corpus-core 0.1.0

package/src/cve-database.json

@@ -0,0 +1,396 @@
+{
+  "version": 1,
+  "lastUpdated": "2026-04-05",
+  "patterns": [
+    {
+      "id": "CVE-2017-5941",
+      "name": "node-serialize RCE",
+      "pattern": "\\bunserialize\\s*\\(",
+      "flags": "gi",
+      "description": "node-serialize unserialize() allows remote code execution when an attacker passes an IIFE (Immediately Invoked Function Expression) encoded as a serialized string. The function evaluates JavaScript code within the serialized payload.",
+      "severity": "CRITICAL",
+      "ecosystem": "npm",
+      "affectedPackages": ["node-serialize"],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2017-5941", "https://github.com/luin/serialize/issues/4"],
+      "codeExample": "var serialize = require('node-serialize');\nvar payload = '{\"rce\":\"_$$ND_FUNC$$_function(){require(\\\"child_process\\\").exec(\\\"whoami\\\")}()\"}';\nserialize.unserialize(payload);",
+      "fixExample": "// Never use node-serialize with untrusted input.\n// Use JSON.parse() for deserialization instead:\nconst data = JSON.parse(userInput);"
+    },
+    {
+      "id": "CVE-2021-23337",
+      "name": "Lodash template injection",
+      "pattern": "_\\.template\\s*\\([^)]*\\b(req\\.|params\\.|query\\.|body\\.|headers\\.|user[Ii]nput|args|argv)",
+      "flags": "g",
+      "description": "lodash _.template() allows command injection when template strings are constructed from user-controlled input. An attacker can inject template delimiters to execute arbitrary JavaScript code.",
+      "severity": "CRITICAL",
+      "ecosystem": "npm",
+      "affectedPackages": ["lodash", "lodash.template"],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2021-23337", "https://github.com/lodash/lodash/issues/5261"],
+      "codeExample": "const _ = require('lodash');\nconst compiled = _.template(req.body.templateStr);\nconst result = compiled({ name: 'user' });",
+      "fixExample": "// Never pass user input as the template string.\n// Only use static template strings:\nconst compiled = _.template('<h1><%= name %></h1>');\nconst result = compiled({ name: sanitize(req.body.name) });"
+    },
+    {
+      "id": "CVE-2019-10744",
+      "name": "Lodash defaultsDeep prototype pollution",
+      "pattern": "_\\.defaultsDeep\\s*\\(",
+      "flags": "g",
+      "description": "lodash defaultsDeep allows prototype pollution via crafted payloads containing __proto__ or constructor.prototype properties, enabling an attacker to inject properties onto Object.prototype.",
+      "severity": "HIGH",
+      "ecosystem": "npm",
+      "affectedPackages": ["lodash", "lodash.defaultsdeep"],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-10744", "https://github.com/lodash/lodash/pull/4336"],
+      "codeExample": "const _ = require('lodash');\nconst payload = JSON.parse('{\"__proto__\":{\"polluted\":true}}');\n_.defaultsDeep({}, payload);",
+      "fixExample": "// Upgrade lodash to >= 4.17.12.\n// Sanitize input before passing to defaultsDeep:\nfunction sanitize(obj) {\n  const str = JSON.stringify(obj);\n  if (str.includes('__proto__') || str.includes('constructor')) throw new Error('Invalid input');\n  return obj;\n}"
+    },
+    {
+      "id": "CVE-2022-24999",
+      "name": "qs prototype pollution",
+      "pattern": "\\bqs\\.parse\\s*\\([^)]*\\{[^}]*(allowPrototypes\\s*:\\s*true)",
+      "flags": "g",
+      "description": "The qs package allows prototype pollution when allowPrototypes option is enabled. Attackers can inject properties onto Object.prototype via crafted query strings.",
+      "severity": "HIGH",
+      "ecosystem": "npm",
+      "affectedPackages": ["qs"],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2022-24999", "https://github.com/ljharb/qs/issues/200"],
