getdoorman 1.0.0

package/src/rules/security/csharp.js

@@ -0,0 +1,862 @@
+/**
+ * C# Security Rules (SEC-CS-001 through SEC-CS-050)
+ *
+ * Each rule scans C# source files for security vulnerabilities.
+ */
+
+const isCS = (f) => f.endsWith('.cs');
+
+const SKIP_PATH = /[/\\](test|tests|__tests__|__mocks__|mocks|fixtures|__fixtures__|spec|__snapshots__|node_modules|vendor|dist|build|bin|obj)[/\\]/i;
+const COMMENT_LINE = /^\s*(\/\/|\/\*|\*)/;
+
+function scanLines(content, regex, file, rule) {
+  const findings = [];
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (COMMENT_LINE.test(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        title: rule.title,
+        description: rule.description,
+        confidence: rule.confidence,
+        file,
+        line: i + 1,
+        fix: rule.fix || null,
+      });
+    }
+  }
+  return findings;
+}
+
+function checkCS(rule, files, ...patterns) {
+  const findings = [];
+  for (const [path, content] of files) {
+    if (SKIP_PATH.test(path)) continue;
+    if (isCS(path)) {
+      for (const p of patterns) {
+        findings.push(...scanLines(content, p, path, rule));
+      }
+    }
+  }
+  return findings;
+}
+
+const rules = [
+  // SEC-CS-001: SQL injection via string concatenation in SqlCommand
+  {
+    id: 'SEC-CS-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via String Concatenation in SqlCommand',
+    description: 'Building SQL queries with string concatenation in SqlCommand allows SQL injection.',
+    fix: { suggestion: 'Use parameterized queries with SqlParameter instead of string concatenation.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /new\s+SqlCommand\s*\(\s*["'][^"']*["']\s*\+/,
+        /new\s+SqlCommand\s*\(\s*\$"/,
+      );
+    },
+  },
+
+  // SEC-CS-002: SQL injection via string interpolation
+  {
+    id: 'SEC-CS-002',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via String Interpolation',
+    description: 'Using string interpolation ($"...") in SQL commands allows injection.',
+    fix: { suggestion: 'Use parameterized queries with @param placeholders and cmd.Parameters.Add().' },
+    check({ files }) {
+      return checkCS(this, files,
+        /CommandText\s*=\s*\$"/,
+        /\.ExecuteSqlRaw\s*\(\s*\$"/,
+      );
+    },
+  },
+
+  // SEC-CS-003: SQL injection via string.Format
+  {
+    id: 'SEC-CS-003',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via String.Format',
+    description: 'Using String.Format to build SQL queries enables injection attacks.',
+    fix: { suggestion: 'Use parameterized queries instead of String.Format for SQL.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /(?:SqlCommand|CommandText|ExecuteSql).*string\.Format\s*\(/i,
+      );
+    },
+  },
+
+  // SEC-CS-004: XSS via Html.Raw
+  {
+    id: 'SEC-CS-004',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'XSS via Html.Raw()',
+    description: 'Using Html.Raw() with user-controlled data disables HTML encoding, enabling XSS.',
+    fix: { suggestion: 'Avoid Html.Raw with user input. Use @Html.Encode or Razor auto-encoding.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /Html\.Raw\s*\(/,
+      );
+    },
+  },
+
+  // SEC-CS-005: XSS via Response.Write
+  {
+    id: 'SEC-CS-005',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'XSS via Response.Write',
+    description: 'Writing user input directly to Response.Write without encoding enables XSS.',
+    fix: { suggestion: 'Use HttpUtility.HtmlEncode before writing to the response.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /Response\.Write\s*\(\s*(?:Request|input|user|param)/,
+      );
+    },
+  },
+
+  // SEC-CS-006: Insecure deserialization - BinaryFormatter
+  {
+    id: 'SEC-CS-006',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Insecure Deserialization: BinaryFormatter',
+    description: 'BinaryFormatter is inherently insecure and can execute arbitrary code during deserialization.',
+    fix: { suggestion: 'Use System.Text.Json or JsonSerializer. BinaryFormatter is obsolete in .NET 5+.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /new\s+BinaryFormatter\s*\(\s*\)/,
+        /BinaryFormatter\s+\w+\s*=\s*new/,
+      );
+    },
+  },
+
+  // SEC-CS-007: Insecure deserialization - JsonConvert without type handling
+  {
+    id: 'SEC-CS-007',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure Deserialization: TypeNameHandling',
