getdoorman 1.0.0

package/src/rules/security/injection.js

@@ -0,0 +1,1639 @@
+/**
+ * Injection Detection Rules (SEC-INJ-001 through SEC-INJ-020)
+ *
+ * Each rule scans source files for injection vulnerabilities and returns
+ * an array of findings.
+ */
+
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some(ext => f.endsWith(ext));
+const isPy = (f) => f.endsWith('.py');
+
+const SKIP_PATH = /[/\\](test|tests|__tests__|__mocks__|mocks|fixtures|__fixtures__|spec|__snapshots__|node_modules|vendor|dist|build)[/\\]/i;
+const COMMENT_LINE = /^\s*(\/\/|#|\/\*|\*)/;
+
+function scanLines(content, regex, file, rule) {
+  const findings = [];
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (COMMENT_LINE.test(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        title: rule.title,
+        description: rule.description,
+        confidence: rule.confidence,
+        file,
+        line: i + 1,
+        fix: rule.fix || null,
+      });
+    }
+  }
+  return findings;
+}
+
+const rules = [
+  // ---------------------------------------------------------------
+  // SEC-INJ-001: SQL injection via string concatenation
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via String Concatenation',
+    description:
+      'SQL query built with string concatenation or template literals allows attacker-controlled input to alter the query structure.',
+    fix: { suggestion: 'Use parameterized queries or prepared statements instead of string interpolation.' },
+    check({ files }) {
+      const findings = [];
+      const jsPattern = /(?:query|execute|raw|\.sql)\s*\(\s*`[^`]*\$\{/;
+      const jsConcatPattern = /(?:query|execute|raw|\.sql)\s*\(\s*(?:['"][^'"]*['"]\s*\+|\w+\s*\+\s*['"])/;
+      // Match Python f-strings, .format(), string concatenation, and % formatting
+      // in execute() calls.  Exclude psycopg2-style parameterized queries where
+      // %s is a DB placeholder (execute("...%s...", (val,))).
+      const pyFString = /(?:execute|cursor\.execute|\.raw)\s*\(\s*f['"]/;
+      const pyFormat = /(?:execute|cursor\.execute|\.raw)\s*\(\s*['"].*\bformat\b/;
+      const pyConcat = /(?:execute|cursor\.execute|\.raw)\s*\(\s*['"].*\+/;
+      const pyPercent = /(?:execute|cursor\.execute|\.raw)\s*\(\s*['"].*%s.*['"]\s*%/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, jsPattern, path, this));
+          findings.push(...scanLines(content, jsConcatPattern, path, this));
+        } else if (isPy(path)) {
+          findings.push(...scanLines(content, pyFString, path, this));
+          findings.push(...scanLines(content, pyFormat, path, this));
+          findings.push(...scanLines(content, pyConcat, path, this));
+          findings.push(...scanLines(content, pyPercent, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-002: SQL injection via ORM raw queries
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-002',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via ORM Raw Queries',
+    description:
+      'Raw query methods in ORMs (Sequelize.query, prisma.$queryRaw, knex.raw) used with string interpolation bypass ORM protections.',
+    fix: { suggestion: 'Use tagged template literals (e.g., Prisma.sql``) or pass bind parameters as a second argument.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:sequelize\.query|prisma\.\$queryRaw(?:Unsafe)?|knex\.raw|typeorm\.query)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+)/i;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-003: NoSQL injection via MongoDB
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-003',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'NoSQL Injection via MongoDB',
+    description:
+      'Passing unsanitized user input to MongoDB query operators ($where, $regex) or directly to find/findOne enables NoSQL injection.',
+    fix: { suggestion: 'Validate and sanitize input. Avoid passing req.body directly to query methods. Use mongo-sanitize or express-mongo-sanitize.' },
+    check({ files }) {
+      const findings = [];
+      const wherePattern = /\$where\s*:/;
+      const regexFromInput = /\$regex\s*:\s*(?:req\.|params|query|body|input|user)/;
+      const directBody = /\.(?:find|findOne|findOneAndUpdate|updateOne|updateMany|deleteOne|deleteMany|aggregate)\s*\(\s*req\.body/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, wherePattern, path, this));
+          findings.push(...scanLines(content, regexFromInput, path, this));
+          findings.push(...scanLines(content, directBody, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-004: Command injection via exec
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-004',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via exec',
+    description:
+      'Using child_process.exec or execSync with template literals or string concatenation allows arbitrary command execution.',
+    fix: { suggestion: 'Use execFile or spawn (without shell: true) with an argument array instead of exec.' },
+    check({ files }) {
+      const findings = [];
+      const templatePattern = /(?:exec|execSync)\s*\(\s*`[^`]*\$\{/;
+      const concatPattern = /(?:exec|execSync)\s*\(\s*(?:['"][^'"]*['"]\s*\+|\w+\s*\+\s*['"])/;
+      const pyPattern = /(?:os\.system|os\.popen|subprocess\.call|subprocess\.run|subprocess\.Popen)\s*\(\s*(?:f['"]|['"].*%|['"].*\+|['"].*\.format)/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, templatePattern, path, this));
+          findings.push(...scanLines(content, concatPattern, path, this));
+        } else if (isPy(path)) {
+          findings.push(...scanLines(content, pyPattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-005: Command injection via shell spawn
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-005',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via Shell Spawn',
+    description:
+      'Using spawn or spawnSync with shell: true and variable input allows command injection through shell metacharacters.',
+    fix: { suggestion: 'Remove shell: true and pass arguments as an array. Validate and sanitize all input.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /spawn(?:Sync)?\s*\([^)]*shell\s*:\s*true/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          // Multi-line aware: check blocks of code for spawn with shell:true
+          const lines = content.split('\n');
+          let inSpawn = false;
+          let spawnLine = 0;
+          for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (COMMENT_LINE.test(line)) continue;
+            if (/spawn(?:Sync)?\s*\(/.test(line)) {
+              inSpawn = true;
+              spawnLine = i;
+            }
+            if (inSpawn && /shell\s*:\s*true/.test(line)) {
+              findings.push({
+                ruleId: this.id,
+                category: this.category,
+                severity: this.severity,
+                title: this.title,
+                description: this.description,
+                confidence: this.confidence,
+                file: path,
+                line: spawnLine + 1,
+                fix: this.fix,
+              });
+              inSpawn = false;
+            }
+            if (inSpawn && /[)}];/.test(line)) {
+              inSpawn = false;
+            }
+          }
+          // Also catch single-line occurrences