+      "codeExample": "const qs = require('qs');\nconst parsed = qs.parse(req.query, { allowPrototypes: true });",
+      "fixExample": "// Upgrade qs to >= 6.10.3.\n// Never set allowPrototypes to true:\nconst parsed = qs.parse(req.query, { allowPrototypes: false });"
+    },
+    {
+      "id": "CVE-2023-22578",
+      "name": "Sequelize raw query SQL injection",
+      "pattern": "sequelize\\.(query|literal)\\s*\\(\\s*`[^`]*\\$\\{",
+      "flags": "g",
+      "description": "Sequelize allows SQL injection when raw queries are constructed using template literals with user-controlled input instead of using parameterized replacements.",
+      "severity": "CRITICAL",
+      "ecosystem": "npm",
+      "affectedPackages": ["sequelize"],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-22578", "https://github.com/sequelize/sequelize/issues/14519"],
+      "codeExample": "const results = await sequelize.query(`SELECT * FROM users WHERE id = ${req.params.id}`);",
+      "fixExample": "// Use parameterized replacements:\nconst results = await sequelize.query(\n  'SELECT * FROM users WHERE id = :id',\n  { replacements: { id: req.params.id }, type: QueryTypes.SELECT }\n);"
+    },
+    {
+      "id": "CVE-2022-25883",
+      "name": "semver ReDoS",
+      "pattern": "semver\\.(satisfies|valid|coerce|clean|gt|lt|gte|lte|eq|compare)\\s*\\([^)]*\\b(req\\.|params\\.|query\\.|body\\.|headers\\.|user[Ii]nput)",
+      "flags": "g",
+      "description": "The semver package is vulnerable to Regular Expression Denial of Service (ReDoS) via crafted version strings. User-controlled input passed directly to semver functions can freeze the event loop.",
+      "severity": "HIGH",
+      "ecosystem": "npm",
+      "affectedPackages": ["semver"],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2022-25883", "https://github.com/npm/node-semver/pull/564"],
+      "codeExample": "const semver = require('semver');\nconst isValid = semver.valid(req.body.version);",
+      "fixExample": "// Upgrade semver to >= 7.5.2.\n// Validate input length before passing to semver:\nconst version = req.body.version;\nif (typeof version !== 'string' || version.length > 256) throw new Error('Invalid version');\nconst isValid = semver.valid(version);"
+    },
+    {
+      "id": "CVE-2021-3749",
+      "name": "axios SSRF",
+      "pattern": "axios\\.(get|post|put|delete|patch|request|head)\\s*\\(\\s*(req\\.|params\\.|query\\.|body\\.|headers\\.|user[Ii]nput|args)",
+      "flags": "g",
+      "description": "axios is vulnerable to Server-Side Request Forgery when user-controlled input is passed directly as the URL. Attackers can make the server issue requests to internal services.",
+      "severity": "HIGH",
+      "ecosystem": "npm",
+      "affectedPackages": ["axios"],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2021-3749", "https://github.com/axios/axios/issues/3407"],
+      "codeExample": "const axios = require('axios');\nconst response = await axios.get(req.body.url);",
+      "fixExample": "// Validate and whitelist URLs before making requests:\nconst url = new URL(req.body.url);\nconst allowedHosts = ['api.example.com'];\nif (!allowedHosts.includes(url.hostname)) throw new Error('Forbidden host');\nconst response = await axios.get(url.toString());"
+    },
+    {
+      "id": "CVE-2022-0155",
+      "name": "follow-redirects data exposure",
+      "pattern": "follow-redirects|maxRedirects\\s*:\\s*([2-9]\\d|\\d{3,})",
+      "flags": "g",
+      "description": "follow-redirects exposes sensitive headers (Authorization, Cookie) to third-party hosts when following cross-origin redirects. High maxRedirects values increase exposure surface.",
+      "severity": "MEDIUM",
+      "ecosystem": "npm",
