: WARNING
+    precision: medium
+    category: xxe
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A05:2021 - Security Misconfiguration"

package/rules/common/zm-py-cwe78-command-injection.yaml

@@ -0,0 +1,121 @@
+# CWE-78: Python 命令注入检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: os.system / os.popen / subprocess.call(shell=True) / subprocess.Popen(shell=True) 用户输入注入
+
+rules:
+
+# ZM-PY-CMD-01: os.system() / os.popen() 参数来自 request
+- id: zm-py-command-injection-001
+  severity: ERROR
+  message: |
+    检测到 os.system() / os.popen() 参数来自 HTTP 请求。
+    攻击者可注入恶意命令实现任意代码执行（RCE）。
+    修复: 使用 subprocess.run([cmd, arg1, arg2]) 参数数组形式，禁止 shell 拼接用户输入。
+  languages:
+    - python
+  pattern-either:
+    - pattern: os.system(request.args.get(...))
+    - pattern: os.system(request.form.get(...))
+    - pattern: os.system(request.values.get(...))
+    - pattern: os.system(request.data)
+    - pattern: os.system($CMD + request.args.get(...))
+    - pattern: os.system($CMD + request.form.get(...))
+    - pattern: os.system(f"...{request.args.get(...)}...")
+    - pattern: os.system(f"...{request.form.get(...)}...")
+    - pattern: os.popen(request.args.get(...))
+    - pattern: os.popen(request.form.get(...))
+    - pattern: os.popen(request.values.get(...))
+    - pattern: os.popen(request.data)
+    - pattern: os.popen($CMD + request.args.get(...))
+    - pattern: os.popen($CMD + request.form.get(...))
+    - pattern: os.popen(f"...{request.args.get(...)}...")
+    - pattern: os.popen(f"...{request.form.get(...)}...")
+  metadata:
+    cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)"
+    severity: ERROR
+    precision: high
+    category: command-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-PY-CMD-02: subprocess 系列 shell=True + 用户输入
+- id: zm-py-command-injection-002
+  severity: ERROR
+  message: |
+    检测到 subprocess.call/run/Popen 使用 shell=True 且参数来自 HTTP 请求。
+    shell=True 时字符串参数经 shell 解析，攻击者可注入任意命令。
+    修复: 移除 shell=True；使用 args=['cmd', 'arg1', 'arg2'] 参数数组形式。
+  languages:
+    - python
+  pattern-either:
+    - pattern: subprocess.call(request.args.get(...), shell=True)
+    - pattern: subprocess.call(request.form.get(...), shell=True)
+    - pattern: subprocess.call(request.values.get(...), shell=True)
+    - pattern: subprocess.call($CMD + request.args.get(...), shell=True)
+    - pattern: subprocess.call($CMD + request.form.get(...), shell=True)
+    - pattern: subprocess.call(f"...{request.args.get(...)}...", shell=True)
+    - pattern: subprocess.Popen(request.args.get(...), shell=True)
+    - pattern: subprocess.Popen(request.form.get(...), shell=True)
+    - pattern: subprocess.Popen(request.values.get(...), shell=True)
+    - pattern: subprocess.Popen($CMD + request.args.get(...), shell=True)
+    - pattern: subprocess.Popen($CMD + request.form.get(...), shell=True)
+    - pattern: subprocess.Popen(f"...{request.args.get(...)}...", shell=True)
+    - pattern: subprocess.run(request.args.get(...), shell=True)
+    - pattern: subprocess.run(request.form.get(...), shell=True)
+    - pattern: subprocess.run($CMD + request.args.get(...), shell=True)
+    - pattern: subprocess.run($CMD + request.form.get(...), shell=True)
+    - pattern: subprocess.run(f"...{request.args.get(...)}...", shell=True)
+  metadata:
+    cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)"
+    severity: ERROR
+    precision: high
+    category: command-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-PY-CMD-03: shell=True 赋值为变量 + 用户输入拼接
+- id: zm-py-command-injection-003
+  severity: WARNING
+  message: |
+    检测到命令字符串由用户输入拼接后传入 subprocess 执行（shell=True）。
+    通过变量传递后执行同样存在命令注入风险。
+    修复: 使用 args=['cmd', 'arg1'] 数组传参，不使用 shell=True。
+  languages:
+    - python
+  pattern: |
+    $CMD = $STRING + request.$ATTR.get(...)
+    ...
+    subprocess.$FUNC($CMD, shell=True)
+  metadata:
+    cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)"
+    severity: WARNING
+    precision: medium
+    category: command-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-PY-CMD-04: commands.getoutput / commands.getstatusoutput 遗留危险函数
+- id: zm-py-command-injection-004
+  severity: ERROR
+  message: |
+    检测到 commands.getoutput() / getstatusoutput() 参数来自 HTTP 请求。
+    该模块在 Python 3 中已弃用但仍存在于 Python 2 遗留代码中，存在命令注入风险。
+    修复: 迁移至 subprocess.run(['cmd', 'arg']) 参数数组形式。
+  languages:
+    - python
+  pattern-either:
+    - pattern: commands.getoutput(request.args.get(...))
+    - pattern: commands.getoutput(request.form.get(...))
+    - pattern: commands.getstatusoutput(request.args.get(...))
+    - pattern: commands.getstatusoutput(request.form.get(...))
+  metadata:
+    cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)"
+    severity: ERROR
+    precision: high
+    category: command-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/common/zm-py-cwe79-xss.yaml