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      // Deduplicate by file+line
+      const seen = new Set();
+      return findings.filter((f) => {
+        const key = `${f.file}:${f.line}`;
+        if (seen.has(key)) return false;
+        seen.add(key);
+        return true;
+      });
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-006: LDAP injection
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-006',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'LDAP Injection',
+    description:
+      'LDAP search filters built with user input concatenation allow attackers to modify LDAP queries.',
+    fix: { suggestion: 'Use ldap-escape or parameterized LDAP filter construction.' },
+    check({ files }) {
+      const findings = [];
+      const templatePattern = /(?:ldap|client)\.search\s*\([^)]*`[^`]*\$\{/i;
+      const concatPattern = /(?:filter|ldapFilter|searchFilter)\s*[:=]\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+)/i;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path) || isPy(path)) {
+          findings.push(...scanLines(content, templatePattern, path, this));
+          findings.push(...scanLines(content, concatPattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-007: XPath injection
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-007',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'XPath Injection',
+    description:
+      'XPath expressions built with string concatenation or template literals allow attackers to manipulate XML queries.',
+    fix: { suggestion: 'Use parameterized XPath queries or validate/escape user input before embedding in XPath expressions.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:xpath\.(?:evaluate|select)|\.evaluate)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+)/i;
+      const concatPattern = /(?:xpathQuery|xpathExpr|xpathExpression)\s*[:=]\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+)/i;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+          findings.push(...scanLines(content, concatPattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-008: Server-side template injection (SSTI)
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-008',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Server-Side Template Injection (SSTI)',
+    description:
+      'Rendering templates from user-controlled strings (ejs.render, pug.render, nunjucks.renderString) can lead to remote code execution.',
+    fix: { suggestion: 'Never pass user input as the template string. Use pre-compiled templates and pass user data as context variables.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:ejs\.render|pug\.render|nunjucks\.renderString|handlebars\.compile|mustache\.render|doT\.template)\s*\(\s*(?:req\.|params|query|body|input|user|\w*[Ii]nput|\w*[Dd]ata)/;
+      const templateFromVar = /(?:ejs\.render|pug\.render|nunjucks\.renderString)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+)/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+          findings.push(...scanLines(content, templateFromVar, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-009: Header injection (CRLF)
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-009',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'HTTP Header Injection (CRLF)',
+    description:
+      'Setting HTTP headers with unsanitized user input can allow CRLF injection to add arbitrary headers or split the response.',
+    fix: { suggestion: 'Validate and sanitize header values. Strip \\r and \\n characters from any user-controlled header values.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:setHeader|writeHead|res\.set|res\.header)\s*\([^)]*(?:req\.(?:params|query|body|headers)|input|user)/i;
+      const redirectPattern = /(?:res\.redirect|res\.location)\s*\(\s*(?:req\.(?:params|query|body)|input)/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+          findings.push(...scanLines(content, redirectPattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-010: Log injection
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-010',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Log Injection',
+    description:
+      'Logging unsanitized user input (req.body, req.params, req.query) can allow log forging, log poisoning, or CRLF in log entries.',
+    fix: { suggestion: 'Sanitize or encode user input before logging. Strip newlines and control characters.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:console\.(?:log|info|warn|error|debug)|logger\.(?:log|info|warn|error|debug)|log\.(?:info|warn|error|debug))\s*\([^)]*req\.(?:body|params|query)/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-011: eval() and similar dynamic code execution
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-011',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Dynamic Code Execution (eval)',
+    description:
+      'eval(), new Function(), and setTimeout/setInterval with string arguments allow arbitrary code execution.',
+    fix: { suggestion: 'Avoid eval and new Function entirely. Use JSON.parse for data, and function references for setTimeout/setInterval.' },
+    check({ files }) {
+      const findings = [];
+      const evalPattern = /\beval\s*\(/;
+      const newFunctionPattern = /new\s+Function\s*\(/;
+      const timerStringPattern = /(?:setTimeout|setInterval)\s*\(\s*['"`]/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, evalPattern, path, this));
+          findings.push(...scanLines(content, newFunctionPattern, path, this));
+          findings.push(...scanLines(content, timerStringPattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-012: Regular expression injection (ReDoS)
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-012',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Regular Expression Injection (ReDoS)',
+    description:
+      'Constructing RegExp from user input can cause ReDoS (catastrophic backtracking) or allow regex injection.',
+    fix: { suggestion: 'Use a safe regex library (e.g., escape-string-regexp) to escape user input before using in RegExp, or use re2.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /new\s+RegExp\s*\(\s*(?:req\.|params|query|body|input|user|\w*[Ii]nput|\w*[Pp]attern|\w*[Ss]earch)/;
+      const templatePattern = /new\s+RegExp\s*\(\s*`[^`]*\$\{/;
+      const concatPattern = /new\s+RegExp\s*\(\s*(?:['"][^'"]*['"]\s*\+|\w+\s*\+)/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+          findings.push(...scanLines(content, templatePattern, path, this));
+          findings.push(...scanLines(content, concatPattern, path, this));
+        }
+      }
+      // Deduplicate by file+line
+      const seen = new Set();
+      return findings.filter((f) => {
+        const key = `${f.file}:${f.line}`;
+        if (seen.has(key)) return false;
+        seen.add(key);
+        return true;
+      });
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-013: GraphQL injection
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-013',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'GraphQL Injection',
+    description:
+      'Building GraphQL queries with template literals or string concatenation allows query manipulation.',