+      "affectedPackages": ["follow-redirects"],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2022-0155", "https://github.com/follow-redirects/follow-redirects/issues/169"],
+      "codeExample": "const http = require('follow-redirects').http;\nhttp.get({ host: userInput, headers: { Authorization: 'Bearer ' + token } });",
+      "fixExample": "// Upgrade follow-redirects to >= 1.14.8.\n// Strip sensitive headers on redirect:\nconst http = require('follow-redirects').http;\nhttp.get({\n  host: 'trusted.example.com',\n  beforeRedirect: (options) => { delete options.headers.authorization; }\n});"
+    },
+    {
+      "id": "CVE-2021-44228-JS",
+      "name": "Log injection via template literals",
+      "pattern": "(console\\.(log|warn|error|info|debug)|logger\\.(log|warn|error|info|debug|trace|fatal))\\s*\\(\\s*`[^`]*\\$\\{[^}]*(req\\.|params\\.|query\\.|body\\.|headers\\.|user[Ii]nput|args)",
+      "flags": "g",
+      "description": "Log4Shell-inspired log injection in JavaScript: user-controlled input interpolated directly into log statements via template literals can enable log forging, ANSI escape injection, or downstream log processor exploitation.",
+      "severity": "MEDIUM",
+      "ecosystem": "npm",
+      "affectedPackages": [],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "https://owasp.org/www-community/attacks/Log_Injection"],
+      "codeExample": "console.log(`User login: ${req.body.username}`);",
+      "fixExample": "// Sanitize user input before logging:\nconst sanitized = req.body.username.replace(/[\\n\\r\\t]/g, '');\nconsole.log('User login:', sanitized);"
+    },
+    {
+      "id": "CVE-2020-7660",
+      "name": "serialize-javascript code execution",
+      "pattern": "serialize\\s*\\(\\s*[^,)]*\\{[^}]*\\bspace\\b",
+      "flags": "g",
+      "description": "serialize-javascript allows remote code execution through crafted input when the space option is used. Malicious payloads can break out of the serialized context and execute arbitrary code.",
+      "severity": "CRITICAL",
+      "ecosystem": "npm",
+      "affectedPackages": ["serialize-javascript"],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2020-7660", "https://github.com/yahoo/serialize-javascript/issues/73"],
+      "codeExample": "const serialize = require('serialize-javascript');\nconst output = serialize(userInput, { space: 2 });",
+      "fixExample": "// Upgrade serialize-javascript to >= 3.1.0.\n// Avoid serializing untrusted input:\nconst output = serialize(trustedData, { space: 2, isJSON: true });"
+    },
+    {
+      "id": "CVE-2019-11358",
+      "name": "jQuery extend prototype pollution",
+      "pattern": "\\$\\.extend\\s*\\(\\s*true\\s*,",
+      "flags": "g",
+      "description": "jQuery $.extend with deep=true allows prototype pollution. Attackers can inject __proto__ properties through crafted objects to pollute Object.prototype.",
+      "severity": "MEDIUM",
+      "ecosystem": "npm",
+      "affectedPackages": ["jquery"],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"],
+      "codeExample": "$.extend(true, {}, JSON.parse(userInput));",
+      "fixExample": "// Upgrade jQuery to >= 3.4.0.\n// Filter dangerous keys from input:\nfunction safeExtend(target, source) {\n  for (const key of Object.keys(source)) {\n    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;\n    target[key] = source[key];\n  }\n  return target;\n}"
+    },
+    {
+      "id": "CVE-2023-26136",
+      "name": "tough-cookie prototype pollution",
+      "pattern": "tough-cookie|new\\s+Cookie\\s*\\(",
+      "flags": "g",
+      "description": "tough-cookie is vulnerable to prototype pollution via the Cookie constructor when processing crafted cookie strings containing __proto__ keys.",
+      "severity": "MEDIUM",
