@zhuma4/cli 4.0.0-alpha.1

package/rules/common/zm-py-cwe798-hardcoded-creds.yaml

@@ -0,0 +1,86 @@
+# CWE-798: Python 硬编码凭证检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: 硬编码 API_KEY / password / token / secret / database URL 含凭证
+
+rules:
+
+# ZM-PY-HC-01: 硬编码 API_KEY / SECRET_KEY / TOKEN / PASSWORD
+- id: zm-py-hardcoded-creds-001
+  severity: ERROR
+  message: |
+    检测到变量赋值中硬编码了 API_KEY / SECRET_KEY / TOKEN / PASSWORD 等凭证字符串。
+    凭证泄露到代码仓库后攻击者可获取数据库/云服务/第三方 API 访问权限。
+    修复: 使用环境变量 os.environ.get("KEY") 或密钥管理服务（Vault/AWS Secrets Manager）存储凭证。
+  languages:
+    - python
+  patterns:
+    - pattern: $VAR = "..."
+    - metavariable-regex:
+        metavariable: $VAR
+        regex: ^(API_KEY|API_SECRET|SECRET_KEY|SECRET|TOKEN|PASSWORD|PASSWD|DB_PASSWORD|REDIS_PASSWORD|AWS_SECRET|AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|ACCESS_KEY|ACCESS_KEY_ID|PRIVATE_KEY|AUTH_TOKEN|CLIENT_SECRET|APP_SECRET)$
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: high
+    category: hardcoded-credentials
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+
+# ZM-PY-HC-02: 硬编码 Database URL 含凭证
+- id: zm-py-hardcoded-creds-002
+  severity: ERROR
+  message: |
+    检测到硬编码的数据库连接字符串包含用户名密码（如 mysql://user:pass@host/db）。
+    DB 凭证泄露到代码仓库可导致数据库遭未授权访问或数据泄露。
+    修复: 使用环境变量或配置中心存储 DB 连接字符串；代码中仅引用变量名。
+  languages:
+    - python
+  pattern-either:
+    - pattern: |
+        $DATABASE_URL = "mysql://...:...@..."
+    - pattern: |
+        $DATABASE_URL = "postgresql://...:...@..."
+    - pattern: |
+        $DATABASE_URL = "mongodb://...:...@..."
+    - pattern: |
+        $DATABASE_URL = "redis://...:...@..."
+    - pattern: |
+        $DB_URL = "mysql://...:...@..."
+    - pattern: |
+        $DB_URL = "postgresql://...:...@..."
+    - pattern: |
+        $SQLALCHEMY_DATABASE_URI = "mysql://...:...@..."
+    - pattern: |
+        $SQLALCHEMY_DATABASE_URI = "postgresql://...:...@..."
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: medium
+    category: hardcoded-credentials
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+
+# ZM-PY-HC-03: 硬编码 JWT_SECRET / 加密密钥
+- id: zm-py-hardcoded-creds-003
+  severity: ERROR
+  message: |
+    检测到硬编码的 JWT_SECRET / ENCRYPTION_KEY 等加密密钥。
+    密钥泄露后攻击者可伪造 JWT Token 或解密敏感数据。
+    修复: 通过环境变量或密钥管理服务注入密钥；定期轮换密钥。
+  languages:
+    - python
+  patterns:
+    - pattern: $VAR = "..."
+    - metavariable-regex:
+        metavariable: $VAR
+        regex: ^(JWT_SECRET|JWT_SECRET_KEY|ENCRYPTION_KEY|FERNET_KEY|AES_KEY|SECRET_KEY_BASE|SECRET_KEY|DJANGO_SECRET_KEY|FLASK_SECRET_KEY)$
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: high
+    category: hardcoded-credentials
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"