+    fix: { suggestion: 'Use GraphQL variables and parameterized queries. Never interpolate user input into query strings.' },
+    check({ files }) {
+      const findings = [];
+      const templatePattern = /(?:graphql|gql|query|mutation)\s*(?:=|:|\()?\s*`[^`]*\$\{[^}]*(?:req\.|input|param|arg|user|body|query)/i;
+      const concatPattern = /(?:graphql|gql)\s*\(\s*['"][^'"]*['"]\s*\+/i;
+      const fetchPattern = /(?:body|query)\s*:\s*(?:`[^`]*(?:query|mutation)[^`]*\$\{|['"][^'"]*(?:query|mutation)[^'"]*['"]\s*\+)/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, templatePattern, path, this));
+          findings.push(...scanLines(content, concatPattern, path, this));
+          findings.push(...scanLines(content, fetchPattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-014: ORM dynamic column names
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-014',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'ORM Dynamic Column Names',
+    description:
+      'Using user-supplied values as column names in orderBy, groupBy, or where clauses can lead to SQL injection through the ORM.',
+    fix: { suggestion: 'Whitelist allowed column names. Map user input to known-safe column identifiers.' },
+    check({ files }) {
+      const findings = [];
+      const bracketPattern = /(?:orderBy|order|groupBy|group|where|select)\s*(?:\(|\[|:)\s*\[?\s*(?:req\.(?:body|query|params)|input|user)/i;
+      const dynamicColumn = /(?:orderBy|sortBy|groupBy)\s*\(\s*(?:req\.(?:body|query|params)|input|user)/;
+      const bracketAccess = /\[(?:req\.(?:body|query|params)|input|user)[^\]]*\]/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, bracketPattern, path, this));
+          findings.push(...scanLines(content, dynamicColumn, path, this));
+          const lines = content.split('\n');
+          for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (COMMENT_LINE.test(line)) continue;
+            if (bracketAccess.test(line) && /(?:orderBy|groupBy|where|column|field)/i.test(line)) {
+              findings.push({
+                ruleId: this.id,
+                category: this.category,
+                severity: this.severity,
+                title: this.title,
+                description: this.description,
+                confidence: this.confidence,
+                file: path,
+                line: i + 1,
+                fix: this.fix,
+              });
+            }
+          }
+        }
+      }
+      const seen = new Set();
+      return findings.filter((f) => {
+        const key = `${f.file}:${f.line}`;
+        if (seen.has(key)) return false;
+        seen.add(key);
+        return true;
+      });
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-015: XXE (XML External Entity)
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-015',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'XML External Entity (XXE) Injection',
+    description:
+      'Parsing XML without disabling external entities allows XXE attacks that can read local files or perform SSRF.',
+    fix: { suggestion: 'Disable external entity processing. For xml2js use {xmldec: {standalone: true}}. For libxmljs set noent: false. Consider using a safe parser.' },
+    check({ files }) {
+      const findings = [];
+      // Detect xml2js parseString without explicit entity disable
+      const xml2jsPattern = /(?:parseString|parseStringPromise|xml2js\.Parser)\s*\(/;
+      // Detect libxmljs with noent: true (unsafe)
+      const libxmljsUnsafe = /libxmljs\.parseXml(?:String)?\s*\([^)]*noent\s*:\s*true/;
+      // Detect DOMParser or generic XML parse
+      const domParserPattern = /new\s+DOMParser\s*\(\s*\)\.parseFromString\s*\([^)]*(?:req\.|input|body|user)/;
+      // Detect DOCTYPE in template literals (potential XXE payload construction)
+      const doctypePattern = /<!DOCTYPE[^>]*<!ENTITY/i;
+      // Detect expat/sax without entity handling
+      const pyXmlPattern = /(?:etree\.parse|minidom\.parse|sax\.parse|xml\.dom\.minidom|xml\.etree\.ElementTree)\s*\(/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, libxmljsUnsafe, path, this));
+          findings.push(...scanLines(content, domParserPattern, path, this));
+          findings.push(...scanLines(content, doctypePattern, path, this));
+          // xml2js: only flag if parsing user input
+          const lines = content.split('\n');
+          for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (COMMENT_LINE.test(line)) continue;
+            if (xml2jsPattern.test(line) && /(?:req\.|body|input|user|data)/.test(line)) {
+              findings.push({
+                ruleId: this.id,
+                category: this.category,
+                severity: this.severity,
+                title: this.title,
+                description: this.description,
+                confidence: this.confidence,
+                file: path,
+                line: i + 1,
+                fix: this.fix,
+              });
+            }
+          }
+        } else if (isPy(path)) {
+          findings.push(...scanLines(content, pyXmlPattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-016: CSV injection
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-016',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'CSV Injection',
+    description:
+      'Writing user-controlled data to CSV files without escaping formula characters (=, +, -, @) enables CSV injection attacks when opened in spreadsheet software.',
+    fix: { suggestion: 'Prefix cell values with a single quote or tab character. Escape =, +, -, @ at the start of cell values.' },
+    check({ files }) {
+      const findings = [];
+      const csvWritePattern = /(?:csv|createCsvWriter|createObjectCsvWriter|csvStringify|stringify|writeToPath|fast-csv|papaparse).*(?:write|push|pipe|stringify)/i;
+      const directCsv = /(?:\.csv|\.write|createWriteStream).*(?:req\.|body|input|user|data)/i;
+      const joinComma = /\.(?:join|map)\s*\([^)]*[,'"].*(?:req\.|body|input|user)/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          const lines = content.split('\n');
+          for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (COMMENT_LINE.test(line)) continue;
+            if (csvWritePattern.test(line) && /(?:req\.|body|input|user|data)/.test(line)) {
+              findings.push({
+                ruleId: this.id,
+                category: this.category,
+                severity: this.severity,
+                title: this.title,
+                description: this.description,
+                confidence: this.confidence,
+                file: path,
+                line: i + 1,
+                fix: this.fix,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-017: Email header injection
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-017',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Email Header Injection',
+    description:
+      'Passing unsanitized user input to email fields (to, cc, bcc, subject) allows attackers to inject additional headers or recipients.',
+    fix: { suggestion: 'Validate email addresses with a proper regex or library. Strip newlines and carriage returns from all email header fields.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:sendMail|send|transport\.sendMail|transporter\.sendMail)\s*\(\s*\{[^}]*(?:to|cc|bcc|subject)\s*:\s*(?:req\.|params|query|body|input|user)/i;