+    description: 'JsonConvert with TypeNameHandling.All or Auto allows type injection attacks.',
+    fix: { suggestion: 'Avoid TypeNameHandling.All/Auto. Use TypeNameHandling.None (default) or a custom SerializationBinder.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /TypeNameHandling\s*=\s*TypeNameHandling\.(?:All|Auto|Objects|Arrays)/,
+      );
+    },
+  },
+
+  // SEC-CS-008: Insecure deserialization - JavaScriptSerializer
+  {
+    id: 'SEC-CS-008',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure Deserialization: JavaScriptSerializer',
+    description: 'JavaScriptSerializer with type resolution can be exploited for remote code execution.',
+    fix: { suggestion: 'Use System.Text.Json or Newtonsoft.Json with safe settings.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /new\s+JavaScriptSerializer\s*\(\s*new\s+SimpleTypeResolver/,
+      );
+    },
+  },
+
+  // SEC-CS-009: Command injection via Process.Start
+  {
+    id: 'SEC-CS-009',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via Process.Start',
+    description: 'Passing user-controlled data to Process.Start enables arbitrary command execution.',
+    fix: { suggestion: 'Validate and sanitize input. Avoid UseShellExecute = true with user input.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /Process\.Start\s*\(\s*(?:request|input|user|param|Request)/,
+      );
+    },
+  },
+
+  // SEC-CS-010: Command injection via ProcessStartInfo
+  {
+    id: 'SEC-CS-010',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via ProcessStartInfo',
+    description: 'Setting ProcessStartInfo.Arguments with user input enables command injection.',
+    fix: { suggestion: 'Validate and sanitize arguments. Set UseShellExecute = false.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /Arguments\s*=\s*(?:\$"|.*\+\s*(?:request|input|user|param|Request))/,
+      );
+    },
+  },
+
+  // SEC-CS-011: Path traversal via Path.Combine
+  {
+    id: 'SEC-CS-011',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Path Traversal via Path.Combine',
+    description: 'Path.Combine with user input can be exploited if the second argument is an absolute path.',
+    fix: { suggestion: 'Use Path.GetFullPath and verify the result starts with the expected base directory.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /Path\.Combine\s*\(\s*\w+\s*,\s*(?:request|input|user|param|Request)/i,
+      );
+    },
+  },
+
+  // SEC-CS-012: Path traversal via File operations
+  {
+    id: 'SEC-CS-012',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Path Traversal via File Operations',
+    description: 'File.ReadAllText, File.Open, etc. with user-controlled paths allow reading arbitrary files.',
+    fix: { suggestion: 'Validate and canonicalize paths. Ensure they remain within the expected directory.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /File\.(?:ReadAll|WriteAll|Open|Delete|Copy|Move)\w*\s*\(\s*(?:request|input|user|param|Request)/i,
+      );
+    },
+  },
+
+  // SEC-CS-013: LDAP injection
+  {
+    id: 'SEC-CS-013',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'LDAP Injection',
+    description: 'Building LDAP filters with string concatenation allows injection attacks.',
+    fix: { suggestion: 'Use parameterized LDAP queries or sanitize input with LDAP encoding.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /DirectorySearcher.*Filter\s*=\s*.*\+\s*(?:request|input|user|param|Request)/i,
+        /new\s+DirectorySearcher\s*\(\s*["'].*["']\s*\+/,
+      );
+    },
+  },
+
+  // SEC-CS-014: LDAP injection via string interpolation
+  {
+    id: 'SEC-CS-014',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'LDAP Injection via String Interpolation',
+    description: 'Using string interpolation in LDAP filters enables injection.',
+    fix: { suggestion: 'Sanitize input using LDAP encoding before including in filters.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /Filter\s*=\s*\$".*\{/,
+      );
+    },
+  },
+
+  // SEC-CS-015: XXE via XmlDocument
+  {
+    id: 'SEC-CS-015',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'XXE: XmlDocument Without Safe Settings',
+    description: 'XmlDocument processes external entities by default, enabling XXE attacks.',
+    fix: { suggestion: 'Set XmlResolver = null on XmlDocument before loading XML.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /new\s+XmlDocument\s*\(\s*\)/,
+      );
+    },