package/rules/common/zm-py-cwe89-sqli.yaml

@@ -0,0 +1,59 @@
+# CWE-89: Django SQL 注入检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: raw() SQL拼接 / cursor.execute() 字符串格式化注入
+
+rules:
+
+# ZM-PY-DJANGO-SQLI-01: Model.objects.raw() SQL 字符串拼接用户输入
+- id: zm-py-django-sqli-001
+  severity: ERROR
+  message: |
+    检测到 raw() 中使用格式化拼接用户输入，可导致 SQL 注入。
+    攻击者可通过构造恶意参数绕过查询逻辑或拖取数据库。
+    修复: 使用 .objects.filter(**kwargs) 或 raw() + params=[] 参数化查询。
+  languages:
+    - python
+  pattern-either:
+    - pattern: $M.objects.raw($SQL % request)
+    - pattern: $M.objects.raw($SQL.format(request))
+    - pattern: $M.objects.raw($SQL + request)
+    - pattern: $M.objects.raw(f"...{request.$ATTR}...")
+    - pattern: $M.objects.raw("..." % request)
+    - pattern: $M.objects.raw("...".format(request))
+    - pattern: $M.objects.raw("..." + request)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: ERROR
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-PY-DJANGO-SQLI-02: cursor.execute() 字符串格式化注入
+- id: zm-py-django-sqli-002
+  severity: ERROR
+  message: |
+    检测到 cursor.execute() 使用 %s/.format()/f-string 拼接 SQL，可导致 SQL 注入。
+    攻击者可注入 UNION SELECT、--注释等绕过认证或窃取数据。
+    修复: 使用参数化查询 cursor.execute("SELECT ... WHERE id=%s", [param])。
+  languages:
+    - python
+  pattern-either:
+    - pattern: $C.execute("..." % request)
+    - pattern: $C.execute("...".format(request))
+    - pattern: $C.execute("..." + request)
+    - pattern: $C.execute($SQL % request)
+    - pattern: $C.execute($SQL.format(request))
+    - pattern: $C.execute($SQL + request)
+    - pattern: $C.execute(f"...{request.$ATTR}...")
+    - pattern: $C.executemany("..." % request)
+    - pattern: $C.executemany("...".format(request))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: ERROR
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/common/zm-py-cwe918-ssrf.yaml

@@ -0,0 +1,123 @@
+# CWE-918: Python SSRF 服务端请求伪造检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: requests.get(userInput) / urllib.request.urlopen(userInput) / httpx.get(userInput)
+
+rules:
+
+# ZM-PY-SSRF-01: requests.get/post/put/head 参数来自 request
+- id: zm-py-ssrf-001
+  severity: ERROR
+  message: |
+    检测到 requests.get/post/put/head 等方法的 URL 参数来自 HTTP 请求。
+    攻击者可构造内网地址（如 http://169.254.169.254/latest/meta-data/）访问云元数据服务或内网服务。
+    修复: 对用户输入的 URL 做白名单校验（协议/域名/IP）；禁用内网 IP 段（10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16）。
+  languages:
+    - python
+  pattern-either:
+    - pattern: requests.get(request.args.get(...))
+    - pattern: requests.get(request.form.get(...))
+    - pattern: requests.get(request.values.get(...))
+    - pattern: requests.get(request.data)
+    - pattern: requests.get(request.json.get(...))
+    - pattern: requests.post(request.args.get(...))
+    - pattern: requests.post(request.form.get(...))
+    - pattern: requests.post(request.values.get(...))
+    - pattern: requests.post(request.data)
+    - pattern: requests.put(request.args.get(...))
+    - pattern: requests.put(request.form.get(...))
+    - pattern: requests.head(request.args.get(...))