+      const fieldAssign = /(?:to|cc|bcc|subject)\s*:\s*(?:req\.(?:body|query|params)|input|user)/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+          const lines = content.split('\n');
+          for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (COMMENT_LINE.test(line)) continue;
+            if (fieldAssign.test(line) && /(?:mail|email|send|smtp|nodemailer)/i.test(content.slice(Math.max(0, content.indexOf(line) - 500), content.indexOf(line) + line.length))) {
+              findings.push({
+                ruleId: this.id,
+                category: this.category,
+                severity: this.severity,
+                title: this.title,
+                description: this.description,
+                confidence: this.confidence,
+                file: path,
+                line: i + 1,
+                fix: this.fix,
+              });
+            }
+          }
+        }
+      }
+      const seen = new Set();
+      return findings.filter((f) => {
+        const key = `${f.file}:${f.line}`;
+        if (seen.has(key)) return false;
+        seen.add(key);
+        return true;
+      });
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-018: Unsafe deserialization
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-018',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Unsafe Deserialization',
+    description:
+      'Using node-serialize unserialize, js-yaml.load (not safeLoad), or JSON.parse on untrusted external input without try/catch can lead to code execution or crashes.',
+    fix: { suggestion: 'Use js-yaml.safeLoad (or yaml.load with DEFAULT_SAFE_SCHEMA). Wrap JSON.parse in try/catch. Avoid node-serialize entirely.' },
+    check({ files }) {
+      const findings = [];
+      const nodeSerialize = /(?:serialize\.unserialize|unserialize)\s*\(/;
+      const yamlUnsafe = /yaml\.load\s*\([^)]*(?!.*(?:safe|SAFE|DEFAULT_SAFE))/;
+      const yamlLoad = /(?:js-yaml|yaml).*\.load\s*\(/;
+      const pyPickle = /(?:pickle\.loads?|cPickle\.loads?|shelve\.open|marshal\.loads?)\s*\(/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, nodeSerialize, path, this));
+          // Detect yaml.load that isn't safeLoad
+          const lines = content.split('\n');
+          for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (COMMENT_LINE.test(line)) continue;
+            if (/yaml\.load\s*\(/.test(line) && !/safeLoad|SAFE_SCHEMA|safe_load/.test(line)) {
+              // Check if the file imports js-yaml
+              if (/require\s*\(\s*['"]js-yaml['"]\s*\)|from\s+['"]js-yaml['"]/.test(content)) {
+                findings.push({
+                  ruleId: this.id,
+                  category: this.category,
+                  severity: this.severity,
+                  title: this.title,
+                  description: this.description,
+                  confidence: this.confidence,
+                  file: path,
+                  line: i + 1,
+                  fix: this.fix,
+                });
+              }
+            }
+          }
+        } else if (isPy(path)) {
+          findings.push(...scanLines(content, pyPickle, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-019: Prototype pollution
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-019',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Prototype Pollution',
+    description:
+      'Using Object.assign, lodash.merge, or deep merge utilities with user input (req.body) allows attackers to inject __proto__ or constructor properties.',
+    fix: { suggestion: 'Use Object.create(null) as target, or use a safe merge library. Validate input keys and reject __proto__, constructor, and prototype.' },
+    check({ files }) {
+      const findings = [];
+      const objectAssign = /Object\.assign\s*\(\s*(?:\{[^}]*\}|[^,]+),\s*(?:req\.body|req\.query|req\.params|input|user)/;
+      const lodashMerge = /(?:_\.merge|_\.defaultsDeep|lodash\.merge|merge|deepmerge|deepExtend)\s*\(\s*[^,]+,\s*(?:req\.body|req\.query|req\.params|input|user)/;
+      const spreadFromBody = /\{\s*\.\.\.(?:req\.body|req\.query|req\.params)\s*\}/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, objectAssign, path, this));
+          findings.push(...scanLines(content, lodashMerge, path, this));
+          findings.push(...scanLines(content, spreadFromBody, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-020: Path traversal
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-020',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Path Traversal',
+    description:
+      'Using req.params, req.query, or user input directly in filesystem operations (fs.readFile, fs.writeFile, etc.) without sanitization allows directory traversal attacks.',
+    fix: { suggestion: 'Use path.resolve and verify the resolved path starts with the intended base directory. Never use user input directly in file paths.' },
+    check({ files }) {
+      const findings = [];
+      const fsOps = /(?:fs\.(?:readFile|writeFile|readFileSync|writeFileSync|createReadStream|createWriteStream|unlink|unlinkSync|access|accessSync|stat|statSync|open|openSync|rename|renameSync|copyFile|copyFileSync|mkdir|mkdirSync|rmdir|rmdirSync|readdir|readdirSync))\s*\(\s*(?:`[^`]*\$\{[^}]*(?:req\.|params|query|body|input|user)|[^)]*(?:req\.(?:params|query|body))|[^)]*\+\s*(?:req\.(?:params|query|body)))/;
+      const pathJoinUnsafe = /path\.(?:join|resolve)\s*\([^)]*(?:req\.(?:params|query|body)|input|user)/;
+      const templatePath = /(?:fs\.\w+)\s*\(\s*`[^`]*\$\{.*(?:req\.|params|query|body)/;
+      const pyPath = /(?:open|os\.path\.join|shutil(?:\.\w+)?)\s*\(\s*(?:request\.|input|user)/;
+
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, fsOps, path, this));
+          findings.push(...scanLines(content, pathJoinUnsafe, path, this));
+          findings.push(...scanLines(content, templatePath, path, this));
+        } else if (isPy(path)) {
+          findings.push(...scanLines(content, pyPath, path, this));
+        }
+      }
+      // Deduplicate by file+line
+      const seen = new Set();
+      return findings.filter((f) => {
+        const key = `${f.file}:${f.line}`;
+        if (seen.has(key)) return false;
+        seen.add(key);
+        return true;
+      });
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-021: SSRF via user-controlled URL in fetch/axios
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-021',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SSRF: fetch/axios called with user-controlled URL',
+    description: 'Making HTTP requests to URLs derived from user input enables Server-Side Request Forgery (SSRF), allowing attackers to probe internal services, cloud metadata endpoints, or exfiltrate data.',
+    fix: { suggestion: 'Validate and allowlist target URLs. Reject requests to private IP ranges and metadata endpoints.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:fetch|axios(?:\.get|\.post|\.put|\.delete|\.request)?)\s*\(\s*(?:req\.|request\.|params\.|query\.|body\.|input|user|url\s*\+|`[^`]*\$\{[^}]*(?:req|url|host|domain))/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-022: SSRF via http.request with user-controlled host