+      "ecosystem": "npm",
+      "affectedPackages": ["tough-cookie"],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-26136", "https://github.com/salesforce/tough-cookie/issues/282"],
+      "codeExample": "const { Cookie } = require('tough-cookie');\nconst cookie = Cookie.parse(userInput);",
+      "fixExample": "// Upgrade tough-cookie to >= 4.1.3.\n// Validate cookie strings before parsing:\nif (userInput.includes('__proto__') || userInput.includes('constructor')) {\n  throw new Error('Invalid cookie');\n}"
+    },
+    {
+      "id": "CVE-2022-29078",
+      "name": "EJS template injection",
+      "pattern": "ejs\\.render(File)?\\s*\\([^)]*\\b(req\\.|params\\.|query\\.|body\\.|settings\\s*\\[)",
+      "flags": "g",
+      "description": "EJS allows server-side template injection when user-controlled input is passed into render options or when settings object is exposed. Attackers can achieve RCE through crafted view options.",
+      "severity": "CRITICAL",
+      "ecosystem": "npm",
+      "affectedPackages": ["ejs"],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2022-29078", "https://github.com/mde/ejs/issues/720"],
+      "codeExample": "app.get('/page', (req, res) => {\n  res.render('page', req.query);\n});",
+      "fixExample": "// Upgrade EJS to >= 3.1.7.\n// Never pass user input directly as render options:\napp.get('/page', (req, res) => {\n  res.render('page', { title: sanitize(req.query.title) });\n});"
+    },
+    {
+      "id": "CVE-2018-3721",
+      "name": "Lodash merge prototype pollution",
+      "pattern": "_\\.merge\\s*\\([^)]*\\b(req\\.|params\\.|query\\.|body\\.|headers\\.|user[Ii]nput|JSON\\.parse)",
+      "flags": "g",
+      "description": "lodash _.merge allows prototype pollution when merging objects from untrusted sources. Attackers can inject __proto__ properties to pollute Object.prototype and modify application behavior.",
+      "severity": "HIGH",
+      "ecosystem": "npm",
+      "affectedPackages": ["lodash", "lodash.merge"],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2018-3721", "https://github.com/lodash/lodash/commit/d299b0f"],
+      "codeExample": "const _ = require('lodash');\nconst config = _.merge({}, JSON.parse(req.body.settings));",
+      "fixExample": "// Upgrade lodash to >= 4.17.5.\n// Sanitize input before merging:\nfunction stripProto(obj) {\n  return JSON.parse(JSON.stringify(obj), (key, value) => {\n    if (key === '__proto__' || key === 'constructor') return undefined;\n    return value;\n  });\n}\nconst config = _.merge({}, stripProto(req.body.settings));"
+    },
+    {
+      "id": "CVE-2021-32804",
+      "name": "tar path traversal",
+      "pattern": "tar\\.(extract|x)\\s*\\(|tar\\.Extract|new\\s+tar\\.Unpack",
+      "flags": "g",
+      "description": "The tar package allows path traversal via crafted tar entries with absolute paths or ../ sequences. Files can be written outside the intended extraction directory.",
+      "severity": "HIGH",
+      "ecosystem": "npm",
+      "affectedPackages": ["tar"],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2021-32804", "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9"],
+      "codeExample": "const tar = require('tar');\ntar.extract({ file: userUpload, cwd: '/tmp/extract' });",
+      "fixExample": "// Upgrade tar to >= 6.1.9.\n// Validate entries before extraction:\nconst tar = require('tar');\ntar.extract({\n  file: userUpload,\n  cwd: '/tmp/extract',\n  filter: (path) => !path.includes('..') && !path.startsWith('/')\n});"
+    },
+    {
+      "id": "CVE-2019-10758",
+      "name": "mongo-express RCE",
+      "pattern": "mongo-express|mongoExpress\\s*\\(",
+      "flags": "g",