+    - pattern: requests.head(request.form.get(...))
+    - pattern: requests.request($METHOD, request.args.get(...))
+    - pattern: requests.request($METHOD, request.form.get(...))
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A10:2021 - Server-Side Request Forgery"
+
+# ZM-PY-SSRF-02: urllib.request.urlopen() 参数来自 request
+- id: zm-py-ssrf-002
+  severity: ERROR
+  message: |
+    检测到 urllib.request.urlopen() / urlretrieve() 的 URL 参数来自 HTTP 请求。
+    urllib 同样支持 file:// 协议，攻击者可读取本地文件。
+    修复: 使用 urllib.parse.urlparse() 解析 URL 后做协议和主机白名单校验。
+  languages:
+    - python
+  pattern-either:
+    - pattern: urllib.request.urlopen(request.args.get(...))
+    - pattern: urllib.request.urlopen(request.form.get(...))
+    - pattern: urllib.request.urlopen(request.values.get(...))
+    - pattern: urllib.request.urlopen(request.data)
+    - pattern: urllib.request.urlretrieve(request.args.get(...), ...)
+    - pattern: urllib.request.urlretrieve(request.form.get(...), ...)
+    - pattern: urllib.request.urlopen($BASE + request.args.get(...))
+    - pattern: urllib.request.urlopen($BASE + request.form.get(...))
+    - pattern: urllib.request.urlopen(f"...{request.args.get(...)}...")
+    - pattern: urllib.request.urlopen(f"...{request.form.get(...)}...")
+    - pattern: urllib.urlopen(request.args.get(...))
+    - pattern: urllib.urlopen(request.form.get(...))
+    - pattern: urllib2.urlopen(request.args.get(...))
+    - pattern: urllib2.urlopen(request.form.get(...))
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A10:2021 - Server-Side Request Forgery"
+
+# ZM-PY-SSRF-03: httpx.get/post 参数来自 request
+- id: zm-py-ssrf-003
+  severity: ERROR
+  message: |
+    检测到 httpx.get/post/AsyncClient 的 URL 参数来自 HTTP 请求。
+    httpx 同样可能被利用进行 SSRF 攻击访问内网服务或云元数据。
+    修复: 校验用户输入 URL 协议仅允许 http/https；禁止解析到内网 IP。
+  languages:
+    - python
+  pattern-either:
+    - pattern: httpx.get(request.args.get(...))
+    - pattern: httpx.get(request.form.get(...))
+    - pattern: httpx.get(request.values.get(...))
+    - pattern: httpx.post(request.args.get(...))
+    - pattern: httpx.post(request.form.get(...))
+    - pattern: httpx.AsyncClient().get(request.args.get(...))
+    - pattern: httpx.AsyncClient().get(request.form.get(...))
+    - pattern: httpx.AsyncClient().post(request.args.get(...))
+    - pattern: httpx.AsyncClient().post(request.form.get(...))
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A10:2021 - Server-Side Request Forgery"
+
+# ZM-PY-SSRF-04: aiohttp.ClientSession().get() 参数来自 request
+- id: zm-py-ssrf-004
+  severity: ERROR
+  message: |
+    检测到 aiohttp.ClientSession().get/post 的 URL 参数来自 HTTP 请求。
+    异步 HTTP 客户端同样存在 SSRF 风险。
+    修复: 对用户输入 URL 做严格白名单校验；禁止访问内网地址段。
+  languages:
+    - python
+  pattern-either:
+    - pattern: aiohttp.ClientSession().get(request.args.get(...))
+    - pattern: aiohttp.ClientSession().get(request.form.get(...))
+    - pattern: aiohttp.ClientSession().post(request.args.get(...))
+    - pattern: aiohttp.ClientSession().post(request.form.get(...))
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A10:2021 - Server-Side Request Forgery"