+  },
+
+  // SEC-CS-016: XXE via XmlTextReader
+  {
+    id: 'SEC-CS-016',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'XXE: XmlTextReader Without Safe Settings',
+    description: 'XmlTextReader processes DTDs and external entities by default.',
+    fix: { suggestion: 'Set DtdProcessing = DtdProcessing.Prohibit on XmlReaderSettings.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /new\s+XmlTextReader\s*\(/,
+      );
+    },
+  },
+
+  // SEC-CS-017: Weak crypto - MD5
+  {
+    id: 'SEC-CS-017',
+    category: 'security',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Weak Cryptographic Hash: MD5',
+    description: 'MD5 is cryptographically broken and must not be used for security purposes.',
+    fix: { suggestion: 'Use SHA256 or SHA512 for hashing. Use PBKDF2, bcrypt, or Argon2 for passwords.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /MD5\.Create\s*\(\s*\)/,
+        /new\s+MD5CryptoServiceProvider\s*\(\s*\)/,
+      );
+    },
+  },
+
+  // SEC-CS-018: Weak crypto - SHA1
+  {
+    id: 'SEC-CS-018',
+    category: 'security',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Weak Cryptographic Hash: SHA1',
+    description: 'SHA1 has known collision attacks and should not be used for security.',
+    fix: { suggestion: 'Use SHA256 or SHA512 instead of SHA1.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /SHA1\.Create\s*\(\s*\)/,
+        /new\s+SHA1(?:Managed|CryptoServiceProvider)\s*\(\s*\)/,
+      );
+    },
+  },
+
+  // SEC-CS-019: Weak crypto - DES
+  {
+    id: 'SEC-CS-019',
+    category: 'security',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Weak Encryption: DES',
+    description: 'DES has a 56-bit key and is trivially breakable.',
+    fix: { suggestion: 'Use AES (Aes.Create()) instead of DES.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /DES\.Create\s*\(\s*\)/,
+        /new\s+DESCryptoServiceProvider\s*\(\s*\)/,
+      );
+    },
+  },
+
+  // SEC-CS-020: Weak crypto - TripleDES
+  {
+    id: 'SEC-CS-020',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'definite',
+    title: 'Weak Encryption: TripleDES',
+    description: 'TripleDES is deprecated and slower than AES with comparable security.',
+    fix: { suggestion: 'Use AES (Aes.Create()) instead of TripleDES.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /TripleDES\.Create\s*\(\s*\)/,
+        /new\s+TripleDESCryptoServiceProvider\s*\(\s*\)/,
+      );
+    },
+  },
+
+  // SEC-CS-021: Insecure random - System.Random
+  {
+    id: 'SEC-CS-021',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure Random: System.Random',
+    description: 'System.Random is predictable and must not be used for security-sensitive operations.',
+    fix: { suggestion: 'Use System.Security.Cryptography.RandomNumberGenerator for cryptographic randomness.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /new\s+Random\s*\(\s*\)/,
+      );
+    },
+  },
+
+  // SEC-CS-022: Missing Authorize attribute
+  {
+    id: 'SEC-CS-022',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Missing [Authorize] on Controller',
+    description: 'Controllers without [Authorize] allow unauthenticated access to all actions.',
+    fix: { suggestion: 'Add [Authorize] attribute to controllers or actions that require authentication.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /public\s+class\s+\w+Controller\s*:\s*Controller(?!Base)/,
+      );
+    },
+  },
+
+  // SEC-CS-023: AllowAnonymous on sensitive endpoint
+  {
+    id: 'SEC-CS-023',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'AllowAnonymous on Potentially Sensitive Endpoint',
+    description: '[AllowAnonymous] bypasses authentication. Ensure it is intentional.',
+    fix: { suggestion: 'Review endpoints with [AllowAnonymous] to ensure they should be publicly accessible.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /\[AllowAnonymous\]/,
+      );
+    },
+  },
+
+  // SEC-CS-024: Missing ValidateAntiForgeryToken
+  {
+    id: 'SEC-CS-024',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Missing [ValidateAntiForgeryToken]',
+    description: 'POST actions without [ValidateAntiForgeryToken] are vulnerable to CSRF attacks.',
+    fix: { suggestion: 'Add [ValidateAntiForgeryToken] to all POST/PUT/DELETE actions, or use AutoValidateAntiforgeryToken globally.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /\[HttpPost\]/,
+      );
+    },
+  },
+