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-022',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SSRF: http.request with user-controlled host option',
+    description: 'Node.js http.request/https.request called with options derived from user input allows SSRF attacks targeting internal services.',
+    fix: { suggestion: 'Validate hostname against an allowlist before making outbound requests.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /https?\.request\s*\(\s*\{[^}]*host\s*:\s*(?:req\.|params\.|query\.|body\.|input|user)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-023: ReDoS — catastrophic nested quantifiers
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-023',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'ReDoS: Regex with nested quantifiers susceptible to catastrophic backtracking',
+    description: 'Regex patterns with nested quantifiers (e.g., (a+)+ or (a|aa)+) can take exponential time on crafted input, causing Denial of Service.',
+    fix: { suggestion: 'Rewrite the regex to avoid ambiguous repetition. Use atomic groups or possessive quantifiers, or use a safe-regex library.' },
+    check({ files }) {
+      const findings = [];
+      // Detect patterns like (X+)+ or (X|Y)+ or (.+)+ that cause backtracking
+      const nestedQuantifier = /\/[^/]*(?:\([^)]*[+*][^)]*\)[+*?]|\([^)]*\|[^)]*\)[+*]\+)[^/]*/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          const lines = content.split('\n');
+          for (let i = 0; i < lines.length; i++) {
+            if (COMMENT_LINE.test(lines[i])) continue;
+            if (nestedQuantifier.test(lines[i]) && /\.test\s*\(|\.match\s*\(|\.exec\s*\(/.test(lines[i])) {
+              findings.push({ ruleId: this.id, category: this.category, severity: this.severity, title: this.title, description: this.description, file: path, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-024: GraphQL injection — user input in query string
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-024',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'GraphQL Injection: user input interpolated into query string',
+    description: 'Interpolating user-controlled values into GraphQL query strings bypasses type safety and allows query manipulation or introspection abuse.',
+    fix: { suggestion: 'Use GraphQL variables instead of string interpolation: pass { query: QUERY_STRING, variables: { id: userInput } }.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:gql|graphql|client\.query|client\.mutate|fetch.*graphql)\s*[(`{][^`)]*\$\{[^}]*(?:req\.|params|query|body|input|user)/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-025: XML/XXE injection — user input in XML parsing
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-025',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'XXE Injection: XML parsed from user-controlled input without disabling external entities',
+    description: 'XML parsers that process external entities can be exploited to read local files, perform SSRF, or cause DoS (billion laughs attack).',
+    fix: { suggestion: 'Disable external entity processing: set resolveExternalEntities: false or use a safe parser like fast-xml-parser with external entity resolution disabled.' },
+    check({ files }) {
+      const findings = [];
+      const parsePattern = /(?:parseXML|parseString|xml2js|DOMParser|libxmljs|sax\.createSimpleStream|xmldom)\s*[\.(]/;
+      const userInputPattern = /req\.|body\.|params\.|query\.|input\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (!isJS(path)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (COMMENT_LINE.test(lines[i])) continue;
+          if (parsePattern.test(lines[i])) {
+            const ctx = lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 3)).join('\n');
+            if (userInputPattern.test(ctx) && !/resolveExternalEntities.*false|explicitCharkey|DOCTYPE.*SYSTEM.*false/i.test(ctx)) {
+              findings.push({ ruleId: this.id, category: this.category, severity: this.severity, title: this.title, description: this.description, file: path, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-026: Server-side template injection (EJS)
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-026',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SSTI: EJS template rendered with user-controlled template string',
+    description: 'Passing user input as the template string to ejs.render() allows arbitrary JavaScript execution on the server.',
+    fix: { suggestion: 'Never pass user input as the template string. Use ejs.render(STATIC_TEMPLATE, userDataAsVariables) instead.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /ejs\.render\s*\(\s*(?:req\.|params\.|query\.|body\.|input|user|`[^`]*\$\{)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-027: Server-side template injection (Pug/Jade)
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-027',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SSTI: Pug template compiled from user-controlled input',
+    description: 'pug.compile() or pug.render() with user-supplied template strings allows arbitrary code execution.',
+    fix: { suggestion: 'Always compile from static template strings. Pass user data only as local variables to the render function.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /pug\.(?:compile|render|renderFile)\s*\(\s*(?:req\.|params\.|query\.|body\.|input|user)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-028: Server-side template injection (Handlebars)
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-028',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SSTI: Handlebars template compiled from user-controlled input',
+    description: 'Handlebars.compile() called with user input allows template injection leading to remote code execution.',
+    fix: { suggestion: 'Compile Handlebars templates from static strings at startup. Use the compiled function with user data as context only.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /Handlebars\.compile\s*\(\s*(?:req\.|params\.|query\.|body\.|input|user)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-029: HTTP parameter pollution
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-029',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'HTTP Parameter Pollution: no HPP middleware configured',
+    description: 'Without hpp middleware, submitting duplicate query parameters can overwrite expected values, bypassing validation or causing unexpected behavior.',
+    fix: { suggestion: 'Use the "hpp" npm package: app.use(hpp()). It deduplicates query parameters and keeps only the last value.' },
+    check({ files }) {
+      const findings = [];
+      const hasExpress = [...files.values()].some(c => /require\s*\(\s*['"]express['"]\)|from\s+['"]express['"]/i.test(c));
+      const hasHPP = [...files.values()].some(c => /require\s*\(\s*['"]hpp['"]\)|from\s+['"]hpp['"]/i.test(c));
+      // helmet() provides comprehensive security headers; treat apps using
+      // helmet as having addressed parameter pollution at the framework level.
+      const hasHelmet = [...files.values()].some(c => /require\s*\(\s*['"]helmet['"]\)|from\s+['"]helmet['"]/i.test(c));
+      // Require an Express app with actual route definitions — not just an
+      // import — so utility modules and minimal setup files are not flagged.