@@ -0,0 +1,123 @@
+# CWE-79: Django/Flask XSS 跨站脚本检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: mark_safe / render_template + userInput / HttpResponse(userInput) / json.dumps+isSafe
+
+rules:
+
+# ZM-PY-XSS-01: mark_safe / SafeString 包装用户输入
+- id: zm-py-xss-001
+  severity: ERROR
+  message: |
+    检测到 django.utils.safestring.mark_safe() 包装来自 HTTP 请求的用户输入。
+    mark_safe() 会绕过 Django 自动 HTML 转义，导致 XSS 攻击。
+    修复: 移除 mark_safe() 包装使用默认自动转义；如确需 HTML 渲染使用 bleach 库白名单过滤。
+  languages:
+    - python
+  pattern-either:
+    - pattern: mark_safe(request.args.get(...))
+    - pattern: mark_safe(request.form.get(...))
+    - pattern: mark_safe(request.values.get(...))
+    - pattern: mark_safe(request.POST.get(...))
+    - pattern: mark_safe(request.GET.get(...))
+    - pattern: mark_safe(request.data)
+    - pattern: django.utils.safestring.mark_safe(request.args.get(...))
+    - pattern: django.utils.safestring.mark_safe(request.form.get(...))
+    - pattern: django.utils.safestring.mark_safe(request.POST.get(...))
+    - pattern: django.utils.safestring.mark_safe(request.GET.get(...))
+    - pattern: SafeString(request.args.get(...))
+    - pattern: SafeString(request.form.get(...))
+    - pattern: SafeString(request.POST.get(...))
+    - pattern: SafeText(request.args.get(...))
+    - pattern: SafeText(request.form.get(...))
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)"
+    severity: ERROR
+    precision: high
+    category: xss
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+
+# ZM-PY-XSS-02: HttpResponse() / render() 直接输出用户输入
+- id: zm-py-xss-002
+  severity: WARNING
+  message: |
+    检测到 HttpResponse() 直接写入用户输入，或 render() 模板变量直接嵌入用户输入。
+    Django 默认自动转义模板变量，但 HttpResponse 直接输出不会转义。
+    修复: HttpResponse 中使用 html.escape() 转义；render() 中避免使用 |safe 过滤器。
+  languages:
+    - python
+  pattern-either:
+    - pattern: HttpResponse(request.args.get(...))
+    - pattern: HttpResponse(request.form.get(...))
+    - pattern: HttpResponse(request.POST.get(...))
+    - pattern: HttpResponse(request.GET.get(...))
+    - pattern: HttpResponse(request.data)
+    - pattern: HttpResponse(f"...{request.args.get(...)}...")
+    - pattern: HttpResponse(f"...{request.form.get(...)}...")
+    - pattern: HttpResponse($STR + request.args.get(...))
+    - pattern: HttpResponse($STR + request.form.get(...))
+    - pattern: django.http.HttpResponse(request.args.get(...))
+    - pattern: django.http.HttpResponse(request.form.get(...))
+    - pattern: django.http.HttpResponse(request.POST.get(...))
+    - pattern: django.http.HttpResponse(request.GET.get(...))
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)"
+    severity: WARNING
+    precision: medium
+    category: xss
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+
+# ZM-PY-XSS-03: render_template 变量中含用户输入未转义
+- id: zm-py-xss-003
+  severity: WARNING
+  message: |
+    检测到 render_template() 模板变量直接来自 HTTP 请求。
+    Jinja2 默认自动转义 HTML，但若模板中使用了 |safe 过滤器或 {% autoescape false %}，则存在 XSS 风险。
+    修复: 避免模板中使用 |safe 过滤器标记用户输入；使用 bleach 库做白名单 HTML 清理。
+  languages:
+    - python
+  pattern-either:
+    - pattern: flask.render_template($TEMPLATE, $VAR=request.args.get(...))
+    - pattern: flask.render_template($TEMPLATE, $VAR=request.form.get(...))
+    - pattern: flask.render_template($TEMPLATE, $VAR=request.values.get(...))
+    - pattern: render_template($TEMPLATE, $VAR=request.args.get(...))
+    - pattern: render_template($TEMPLATE, $VAR=request.form.get(...))
+    - pattern: render_template($TEMPLATE, $VAR=request.values.get(...))
+    - pattern: 'django.shortcuts.render(request, $TEMPLATE, {$VAR: request.GET.get(...)})'
+    - pattern: 'django.shortcuts.render(request, $TEMPLATE, {$VAR: request.POST.get(...)})'
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)"
+    severity: WARNING
+    precision: medium
+    category: xss
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+
+# ZM-PY-XSS-04: JsonResponse 不安全的 JSON 序列化
+- id: zm-py-xss-004
+  severity: WARNING
+  message: |
+    检测到 JsonResponse / json.dumps 输出用户输入，且未正确设置 Content-Type 或已禁用转义。
+    Django JsonResponse 默认 safe=True 仅允许 dict；若 safe=False 传入含 HTML 的用户输入可导致 DOM XSS。
+    修复: 对用户输入做 HTML 转义后再放入 JSON；避免 safe=False 传入非 dict 类型。
+  languages:
+    - python
+  pattern-either:
+    - pattern: 'JsonResponse({"$KEY": request.args.get(...)}, safe=False)'
+    - pattern: 'JsonResponse({"$KEY": request.form.get(...)}, safe=False)'
+    - pattern: 'JsonResponse({"$KEY": request.POST.get(...)}, safe=False)'
+    - pattern: 'JsonResponse({"$KEY": request.GET.get(...)}, safe=False)'
+    - pattern: 'json.dumps({"$KEY": request.args.get(...)})'
+    - pattern: 'json.dumps({"$KEY": request.form.get(...)})'
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)"
+    severity: WARNING
+    precision: medium
+    category: xss
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A03:2021 - Injection"