+  // SEC-CS-025: Missing ValidateAntiForgeryToken on PUT/DELETE
+  {
+    id: 'SEC-CS-025',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Missing CSRF Protection on State-Changing Action',
+    description: 'PUT/DELETE actions without anti-forgery token validation are vulnerable to CSRF.',
+    fix: { suggestion: 'Add [ValidateAntiForgeryToken] or use the AutoValidateAntiforgeryToken filter.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /\[Http(?:Put|Delete|Patch)\]/,
+      );
+    },
+  },
+
+  // SEC-CS-026: Missing Required attribute
+  {
+    id: 'SEC-CS-026',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Missing Input Validation Attributes',
+    description: 'Model properties without [Required], [StringLength] may accept invalid input.',
+    fix: { suggestion: 'Add data annotation attributes like [Required], [StringLength], [Range] to model properties.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /public\s+string\s+\w+\s*\{\s*get\s*;\s*set\s*;\s*\}/,
+      );
+    },
+  },
+
+  // SEC-CS-027: Missing StringLength attribute
+  {
+    id: 'SEC-CS-027',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Missing String Length Validation',
+    description: 'String properties without [StringLength] can accept arbitrarily long input.',
+    fix: { suggestion: 'Add [StringLength(maxLength)] to string properties to prevent oversized input.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /public\s+string\s+(?:Name|Title|Description|Comment|Message|Input|Query|Search)\s*\{/i,
+      );
+    },
+  },
+
+  // SEC-CS-028: Hardcoded connection string
+  {
+    id: 'SEC-CS-028',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Hardcoded Connection String',
+    description: 'Database connection strings with credentials hardcoded in source code.',
+    fix: { suggestion: 'Store connection strings in appsettings.json or use environment variables with User Secrets in development.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /(?:connectionString|ConnectionString)\s*=\s*["'](?:Server|Data Source|Host).*(?:Password|Pwd)=/i,
+      );
+    },
+  },
+
+  // SEC-CS-029: Hardcoded credentials
+  {
+    id: 'SEC-CS-029',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Hardcoded Credentials',
+    description: 'Passwords or API keys hardcoded in source code risk exposure.',
+    fix: { suggestion: 'Use IConfiguration, environment variables, or Azure Key Vault for secrets.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /(?:password|apiKey|secret|token)\s*=\s*["'][^"']{4,}["']/i,
+      );
+    },
+  },
+
+  // SEC-CS-030: ViewBag/ViewData for sensitive data
+  {
+    id: 'SEC-CS-030',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Sensitive Data in ViewBag/ViewData',
+    description: 'Passing sensitive data through ViewBag or ViewData can expose it in views.',
+    fix: { suggestion: 'Use strongly-typed view models and avoid passing sensitive data to views.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /ViewBag\.(?:Password|Secret|Token|Key|Credential)/i,
+        /ViewData\s*\[\s*["'](?:password|secret|token|key|credential)["']\s*\]/i,
+      );
+    },
+  },
+
+  // SEC-CS-031: Missing HTTPS redirect
+  {
+    id: 'SEC-CS-031',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Missing HTTPS Redirect',
+    description: 'Without UseHttpsRedirection, HTTP requests may not be redirected to HTTPS.',
+    fix: { suggestion: 'Add app.UseHttpsRedirection() in the request pipeline.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /app\.UseRouting\s*\(\s*\)/,
+      );
+    },
+  },
+
+  // SEC-CS-032: Insecure cookie - missing Secure
+  {
+    id: 'SEC-CS-032',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure Cookie: Secure Flag Disabled',
+    description: 'Cookies with Secure = false can be sent over unencrypted HTTP connections.',
+    fix: { suggestion: 'Set cookie.Secure = true, especially for authentication cookies.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /\.Secure\s*=\s*false/,
+      );
+    },
+  },
+
+  // SEC-CS-033: Insecure cookie - missing HttpOnly
+  {
+    id: 'SEC-CS-033',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Insecure Cookie: HttpOnly Disabled',
+    description: 'Cookies without HttpOnly can be accessed by JavaScript, increasing XSS impact.',
+    fix: { suggestion: 'Set cookie.HttpOnly = true for session and authentication cookies.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /\.HttpOnly\s*=\s*false/,