+      const hasRoutes = [...files.values()].some(c => /\.(?:get|post|put|patch|delete)\s*\(\s*['"]\//.test(c));
+      if (hasExpress && hasRoutes && !hasHPP && !hasHelmet) {
+        findings.push({ ruleId: this.id, category: this.category, severity: this.severity, title: this.title, description: this.description, fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-030: Mass assignment vulnerability
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-030',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Mass Assignment: Object.assign or spread with req.body onto model',
+    description: 'Directly assigning req.body to a model object allows attackers to set unexpected fields (e.g., isAdmin, role, price), leading to privilege escalation.',
+    fix: { suggestion: 'Use an allowlist: const safe = { name: req.body.name, email: req.body.email }. Never spread or Object.assign(model, req.body) directly.' },
+    check({ files }) {
+      const findings = [];
+      const spreadPattern = /\{\s*\.\.\.\s*req\.body|\.\.\.\s*req\.body\s*[,}]/;
+      const assignPattern = /Object\.assign\s*\(\s*\w+\s*,\s*req\.body/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, spreadPattern, path, this));
+          findings.push(...scanLines(content, assignPattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-031: Insecure random for tokens/sessions
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-031',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure Random: Math.random() used for security tokens',
+    description: 'Math.random() is not cryptographically secure and should never be used for session IDs, CSRF tokens, API keys, or any security-sensitive values.',
+    fix: { suggestion: 'Use crypto.randomBytes(32).toString("hex") or crypto.randomUUID() for security tokens.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /Math\.random\s*\(\s*\)/;
+      const tokenContext = /token|session|secret|password|key|nonce|csrf|auth|id\s*=/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (!isJS(path)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (COMMENT_LINE.test(lines[i])) continue;
+          if (pattern.test(lines[i])) {
+            const ctx = lines.slice(Math.max(0, i - 2), Math.min(lines.length, i + 3)).join('\n');
+            if (tokenContext.test(ctx)) {
+              findings.push({ ruleId: this.id, category: this.category, severity: this.severity, title: this.title, description: this.description, file: path, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-032: Timing attack in string comparison
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-032',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Timing Attack: non-constant-time string comparison for secrets',
+    description: 'Using === or == to compare tokens, API keys, or HMAC signatures leaks secret length via timing differences. Use crypto.timingSafeEqual().',
+    fix: { suggestion: 'Use crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b)) for comparing any secret or token values.' },
+    check({ files }) {
+      const findings = [];
+      const secretContext = /token|hmac|signature|secret|apiKey|api_key|hash/i;
+      const eqPattern = /(?:===|==|!==|!=)\s*(?:req\.|token|secret|hash|sig)|(?:req\.|token|secret|hash|sig)[^=]*(?:===|==)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (!isJS(path)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (COMMENT_LINE.test(lines[i])) continue;
+          if (secretContext.test(lines[i]) && eqPattern.test(lines[i]) && !/timingSafeEqual/.test(lines[i])) {
+            findings.push({ ruleId: this.id, category: this.category, severity: this.severity, title: this.title, description: this.description, file: path, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-033: Missing HTTPS enforcement
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-033',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Missing HTTPS enforcement: no HTTP-to-HTTPS redirect middleware',
+    description: 'Express app without enforce-https or similar middleware allows plain HTTP connections, exposing credentials and session tokens to eavesdropping.',
+    fix: { suggestion: 'Use the enforce-https or express-sslify package, or add middleware: if (req.headers["x-forwarded-proto"] !== "https") return res.redirect("https://...").' },
+    check({ files }) {
+      const findings = [];
+      const hasExpressServer = [...files.values()].some(c => /app\.listen\s*\(|createServer/.test(c) && /require.*express|from.*express/.test(c));
+      const hasHttpsEnforce = [...files.values()].some(c => /enforce-https|express-sslify|x-forwarded-proto.*https|requireHTTPS|forceSSL/i.test(c));
+      if (hasExpressServer && !hasHttpsEnforce) {
+        findings.push({ ruleId: this.id, category: this.category, severity: this.severity, title: this.title, description: this.description, fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-034: Clickjacking — missing X-Frame-Options
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-034',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Clickjacking: no X-Frame-Options or CSP frame-ancestors header set',
+    description: 'Without X-Frame-Options or Content-Security-Policy frame-ancestors, the application can be embedded in an iframe, enabling clickjacking attacks.',
+    fix: { suggestion: 'Use helmet.js with frameguard option: app.use(helmet.frameguard({ action: "deny" })).' },
+    check({ files }) {
+      const findings = [];
+      // Only fire on the main app file — one that creates an express() instance and calls app.listen
+      const hasExpressApp = [...files.values()].some(c =>
+        /(?:require\s*\(\s*['"]express['"]\s*\)|from\s+['"]express['"])/.test(c) &&
+        /(?:app\.listen\s*\(|express\s*\(\s*\))/.test(c)
+      );
+      const hasFrameProtection = [...files.values()].some(c => /X-Frame-Options|frameguard|frame-ancestors|helmet\s*\(\s*\)|helmet\(\)/i.test(c));
+      if (hasExpressApp && !hasFrameProtection) {
+        findings.push({ ruleId: this.id, category: this.category, severity: this.severity, title: this.title, description: this.description, fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-035: Regex used as user input without validation
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-035',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'User-controlled input passed to RegExp constructor',
+    description: 'Creating a RegExp from user input without validation allows ReDoS attacks and may expose internal application behavior.',
+    fix: { suggestion: 'Escape user input with a regex-escape library before passing to RegExp, or validate against an allowlist of patterns.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /new\s+RegExp\s*\(\s*(?:req\.|params\.|query\.|body\.|input|user)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-036: LDAP injection via string concatenation
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-036',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'LDAP Injection via unsanitized user input in LDAP query',
+    description: 'Building LDAP filter strings with user input without escaping special characters allows LDAP injection attacks.',
+    fix: { suggestion: 'Escape LDAP special characters in user input: replace (, ), \\, *, NUL with their escaped equivalents before including in filter strings.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:ldap|ldapjs|activedirectory).*(?:search|filter|bind)\s*\([^)]*(?:req\.|params|query|body|input|\+\s*\w)/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-037: eval() with user-controlled input
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-037',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'eval() called with user-controlled input — arbitrary code execution',
+    description: 'eval() with any user-supplied string allows remote code execution. This is one of the most dangerous patterns in JavaScript.',
+    fix: { suggestion: 'Remove eval() entirely. Use JSON.parse() for data, or refactor to avoid dynamic evaluation.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /\beval\s*\(\s*(?:req\.|params\.|query\.|body\.|input|user|`[^`]*\$\{)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-038: Prototype pollution via merge/assign
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-038',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Prototype Pollution: deep merge with user-controlled object',
+    description: 'Deeply merging user-supplied objects without filtering __proto__ or constructor keys can pollute Object.prototype, affecting all objects in the application.',