+      "description": "mongo-express allows remote code execution via crafted BSON data in the document editing interface. When exposed publicly, attackers can execute arbitrary commands on the server.",
+      "severity": "CRITICAL",
+      "ecosystem": "npm",
+      "affectedPackages": ["mongo-express"],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-10758", "https://github.com/mongo-express/mongo-express/issues/577"],
+      "codeExample": "const mongoExpress = require('mongo-express/lib/middleware');\napp.use('/mongo', mongoExpress(config));",
+      "fixExample": "// Upgrade mongo-express to >= 0.54.0.\n// Never expose mongo-express to the public internet.\n// Use authentication and restrict to localhost:\napp.use('/mongo', requireAuth, mongoExpress(config));\n// Bind to localhost only:\napp.listen(8081, '127.0.0.1');"
+    },
+    {
+      "id": "CVE-2023-36665",
+      "name": "protobuf.js prototype pollution",
+      "pattern": "protobufjs|protobuf\\.load|protobuf\\.parse",
+      "flags": "g",
+      "description": "protobuf.js allows prototype pollution through crafted protobuf messages containing __proto__ fields. This can lead to denial of service or remote code execution.",
+      "severity": "HIGH",
+      "ecosystem": "npm",
+      "affectedPackages": ["protobufjs"],
+      "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-36665", "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-h755-8qp9-cq85"],
+      "codeExample": "const protobuf = require('protobufjs');\nconst root = await protobuf.load('schema.proto');\nconst decoded = MessageType.decode(userBuffer);",
+      "fixExample": "// Upgrade protobufjs to >= 7.2.5.\n// Validate and freeze prototypes after decoding:\nconst decoded = MessageType.decode(userBuffer);\nconst safe = MessageType.toObject(decoded);\nObject.freeze(Object.getPrototypeOf(safe));"
+    },
+    {
+      "id": "CORPUS-PATH-TRAVERSAL",
+      "name": "Path traversal via user input",
+      "pattern": "(readFile|readFileSync|createReadStream|access|stat|writeFile|writeFileSync|unlink|rmdir|mkdir|appendFile|rename|copyFile)\\s*\\([^)]*\\.\\.[\\\\/]|\\.\\.(/|\\\\\\\\)",
+      "flags": "g",
+      "description": "Path traversal occurs when user-controlled input containing ../ sequences is used in filesystem operations, allowing access to files outside the intended directory.",
+      "severity": "HIGH",
+      "ecosystem": "npm",
+      "affectedPackages": [],
+      "references": ["https://owasp.org/www-community/attacks/Path_Traversal"],
+      "codeExample": "const filePath = path.join('/uploads', req.params.filename);\nconst content = fs.readFileSync(filePath);",
+      "fixExample": "// Resolve and validate the path stays within the intended directory:\nconst basePath = path.resolve('/uploads');\nconst filePath = path.resolve('/uploads', req.params.filename);\nif (!filePath.startsWith(basePath)) throw new Error('Path traversal detected');\nconst content = fs.readFileSync(filePath);"
+    },
+    {
+      "id": "CORPUS-SQL-INJECTION",
+      "name": "SQL injection via string concatenation",
+      "pattern": "(query|execute|raw|prepare)\\s*\\(\\s*(['\"`]\\s*(SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE)\\b[^'\"`)]*\\s*\\+|`[^`]*(SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE)\\b[^`]*\\$\\{)",
+      "flags": "gi",
+      "description": "SQL injection occurs when user input is concatenated or interpolated into SQL query strings instead of using parameterized queries or prepared statements.",
+      "severity": "CRITICAL",
+      "ecosystem": "npm",
+      "affectedPackages": [],
+      "references": ["https://owasp.org/www-community/attacks/SQL_Injection"],
+      "codeExample": "const result = await db.query('SELECT * FROM users WHERE id = ' + req.params.id);\nconst result = await db.query(`SELECT * FROM users WHERE name = '${req.body.name}'`);",