+      );
+    },
+  },
+
+  // SEC-CS-034: Missing CORS policy
+  {
+    id: 'SEC-CS-034',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Permissive CORS Policy',
+    description: 'AllowAnyOrigin enables any website to make cross-origin requests.',
+    fix: { suggestion: 'Specify allowed origins explicitly with WithOrigins().' },
+    check({ files }) {
+      return checkCS(this, files,
+        /\.AllowAnyOrigin\s*\(\s*\)/,
+      );
+    },
+  },
+
+  // SEC-CS-035: CORS with credentials and any origin
+  {
+    id: 'SEC-CS-035',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'CORS: Credentials with Any Origin',
+    description: 'AllowCredentials with AllowAnyOrigin is a severe misconfiguration.',
+    fix: { suggestion: 'Never combine AllowCredentials with AllowAnyOrigin. Specify allowed origins.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /\.AllowCredentials\s*\(\s*\)/,
+      );
+    },
+  },
+
+  // SEC-CS-036: Regex without timeout
+  {
+    id: 'SEC-CS-036',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Regex Without Timeout',
+    description: 'Regex without a timeout can cause catastrophic backtracking and denial of service.',
+    fix: { suggestion: 'Use the Regex constructor overload with a TimeSpan timeout parameter.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /new\s+Regex\s*\(\s*["'][^"']+["']\s*\)/,
+      );
+    },
+  },
+
+  // SEC-CS-037: Regex with user input
+  {
+    id: 'SEC-CS-037',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Regex with User-Controlled Pattern',
+    description: 'Creating Regex from user input allows ReDoS attacks via crafted patterns.',
+    fix: { suggestion: 'Validate or escape user input with Regex.Escape(). Always set a timeout.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /new\s+Regex\s*\(\s*(?:request|input|user|param|Request)/i,
+      );
+    },
+  },
+
+  // SEC-CS-038: Assembly.Load with user input
+  {
+    id: 'SEC-CS-038',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Dynamic Assembly Loading with User Input',
+    description: 'Loading assemblies from user-controlled paths enables arbitrary code execution.',
+    fix: { suggestion: 'Validate assembly names against an allowlist. Avoid loading assemblies from user input.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /Assembly\.(?:Load|LoadFrom|LoadFile)\s*\(\s*(?:request|input|user|param|Request)/i,
+      );
+    },
+  },
+
+  // SEC-CS-039: Activator.CreateInstance with user input
+  {
+    id: 'SEC-CS-039',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Dynamic Type Instantiation with User Input',
+    description: 'Activator.CreateInstance with user-controlled type names can instantiate malicious types.',
+    fix: { suggestion: 'Validate type names against an allowlist.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /Activator\.CreateInstance\s*\(\s*(?:Type\.GetType\s*\(|.*(?:request|input|user|param))/i,
+      );
+    },
+  },
+
+  // SEC-CS-040: Information exposure via exception
+  {
+    id: 'SEC-CS-040',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Information Exposure via Exception Details',
+    description: 'Returning exception details to users can expose internal implementation details.',
+    fix: { suggestion: 'Log the full exception internally. Return generic error messages to users.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /return\s+(?:Ok|Content|Json)\s*\(\s*(?:ex|exception)\.(?:Message|StackTrace|ToString)/i,
+      );
+    },
+  },
+
+  // SEC-CS-041: Missing model validation
+  {
+    id: 'SEC-CS-041',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Missing ModelState Validation',
+    description: 'Not checking ModelState.IsValid may process invalid input.',
+    fix: { suggestion: 'Check ModelState.IsValid at the start of controller actions, or use [ApiController] for automatic validation.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /public\s+(?:async\s+)?(?:Task<)?(?:IActionResult|ActionResult).*\(/,
+      );
+    },
+  },
+
+  // SEC-CS-042: Open redirect
+  {
+    id: 'SEC-CS-042',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Open Redirect',
+    description: 'Redirecting to user-supplied URLs without validation enables phishing.',