+    fix: { suggestion: 'Use a safe merge library that strips __proto__, constructor, and prototype keys. Or use Object.create(null) as the merge target.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:merge|deepMerge|assign|extend|defaults)\s*\(\s*(?:\w+\s*,\s*)*req\.body/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-039: Open redirect via user-controlled URL
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-039',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Open Redirect: res.redirect() with user-controlled URL',
+    description: 'Redirecting to a URL from user input without validation allows phishing attacks by crafting URLs like example.com/redirect?to=evil.com.',
+    fix: { suggestion: 'Validate redirect URLs against an allowlist of safe destinations. Reject URLs containing external origins.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /res\.redirect\s*\(\s*(?:req\.|params\.|query\.|body\.|input|url\s*\+|`[^`]*\$\{[^}]*(?:req|url|redirect))/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // ---------------------------------------------------------------
+  // SEC-INJ-040: Path traversal via directory listing
+  // ---------------------------------------------------------------
+  {
+    id: 'SEC-INJ-040',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Path Traversal: express.static serving user-controlled path',
+    description: 'Using express.static with user-controlled directory paths allows directory traversal to read arbitrary files.',
+    fix: { suggestion: 'Use path.resolve() and verify the resolved path starts with the expected base directory before serving.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /express\.static\s*\(\s*(?:req\.|params\.|query\.|body\.|input|path\.join\s*\([^)]*(?:req\.|params\.))/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;
+
+// Additional injection/security rules SEC-INJ-041 through SEC-INJ-072
+
+// SEC-INJ-041: SQL injection via template literal in raw query
+rules.push({
+  id: 'SEC-INJ-041', category: 'security', severity: 'critical', confidence: 'likely',
+  title: 'SQL Injection via template literal in query string',
+  check({ files }) {
+    const findings = [];
+    const p = /['"`]\s*(?:SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER)\s[^'"`]*\$\{/i;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (COMMENT_LINE.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-INJ-041', category: 'security', severity: 'critical', title: 'SQL built with template literal — injection risk', description: 'Template literals in SQL strings allow injection when they contain user input. Use parameterized queries.', file: path, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-042: Unvalidated redirect target in 301/302
+rules.push({
+  id: 'SEC-INJ-042', category: 'security', severity: 'medium', confidence: 'likely',
+  title: 'Unvalidated redirect with status code',
+  check({ files }) {
+    const findings = [];
+    const p = /res\.(?:redirect|status\s*\(\s*30[12]\s*\)\.(?:header|redirect))\s*\([^)]*(?:req\.|params\.|query\.|body\.)/;
+    // HTTPS enforcement redirects (redirect to https:// + req.hostname) are safe
+    const httpsEnforce = /res\.redirect\s*\(\s*\d+\s*,\s*['"]https:\/\/['"]\s*\+\s*req\.hostname/;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (COMMENT_LINE.test(lines[i])) continue;
+        if (p.test(lines[i]) && !httpsEnforce.test(lines[i])) findings.push({ ruleId: 'SEC-INJ-042', category: 'security', severity: 'medium', title: 'Unvalidated redirect — open redirect enables phishing', description: 'Validate redirect destinations against a list of allowed URLs before redirecting.', file: path, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-043: HTML injection via innerHTML
+rules.push({
+  id: 'SEC-INJ-043', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'innerHTML set with dynamic value — XSS risk',
+  check({ files }) {
+    const findings = [];
+    const p = /\.innerHTML\s*\+?=\s*(?!\s*['"])/;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (COMMENT_LINE.test(lines[i])) continue;
+        if (p.test(lines[i]) && !/DOMPurify|sanitize|escape/i.test(lines[i])) findings.push({ ruleId: 'SEC-INJ-043', category: 'security', severity: 'high', title: 'innerHTML assigned dynamic value — potential XSS', description: 'Setting innerHTML with unsanitized values enables XSS. Use textContent for plain text, or DOMPurify.sanitize() for HTML content.', file: path, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-044: document.write with dynamic content
+rules.push({
+  id: 'SEC-INJ-044', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'document.write() with dynamic content — XSS risk',
+  check({ files }) {
+    const findings = [];
+    const p = /document\.write\s*\(\s*(?!['"])/;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (COMMENT_LINE.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-INJ-044', category: 'security', severity: 'high', title: 'document.write() with variable content — XSS and parse rewrite risk', description: 'document.write() with variable content can inject scripts. It also rewrites the entire document in some contexts. Use DOM APIs instead.', file: path, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-045: Unsafe deserialization with yaml.load
+rules.push({
+  id: 'SEC-INJ-045', category: 'security', severity: 'critical', confidence: 'definite',
+  title: 'yaml.load() with untrusted input — code execution risk',
+  check({ files }) {
+    const findings = [];
+    const p = /yaml\.load\s*\(/;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (COMMENT_LINE.test(lines[i])) continue;
+        if (p.test(lines[i]) && !/yaml\.safeLoad|yaml\.load.*\{.*schema/i.test(lines[i])) findings.push({ ruleId: 'SEC-INJ-045', category: 'security', severity: 'critical', title: 'yaml.load() allows code execution — use yaml.safeLoad()', description: 'js-yaml\'s yaml.load() can execute arbitrary JavaScript via !!js/function tags. Use yaml.safeLoad() or load() with { schema: FAILSAFE_SCHEMA }.', file: path, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-046: express-fileupload with parseNested enabled
+rules.push({
+  id: 'SEC-INJ-046', category: 'security', severity: 'critical', confidence: 'definite',
+  title: 'express-fileupload with parseNested: true — prototype pollution',
+  check({ files }) {
+    const findings = [];
+    const p = /fileUpload\s*\(\s*\{[^}]*parseNested\s*:\s*true/;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (COMMENT_LINE.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-INJ-046', category: 'security', severity: 'critical', title: 'express-fileupload parseNested:true — CVE-2020-7699 prototype pollution', description: 'Setting parseNested: true in express-fileupload enables prototype pollution attacks. Remove this option or upgrade to a patched version.', file: path, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-047: HTTP Response Splitting
+rules.push({
+  id: 'SEC-INJ-047', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'HTTP Response Splitting: user input in response header',
+  check({ files }) {
+    const findings = [];
+    const p = /res\.(?:set|header|setHeader)\s*\([^,]+,\s*(?:req\.|params\.|query\.|body\.|input|user)/;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (COMMENT_LINE.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-INJ-047', category: 'security', severity: 'high', title: 'User input in HTTP response header — CRLF injection / response splitting', description: 'User input in response headers enables HTTP response splitting if the input contains CRLF characters. Validate and strip newlines from header values.', file: path, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-048: Unsafe shell execution with variables
+rules.push({
+  id: 'SEC-INJ-048', category: 'security', severity: 'critical', confidence: 'likely',
+  title: 'Shell command constructed with variable interpolation',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:execSync|exec|system|popen)\s*\(\s*`[^`]*\$\{/;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (COMMENT_LINE.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-INJ-048', category: 'security', severity: 'critical', title: 'Shell command with template literal — command injection risk', description: 'Interpolating variables into shell command strings enables command injection. Use execFile with argument arrays instead.', file: path, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-049: JSON.parse without try/catch on user input