+      "fixExample": "// Use parameterized queries:\nconst result = await db.query('SELECT * FROM users WHERE id = $1', [req.params.id]);"
+    },
+    {
+      "id": "CORPUS-SSRF",
+      "name": "SSRF via user-controlled URL",
+      "pattern": "(fetch|axios\\.(get|post|put|delete|patch|request)|http\\.get|https\\.get|http\\.request|https\\.request|got|superagent|request)\\s*\\(\\s*(req\\.|params\\.|query\\.|body\\.|headers\\.|user[Ii]nput|args\\[|process\\.argv)",
+      "flags": "g",
+      "description": "Server-Side Request Forgery occurs when user-controlled input is used as a URL in server-side HTTP requests, allowing attackers to access internal services and resources.",
+      "severity": "HIGH",
+      "ecosystem": "npm",
+      "affectedPackages": [],
+      "references": ["https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"],
+      "codeExample": "const response = await fetch(req.body.url);\nconst data = await axios.get(req.query.endpoint);",
+      "fixExample": "// Validate and whitelist URLs:\nconst url = new URL(req.body.url);\nconst allowedHosts = ['api.trusted.com'];\nif (!allowedHosts.includes(url.hostname)) throw new Error('Forbidden host');\nif (['127.0.0.1', 'localhost', '0.0.0.0'].includes(url.hostname)) throw new Error('Blocked');\nconst response = await fetch(url.toString());"
+    },
+    {
+      "id": "CORPUS-UNSAFE-DESER",
+      "name": "Unsafe deserialization of user input",
+      "pattern": "JSON\\.parse\\s*\\(\\s*(req\\.|params\\.|query\\.|body\\.|headers\\.|user[Ii]nput|Buffer\\.from|readFileSync|await\\s+fetch)",
+      "flags": "g",
+      "description": "Parsing JSON from untrusted sources without validation can lead to prototype pollution if the parsed object contains __proto__ keys, or unexpected behavior from crafted payloads.",
+      "severity": "MEDIUM",
+      "ecosystem": "npm",
+      "affectedPackages": [],
+      "references": ["https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_HTTP_Incoming_Requests"],
+      "codeExample": "const data = JSON.parse(req.body.payload);\nObject.assign(config, data);",
+      "fixExample": "// Validate parsed JSON against a schema:\nconst data = JSON.parse(req.body.payload);\nconst validated = schema.validate(data);\nif (validated.error) throw new Error('Invalid input');"
+    },
+    {
+      "id": "CORPUS-CMD-INJECTION",
+      "name": "Command injection via exec/spawn",
+      "pattern": "(exec|execSync|spawn|spawnSync|execFile|execFileSync)\\s*\\(\\s*(`[^`]*\\$\\{|[^,)]*\\+\\s*(req\\.|params\\.|query\\.|body\\.|headers\\.|user[Ii]nput|args))",
+      "flags": "g",
+      "description": "Command injection occurs when user-controlled input is interpolated or concatenated into shell commands executed via child_process functions.",
+      "severity": "CRITICAL",
+      "ecosystem": "npm",
+      "affectedPackages": [],
+      "references": ["https://owasp.org/www-community/attacks/Command_Injection"],
+      "codeExample": "const { exec } = require('child_process');\nexec(`git clone ${req.body.repoUrl}`);",
+      "fixExample": "// Use execFile with argument arrays instead of exec:\nconst { execFile } = require('child_process');\nexecFile('git', ['clone', '--', req.body.repoUrl]);"
+    },
+    {
+      "id": "CORPUS-OPEN-REDIRECT",
+      "name": "Open redirect via user-controlled URL",
+      "pattern": "(res\\.redirect|location\\.href\\s*=|window\\.location\\s*=|location\\.replace)\\s*\\(\\s*(req\\.|params\\.|query\\.|body\\.|headers\\.|user[Ii]nput)",
+      "flags": "g",
+      "description": "Open redirect occurs when a web application redirects users to a URL controlled by attacker input, enabling phishing attacks and credential theft.",
+      "severity": "MEDIUM",
+      "ecosystem": "npm",