+    fix: { suggestion: 'Use LocalRedirect() or Url.IsLocalUrl() to validate redirect targets.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /Redirect\s*\(\s*(?:request|input|user|param|Request|returnUrl|url)/i,
+      );
+    },
+  },
+
+  // SEC-CS-043: Insecure SSL/TLS
+  {
+    id: 'SEC-CS-043',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'TLS Certificate Validation Disabled',
+    description: 'Disabling certificate validation allows man-in-the-middle attacks.',
+    fix: { suggestion: 'Remove ServerCertificateValidationCallback that returns true. Use proper CA certificates.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /ServerCertificateValidationCallback\s*=\s*\(\s*\w+\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*\)\s*=>\s*true/,
+        /ServicePointManager\.ServerCertificateValidationCallback\s*\+?=\s*delegate\s*\{[^}]*return\s+true/,
+      );
+    },
+  },
+
+  // SEC-CS-044: Logging sensitive data
+  {
+    id: 'SEC-CS-044',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Sensitive Data in Log Output',
+    description: 'Logging passwords, tokens, or keys exposes sensitive data in log files.',
+    fix: { suggestion: 'Redact sensitive fields before logging.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /_?logger\.(?:Log|Info|Debug|Warn|Error|Fatal)\w*\s*\(.*(?:password|token|secret|key|credential)/i,
+      );
+    },
+  },
+
+  // SEC-CS-045: Hardcoded encryption key
+  {
+    id: 'SEC-CS-045',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Hardcoded Encryption Key',
+    description: 'Encryption keys hardcoded in source code can be extracted from assemblies.',
+    fix: { suggestion: 'Use Azure Key Vault, DPAPI, or configuration management for encryption keys.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /\.Key\s*=\s*(?:Encoding\.\w+\.GetBytes\s*\(\s*["']|new\s+byte\s*\[\s*\]\s*\{)/,
+      );
+    },
+  },
+
+  // SEC-CS-046: Weak password hashing
+  {
+    id: 'SEC-CS-046',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Weak Password Hashing',
+    description: 'Using MD5 or SHA for password hashing is insecure without salting and stretching.',
+    fix: { suggestion: 'Use PasswordHasher<T>, bcrypt, or Argon2 for password hashing.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /(?:MD5|SHA\d+)\.(?:Create|ComputeHash).*(?:password|passwd)/i,
+      );
+    },
+  },
+
+  // SEC-CS-047: Server header exposure
+  {
+    id: 'SEC-CS-047',
+    category: 'security',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Server Header Exposed',
+    description: 'Exposing server version headers helps attackers identify vulnerabilities.',
+    fix: { suggestion: 'Remove or suppress server version headers using UseKestrel options.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /AddServerHeader\s*=\s*true/,
+      );
+    },
+  },
+
+  // SEC-CS-048: Mass assignment
+  {
+    id: 'SEC-CS-048',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Mass Assignment Vulnerability',
+    description: 'Binding request data directly to domain models without [Bind] can allow overposting.',
+    fix: { suggestion: 'Use [Bind(Include = ...)] or separate view models/DTOs to control which properties are bound.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /public\s+(?:async\s+)?(?:Task<)?IActionResult\s+\w+\s*\(\s*(?!\[Bind)[A-Z]\w+\s+\w+\s*\)/,
+      );
+    },
+  },
+
+  // SEC-CS-049: Insecure file upload
+  {
+    id: 'SEC-CS-049',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure File Upload',
+    description: 'Saving uploaded files without validating content type, extension, and size is dangerous.',
+    fix: { suggestion: 'Validate file extension, content type, and size. Store outside web root with generated names.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /IFormFile.*\.CopyTo\s*\(/,
+        /\.SaveAs\s*\(\s*(?:Path\.Combine|Server\.MapPath)/,
+      );
+    },
+  },
+
+  // SEC-CS-050: Entity Framework raw SQL
+  {
+    id: 'SEC-CS-050',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via Entity Framework Raw SQL',
+    description: 'Using FromSqlRaw or ExecuteSqlRaw with string interpolation bypasses EF parameterization.',
+    fix: { suggestion: 'Use FromSqlInterpolated or ExecuteSqlInterpolated which auto-parameterize interpolated strings.' },
+    check({ files }) {
+      return checkCS(this, files,
+        /\.FromSqlRaw\s*\(\s*\$"/,
+        /\.ExecuteSqlRaw\s*\(\s*\$"/,
+      );
+    },
+  },
+];
+
+export default rules;