package/rules/common/zm-py-cwe94-ssti.yaml

@@ -0,0 +1,87 @@
+# CWE-94: Flask/Jinja2 Server-Side Template Injection (SSTI) 检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: render_template_string / jinja2.Template 用户输入注入点
+
+rules:
+
+# ZM-PY-SSTI-01: render_template_string() 参数来自 request
+- id: zm-py-ssti-001
+  severity: ERROR
+  message: |
+    检测到 render_template_string() 参数来自 HTTP 请求。
+    攻击者可注入 Jinja2 模板语法 {{config}} {{''.__class__.__mro__[2].__subclasses__()}}
+    读取敏感配置或实现 RCE。
+    修复: 禁止将用户输入传入 render_template_string()；使用 render_template() + 模板文件。
+  languages:
+    - python
+  pattern-either:
+    - pattern: flask.render_template_string(request.args.get(...))
+    - pattern: flask.render_template_string(request.form.get(...))
+    - pattern: flask.render_template_string(request.values.get(...))
+    - pattern: render_template_string(request.args.get(...))
+    - pattern: render_template_string(request.form.get(...))
+    - pattern: render_template_string(request.values.get(...))
+    - pattern: render_template_string(request.data)
+    - pattern: render_template_string(request.get_json().get(...))
+    - pattern: render_template_string(request.json.get(...))
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: ERROR
+    precision: high
+    category: ssti
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-PY-SSTI-02: jinja2.Template() 用户输入直接作为模板
+- id: zm-py-ssti-002
+  severity: ERROR
+  message: |
+    检测到 jinja2.Template() 直接使用用户输入作为模板字符串。
+    攻击者可嵌入 SSTI payload 实现任意代码执行。
+    修复: 不要将用户输入作为模板字符串；使用预定义模板文件 + 变量绑定。
+  languages:
+    - python
+  pattern-either:
+    - pattern: jinja2.Template(request.args.get(...)).render()
+    - pattern: jinja2.Template(request.form.get(...)).render()
+    - pattern: jinja2.Template(request.values.get(...)).render()
+    - pattern: Template(request.args.get(...)).render()
+    - pattern: Template(request.form.get(...)).render()
+    - pattern: Template(request.values.get(...)).render()
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: ERROR
+    precision: high
+    category: ssti
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-PY-SSTI-03: Markup() 包装用户输入（等效模板 |safe 过滤器）
+- id: zm-py-ssti-003
+  severity: WARNING
+  message: |
+    检测到 flask.Markup() / markupsafe.Markup() 包装用户输入，等效模板 |safe 过滤器。
+    绕过自动转义后，用户 HTML/JS 将直接渲染导致 XSS，若含 Jinja2 语法则升级为 SSTI。
+    修复: 移除 Markup() 包装使用默认自动转义。
+  languages:
+    - python
+  pattern-either:
+    - pattern: flask.Markup(request.args.get(...))
+    - pattern: flask.Markup(request.form.get(...))
+    - pattern: flask.Markup(request.values.get(...))
+    - pattern: markupsafe.Markup(request.args.get(...))
+    - pattern: markupsafe.Markup(request.form.get(...))
+    - pattern: markupsafe.Markup(request.values.get(...))
+    - pattern: Markup(request.args.get(...))
+    - pattern: Markup(request.form.get(...))
+    - pattern: Markup(request.values.get(...))
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
+    severity: WARNING
+    precision: medium
+    category: ssti
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"