+rules.push({
+  id: 'SEC-INJ-049', category: 'security', severity: 'medium', confidence: 'likely',
+  title: 'JSON.parse on user input without error handling — DoS risk',
+  check({ files }) {
+    const findings = [];
+    const p = /JSON\.parse\s*\(\s*(?:req\.|body\.|params\.|query\.|input|user)/;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (COMMENT_LINE.test(lines[i])) continue;
+        if (p.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 3), i).join('\n');
+          if (!/try\s*\{/.test(ctx)) findings.push({ ruleId: 'SEC-INJ-049', category: 'security', severity: 'medium', title: 'JSON.parse on user input without try/catch — malformed input throws and may crash', description: 'JSON.parse throws on invalid input. Wrap in try/catch to prevent uncaught exceptions from crashing the server.', file: path, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-050: Arbitrary file read via path parameter
+rules.push({
+  id: 'SEC-INJ-050', category: 'security', severity: 'critical', confidence: 'likely',
+  title: 'File read using user-controlled filename — path traversal',
+  check({ files }) {
+    const findings = [];
+    const p = /fs\.(?:readFile|readFileSync|createReadStream)\s*\(\s*(?:req\.|params\.|query\.|body\.|input)/;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (COMMENT_LINE.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-INJ-050', category: 'security', severity: 'critical', title: 'fs.readFile with user-supplied path — path traversal to /etc/passwd etc.', description: 'Reading files with user-controlled paths allows directory traversal. Validate paths against an allowlist and use path.resolve() with containment check.', file: path, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-051: Regex DoS via user-controlled regex
+rules.push({
+  id: 'SEC-INJ-051', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'User input used in RegExp constructor — ReDoS risk',
+  check({ files }) {
+    const findings = [];
+    const p = /new\s+RegExp\s*\(\s*(?:req\.|params\.|query\.|body\.|input)/;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (COMMENT_LINE.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-INJ-051', category: 'security', severity: 'high', title: 'RegExp constructed from user input — ReDoS vulnerability', description: 'Crafted input can create pathological regex patterns that hang the server. Escape user input with a regex-escape library before passing to RegExp().', file: path, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-052: Subprocess injection via template literal
+rules.push({
+  id: 'SEC-INJ-052', category: 'security', severity: 'critical', confidence: 'likely',
+  title: 'subprocess injection via template in spawn/fork',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:spawn|fork|execFile)\s*\(\s*`[^`]*\$\{/;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (COMMENT_LINE.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-INJ-052', category: 'security', severity: 'critical', title: 'spawn/fork with template literal argument — command injection', description: 'Use separate command and args array: spawn(cmd, [arg1, arg2]) instead of template literals.', file: path, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-053: NoSQL injection via user-controlled filter
+rules.push({
+  id: 'SEC-INJ-053', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'Potential NoSQL injection via user-controlled query filter',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:find|findOne|findById|updateOne|deleteOne)\s*\(\s*(?:req\.|body\.|params\.|query\.)/;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (COMMENT_LINE.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-INJ-053', category: 'security', severity: 'high', title: 'NoSQL query with direct user input — NoSQL injection risk', description: 'Validate and sanitize query parameters before passing to NoSQL find/update operations. Use allowlist filtering.', file: path, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-054: Unsafe use of vm.runInNewContext with user data
+rules.push({
+  id: 'SEC-INJ-054', category: 'security', severity: 'critical', confidence: 'likely',
+  title: 'vm.runInNewContext/runInContext with user data — sandbox escape risk',
+  check({ files }) {
+    const findings = [];
+    const p = /vm\.(?:runInNewContext|runInContext|runInThisContext)\s*\(\s*(?:req\.|body\.|params\.|query\.|userInput|input)/;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (COMMENT_LINE.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-INJ-054', category: 'security', severity: 'critical', title: 'vm.runInContext with user input — sandbox bypass possible', description: 'Node.js vm module does not provide a secure sandbox. Use a separate process or dedicated sandbox library.', file: path, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-055: Unsafe deserialization with node-serialize
+rules.push({
+  id: 'SEC-INJ-055', category: 'security', severity: 'critical', confidence: 'definite',
+  title: 'node-serialize package used — RCE via deserialization',
+  check({ files, stack }) {
+    const findings = [];
+    if (!stack.dependencies?.['node-serialize']) return findings;
+    const p = /require\(['"]node-serialize['"]\)|from\s+['"]node-serialize['"]/;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      if (p.test(content)) findings.push({ ruleId: 'SEC-INJ-055', category: 'security', severity: 'critical', title: 'node-serialize allows arbitrary code execution via IIFE in serialized data', description: 'Remove node-serialize. Use JSON.parse/stringify for data serialization instead.', file: path, fix: null });
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-056: Twig/Nunjucks template injection
+rules.push({
+  id: 'SEC-INJ-056', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'Template engine rendered with user-controlled template string',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:nunjucks|twig|swig|mustache)\.(?:render|renderString)\s*\(\s*(?:req\.|body\.|params\.|query\.)/i;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (COMMENT_LINE.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-INJ-056', category: 'security', severity: 'high', title: 'Template engine renderString with user input — SSTI risk', description: 'Never render user-controlled strings as templates. Pre-compile templates from trusted sources only.', file: path, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-057: HTTP Host header injection
+rules.push({
+  id: 'SEC-INJ-057', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'Trust of HTTP Host header without validation',
+  check({ files }) {
+    const findings = [];
+    const p = /req\.(?:headers\.host|hostname|host)\s*(?:!==|===|==|!=|in|includes|\+|`)/;
+    // HTTPS enforcement patterns that construct redirect URLs with req.hostname are safe
+    const httpsRedirect = /['"]https:\/\/['"]\s*\+\s*req\.hostname/;
+    // Comparisons against req.headers['x-forwarded-proto'] in the same context are HTTPS enforcement
+    const protoCheck = /x-forwarded-proto/i;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (COMMENT_LINE.test(lines[i])) continue;
+        if (p.test(lines[i]) && !httpsRedirect.test(lines[i])) {
+          // Check if the surrounding context (nearby lines) is an HTTPS enforcement block
+          const context = lines.slice(Math.max(0, i - 5), i + 3).join('\n');
+          if (protoCheck.test(context)) continue;
+          findings.push({ ruleId: 'SEC-INJ-057', category: 'security', severity: 'high', title: 'HTTP Host header used in logic — host header injection risk', description: 'Validate the Host header against an allowlist of known hostnames. Do not use it for URL construction.', file: path, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-INJ-058: XPath injection via string concatenation
+rules.push({
+  id: 'SEC-INJ-058', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'XPath query constructed with user input — XPath injection',
+  check({ files }) {
+    const findings = [];
+    const p = /xpath.*(?:req\.|body\.|params\.|query\.)|(?:req\.|body\.|params\.|query\.).*xpath/i;
+    for (const [path, content] of files) {
+      if (SKIP_PATH.test(path) || !isJS(path)) continue;
+      if (p.test(content)) findings.push({ ruleId: 'SEC-INJ-058', category: 'security', severity: 'high', title: 'XPath expression with user input — XPath injection risk', description: 'Use parameterized XPath queries or escape special characters in XPath expressions.', file: path, fix: null });
+    }
+    return findings;
+  },
+});