+      "affectedPackages": [],
+      "references": ["https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect"],
+      "codeExample": "app.get('/redirect', (req, res) => {\n  res.redirect(req.query.url);\n});",
+      "fixExample": "// Validate redirect URL against an allowlist:\nconst allowedPaths = ['/dashboard', '/profile'];\nconst target = req.query.url;\nif (!allowedPaths.includes(target)) return res.status(400).send('Invalid redirect');\nres.redirect(target);"
+    },
+    {
+      "id": "CORPUS-XXE",
+      "name": "XXE via XML parsing without entity restriction",
+      "pattern": "(xml2js|libxmljs|DOMParser|parseXml|parseString|xml\\.parse|sax\\.parser|fast-xml-parser)\\s*[.(]",
+      "flags": "g",
+      "description": "XML External Entity (XXE) injection occurs when XML parsers process external entity references in untrusted XML input, potentially leading to file disclosure, SSRF, or denial of service.",
+      "severity": "HIGH",
+      "ecosystem": "npm",
+      "affectedPackages": [],
+      "references": ["https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing"],
+      "codeExample": "const xml2js = require('xml2js');\nconst parser = new xml2js.Parser();\nparser.parseString(userXml, callback);",
+      "fixExample": "// Disable external entities and DTD processing:\nconst parser = new xml2js.Parser({\n  explicitRoot: false,\n  // xml2js is generally safe, but validate input:\n});\n// For libxmljs: { noent: false, dtdload: false, dtdattr: false }\n// Always sanitize XML input before parsing."
+    },
+    {
+      "id": "CORPUS-INSECURE-RANDOM",
+      "name": "Insecure randomness for security purposes",
+      "pattern": "Math\\.random\\s*\\(\\s*\\)\\s*[^;]*\\b(token|secret|key|password|salt|nonce|csrf|session|auth|otp|api[Kk]ey|apiSecret)",
+      "flags": "gi",
+      "description": "Math.random() is not cryptographically secure and should never be used to generate tokens, secrets, keys, or other security-sensitive values. It uses a predictable PRNG that can be reverse-engineered.",
+      "severity": "HIGH",
+      "ecosystem": "npm",
+      "affectedPackages": [],
+      "references": ["https://owasp.org/www-community/vulnerabilities/Insecure_Randomness"],
+      "codeExample": "const token = Math.random().toString(36).substring(2);\nconst apiKey = 'key_' + Math.random().toString(36);",
+      "fixExample": "// Use crypto.randomBytes or crypto.randomUUID:\nconst crypto = require('crypto');\nconst token = crypto.randomBytes(32).toString('hex');\nconst apiKey = 'key_' + crypto.randomUUID();"
+    },
+    {
+      "id": "CORPUS-HARDCODED-JWT",
+      "name": "Hardcoded JWT signing secret",
+      "pattern": "jwt\\.sign\\s*\\([^)]*,\\s*['\"][^'\"]{1,64}['\"]",
+      "flags": "g",
+      "description": "Signing JWTs with hardcoded string literals means the secret is embedded in source code. If the repository is leaked or the code is decompiled, all tokens can be forged.",
+      "severity": "HIGH",
+      "ecosystem": "npm",
+      "affectedPackages": [],
+      "references": ["https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens"],
+      "codeExample": "const jwt = require('jsonwebtoken');\nconst token = jwt.sign({ userId: 1 }, 'my-super-secret-key');",
+      "fixExample": "// Load secret from environment variable:\nconst token = jwt.sign({ userId: 1 }, process.env.JWT_SECRET);"
+    },
+    {
+      "id": "CORPUS-NO-RATE-LIMIT",
+      "name": "Auth endpoint without rate limiting",
+      "pattern": "(app|router)\\.(post|put)\\s*\\(\\s*['\"`]\\/(login|signin|auth|register|signup|reset-password|forgot-password|verify|token|oauth)['\"`]\\s*,\\s*(async\\s+)?\\(?(req|ctx)",
+      "flags": "gi",