package/rules/common/zm-py-cwe943-nosql-injection.yaml

@@ -0,0 +1,123 @@
+# CWE-943: Python NoSQL 注入检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: $where / $regex / $ne 用户输入直接传入 MongoDB/PyMongo/Motor 查询构造
+
+rules:
+
+# ZM-PY-NOSQL-01: MongoDB $where 操作符 + 用户输入
+- id: zm-py-nosql-injection-001
+  severity: ERROR
+  message: |
+    检测到 MongoDB 查询中使用 $where 操作符且参数来自 HTTP 请求。
+    $where 允许执行任意 JavaScript 表达式，攻击者可注入恶意 JS 代码获取全量数据或执行 DoS。
+    修复: 禁止在查询中使用 $where；如确需复杂查询使用 $expr + 聚合管道替代。
+  languages:
+    - python
+  pattern-either:
+    - pattern: |
+        {"$where": request.args.get(...)}
+    - pattern: |
+        {"$where": request.form.get(...)}
+    - pattern: |
+        {"$where": request.values.get(...)}
+    - pattern: |
+        {"$where": request.data}
+    - pattern: |
+        {"$where": $USER_VAR}
+    - pattern: '$COLL.find({"$where": request.args.get(...)})'
+    - pattern: '$COLL.find({"$where": request.form.get(...)})'
+    - pattern: '$COLL.find({"$where": request.values.get(...)})'
+    - pattern: '$COLL.find({"$where": $USER_VAR})'
+  metadata:
+    cwe: "CWE-943: Improper Neutralization of Special Elements in Data Query Logic"
+    severity: ERROR
+    precision: high
+    category: nosql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-PY-NOSQL-02: MongoDB $regex 操作符 + 用户输入
+- id: zm-py-nosql-injection-002
+  severity: WARNING
+  message: |
+    检测到 MongoDB 查询中 $regex 操作符参数来自 HTTP 请求。
+    攻击者可构造 ^ 锚点绕过正则匹配或 ReDoS 正则拒绝服务攻击耗尽 CPU。
+    修复: 对用户输入做正则特殊字符转义（re.escape）；限制正则复杂度。
+  languages:
+    - python
+  pattern-either:
+    - pattern: |
+        {"$regex": request.args.get(...)}
+    - pattern: |
+        {"$regex": request.form.get(...)}
+    - pattern: |
+        {"$regex": request.values.get(...)}
+    - pattern: '$COLL.find({"$KEY": {"$regex": request.args.get(...)}})'
+    - pattern: '$COLL.find({"$KEY": {"$regex": request.form.get(...)}})'
+    - pattern: '$COLL.find({"$KEY": {"$regex": request.values.get(...)}})'
+  metadata:
+    cwe: "CWE-943: Improper Neutralization of Special Elements in Data Query Logic"
+    severity: WARNING
+    precision: medium
+    category: nosql-injection
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+
+# ZM-PY-NOSQL-03: MongoDB 查询操作符 $ne / $gt / $lt 直接由用户输入构造
+- id: zm-py-nosql-injection-003
+  severity: WARNING
+  message: |
+    检测到 MongoDB 查询字典直接由 HTTP 请求参数构造，攻击者可注入 $ne 等操作符绕过认证/授权。
+    例如 POST {"username":"admin","password":{"$ne":""}} 可绕过登录。
+    修复: 使用 mongo-sanitize 或 mquery 库清理用户输入中的 $ 前缀操作符；对输入做类型校验。
+  languages:
+    - python
+  pattern-either:
+    - pattern: $COLL.find_one(request.json)
+    - pattern: $COLL.find_one(request.get_json())
+    - pattern: $COLL.find_one(request.args)
+    - pattern: $COLL.find_one(request.form)
+    - pattern: $COLL.find(request.json)
+    - pattern: $COLL.find(request.get_json())
+    - pattern: $COLL.find(request.args)
+    - pattern: $COLL.find(request.form)
+    - pattern: $COLL.find(request.POST)
+    - pattern: $COLL.find_one(request.POST)
+  metadata:
+    cwe: "CWE-943: Improper Neutralization of Special Elements in Data Query Logic"
+    severity: WARNING
+    precision: high
+    category: nosql-injection
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+
+# ZM-PY-NOSQL-04: Motor (Async MongoDB) 查询 + 用户输入
+- id: zm-py-nosql-injection-004
+  severity: WARNING
+  message: |
+    检测到 Motor (异步 MongoDB 驱动) 的 find/find_one 查询参数直接来自 HTTP 请求。
+    攻击者可注入 $ne/$gt/$where 等操作符实现 NoSQL 注入。
+    修复: 对查询条件中的用户输入做类型校验和 $ 操作符过滤。
+  languages:
+    - python
+  pattern-either:
+    - pattern: motor.motor_asyncio.AsyncIOMotorCollection.find(request.json)
+    - pattern: motor.motor_asyncio.AsyncIOMotorCollection.find_one(request.json)
+    - pattern: $COLL.find(request.args.get(...))
+    - pattern: $COLL.find(request.form.get(...))
+    - pattern: '$COLL.find({"$KEY": request.args.get(...)})'
+    - pattern: '$COLL.find({"$KEY": request.form.get(...)})'
+    - pattern: '$COLL.find({"$KEY": request.values.get(...)})'
+    - pattern: '$COLL.find_one({"$KEY": request.args.get(...)})'
+    - pattern: '$COLL.find_one({"$KEY": request.form.get(...)})'
+  metadata:
+    cwe: "CWE-943: Improper Neutralization of Special Elements in Data Query Logic"
+    severity: WARNING
+    precision: medium
+    category: nosql-injection
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"

package/rules/iac/ansible/zm-ansible-cwe269-privilege-escalation.yaml

@@ -0,0 +1,63 @@
+# 逐码 ZhuMa IaC 规则 — Ansible 权限提升检测
+# V4.1 Sprint — CWE-269: Improper Privilege Management
+
+rules:
+  # ZM-ANSIBLE-CWE269-001: become: yes 未限制 become_user
+  - id: zm-ansible-cwe269-privesc-001
+    severity: HIGH
+    message: |
+      Ansible Playbook 中 `become: yes` 未同时指定 `become_user` — 默认升级为 root 用户执行所有任务。
+      应在 Play 或 Task 级别明确指定 `become_user` 为最小权限所需的非 root 用户:
+      ```yaml
+      become: yes
+      become_user: appuser
+      ```
+    languages:
+      - generic
+    pattern: |
+      become: yes
+    pattern-not: |
+      become_user: $USER
+    metadata:
+      cwe: "CWE-269: Improper Privilege Management"
+      category: iac-ansible
+      precision: medium
+      confidence: high
+      tags: [ansible, privilege-escalation, become, root]
+
+  # ZM-ANSIBLE-CWE269-002: become: true (另一种写法)
+  - id: zm-ansible-cwe269-privesc-002
+    severity: HIGH
+    message: |
+      Ansible Playbook 中 `become: true` 未限制 `become_user` — 可能意外升级为 root。
+      明确指定 `become_user` 并确保目标用户具有完成任务的必要权限而不需要完整 root 权限。
+    languages:
+      - generic
+    pattern: |
+      become: true
+    pattern-not: |
+      become_user: $USER
+    metadata:
+      cwe: "CWE-269: Improper Privilege Management"
+      category: iac-ansible
+      precision: medium
+      confidence: high
+      tags: [ansible, privilege-escalation, become, root]
+
+  # ZM-ANSIBLE-CWE269-003: become_method: su 配合 become: yes
+  - id: zm-ansible-cwe269-privesc-003
+    severity: MEDIUM
+    message: |
+      Ansible 使用 `become_method: su` — su 方法对密码处理不够安全，且通常意味着直接升级为 root。
+      优先使用 `become_method: sudo` 并配合 `/etc/sudoers` 中的细粒度 sudo 规则，
+      仅授予必要命令的执行权限，遵循最小权限原则。
+    languages:
+      - generic
+    pattern: |
+      become_method: su
+    metadata:
+      cwe: "CWE-269: Improper Privilege Management"
+      category: iac-ansible
+      precision: very-high
+      confidence: high
+      tags: [ansible, privilege-escalation, become_method, su]

package/rules/iac/ansible/zm-ansible-cwe78-command-injection.yaml

@@ -0,0 +1,67 @@
+# 逐码 ZhuMa IaC 规则 — Ansible Shell/Command 注入检测
+# V4.1 Sprint — CWE-78: OS Command Injection
+
+rules:
+  # ZM-ANSIBLE-CWE78-001: shell 模块 + 未经 quote 的变量
+  - id: zm-ansible-cwe78-cmdi-001
+    severity: CRITICAL
+    message: |
+      Ansible `shell` 模块中使用了未经 `quote` 过滤的变量 `{{ user_input }}` — 攻击者可通过变量注入任意 Shell 命令。
+      对所有用户可控变量使用 `{{ var | quote }}` 过滤器，或将命令重构为 `command` 模块（天然不调用 Shell）。
+      示例修复:
+      ```yaml
+      shell: echo {{ user_input | quote }}
+      ```
+    languages:
+      - generic
+    pattern-either:
+      - pattern: |
+          shell: "{{ $VAR }}"
+      - pattern: |
+          shell: "...{{ $VAR }}..."
+    metadata:
+      cwe: "CWE-78: OS Command Injection"
+      category: iac-ansible
+      precision: medium
+      confidence: high
+      tags: [ansible, command-injection, shell, variable]
+
+  # ZM-ANSIBLE-CWE78-002: command 模块 + 直接变量拼接
+  - id: zm-ansible-cwe78-cmdi-002
+    severity: HIGH
+    message: |
+      Ansible `command` 模块中直接拼接用户变量 `{{ user_input }}` — 虽然不经过 Shell，但攻击者仍可注入命令参数。
+      使用 `{{ var | quote }}` 或将变量作为 `args` 传递以限制注入面。
+    languages:
+      - generic
+    pattern-either:
+      - pattern: |
+          command: "...{{ $VAR }}..."
+      - pattern: |
+          command: "{{ $VAR }}"
+    metadata:
+      cwe: "CWE-78: OS Command Injection"
+      category: iac-ansible
+      precision: medium
+      confidence: high
+      tags: [ansible, command-injection, command, variable]
+
+  # ZM-ANSIBLE-CWE78-003: raw 模块 + 变量
+  - id: zm-ansible-cwe78-cmdi-003
+    severity: CRITICAL
+    message: |
+      Ansible `raw` 模块直接执行 SSH 命令，并将变量 `{{ user_input }}` 直接拼入命令 — 等同于远程命令执行。
+      `raw` 模块应避免使用用户变量。如必须使用，请用 `{{ var | quote }}` 并在任务文档中记录理由。
+    languages:
+      - generic
+    pattern-either:
+      - pattern: |
+          raw: "...{{ $VAR }}..."
+      - pattern: |
+          raw: "{{ $VAR }}"
+    metadata:
+      cwe: "CWE-78: OS Command Injection"
+      category: iac-ansible
+      precision: medium
+      confidence: high
+      tags: [ansible, command-injection, raw, rce]