+      "description": "Authentication endpoints without rate limiting are vulnerable to brute-force attacks, credential stuffing, and enumeration attacks.",
+      "severity": "MEDIUM",
+      "ecosystem": "npm",
+      "affectedPackages": [],
+      "references": ["https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks"],
+      "codeExample": "app.post('/login', async (req, res) => {\n  const user = await authenticate(req.body.email, req.body.password);\n});",
+      "fixExample": "// Add rate limiting middleware:\nconst rateLimit = require('express-rate-limit');\nconst authLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 10 });\napp.post('/login', authLimiter, async (req, res) => {\n  const user = await authenticate(req.body.email, req.body.password);\n});"
+    },
+    {
+      "id": "CORPUS-INSECURE-COOKIE",
+      "name": "Cookie without secure/httpOnly flags",
+      "pattern": "(res\\.cookie|setCookie|cookies\\.set)\\s*\\([^)]*\\{[^}]*(?!secure\\s*:\\s*true|httpOnly\\s*:\\s*true)[^}]*\\}",
+      "flags": "g",
+      "description": "Setting cookies without the secure and httpOnly flags allows session hijacking via network sniffing (no secure flag) and XSS-based cookie theft (no httpOnly flag).",
+      "severity": "MEDIUM",
+      "ecosystem": "npm",
+      "affectedPackages": [],
+      "references": ["https://owasp.org/www-community/controls/SecureCookieAttribute"],
+      "codeExample": "res.cookie('session', token, { maxAge: 900000 });",
+      "fixExample": "res.cookie('session', token, {\n  maxAge: 900000,\n  httpOnly: true,\n  secure: true,\n  sameSite: 'strict'\n});"
+    },
+    {
+      "id": "CORPUS-TIMING-ATTACK",
+      "name": "Timing attack in secret comparison",
+      "pattern": "(===|==|!==|!=)\\s*(secret|token|apiKey|password|hash|hmac|signature|digest)|\\b(secret|token|apiKey|password|hash|hmac|signature|digest)\\s*(===|==|!==|!=)",
+      "flags": "g",
+      "description": "Using standard equality operators to compare secrets enables timing attacks. The comparison short-circuits on the first mismatched character, leaking information about the secret's value.",
+      "severity": "MEDIUM",
+      "ecosystem": "npm",
+      "affectedPackages": [],
+      "references": ["https://owasp.org/www-community/attacks/Timing_attack"],
+      "codeExample": "if (req.headers['x-api-key'] === apiKey) {\n  // allow access\n}",
+      "fixExample": "// Use constant-time comparison:\nconst crypto = require('crypto');\nconst isValid = crypto.timingSafeEqual(\n  Buffer.from(req.headers['x-api-key']),\n  Buffer.from(apiKey)\n);"
+    },
+    {
+      "id": "CORPUS-MASS-ASSIGNMENT",
+      "name": "Mass assignment via spread of user input",
+      "pattern": "(create|update|insert|save|findOneAndUpdate|updateOne|updateMany|findByIdAndUpdate|upsert)\\s*\\(\\s*(\\{\\s*\\.\\.\\.\\s*(req\\.|body\\.|params\\.|query\\.|user[Ii]nput)|(req\\.body|req\\.query|req\\.params)\\s*[,)])",
+      "flags": "g",
+      "description": "Mass assignment occurs when user-supplied input is directly spread into or passed to database operations, allowing attackers to set fields they should not control (e.g., isAdmin, role, balance).",
+      "severity": "HIGH",
+      "ecosystem": "npm",
+      "affectedPackages": [],
+      "references": ["https://owasp.org/API-Security/editions/2023/en/0xa3-broken-object-property-level-authorization/"],
+      "codeExample": "await User.create(req.body);\nawait User.update({ ...req.body }, { where: { id } });",
+      "fixExample": "// Explicitly pick allowed fields:\nconst { name, email } = req.body;\nawait User.create({ name, email });\n// Or use an allowlist:\nconst allowed = ['name', 'email', 'avatar'];\nconst data = Object.fromEntries(\n  Object.entries(req.body).filter(([k]) => allowed.includes(k))\n);\nawait User.create(data);"
+    }
+  ]
+}