pi-lens 3.8.21 → 3.8.23

package/rules/tree-sitter-queries/ruby/ruby-command-injection.yml

@@ -0,0 +1,56 @@
+# Ruby Security
+# Detects shell execution sinks frequently involved in command injection.
+id: ruby-command-injection
+name: Command Injection Sink
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: ruby
+
+message: "Potential command injection sink — avoid shell execution with untrusted input"
+
+description: |
+  Ruby shell execution APIs (`system`, `exec`, `spawn`, backticks) can execute
+  user-controlled command strings.
+
+  ✅ FIX: avoid shell interpolation and use safer APIs with strict allowlists.
+
+query: |
+  (call
+    method: (identifier) @FN
+    arguments: (argument_list) @ARGS)
+  (#match? @FN "^(system|exec|spawn|popen|capture3|capture2|capture2e)$")
+
+  (command
+    method: (identifier) @FN
+    argument: (_) @ARGS)
+  (#match? @FN "^(system|exec|spawn|popen)$")
+
+  (call_expression
+    receiver: (constant) @NS
+    method: (identifier) @FN
+    arguments: (argument_list) @ARGS)
+  (#match? @FN "^(system|exec|spawn|popen|capture3|capture2|capture2e)$")
+
+metavars:
+  - FN
+  - ARGS
+
+post_filter: ruby_command_injection_sink
+
+has_fix: false
+
+tags:
+  - ruby
+  - security
+  - command-injection
+  - cwe-78
+  - owasp-a03
+
+examples:
+  bad: |
+    system("sh -c #{params[:cmd]}")
+
+  good: |
+    Open3.capture3("git", "status")

package/rules/tree-sitter-queries/ruby/ruby-insecure-deserialization.yml

@@ -0,0 +1,47 @@
+# Ruby Security
+# Detects unsafe deserialization APIs.
+id: ruby-insecure-deserialization
+name: Insecure Deserialization
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: ruby
+
+message: "Potential insecure deserialization sink — avoid unsafe loaders"
+
+description: |
+  Deserializing untrusted data with Marshal/YAML loaders can enable code execution.
+
+  ✅ FIX: use safe serialization formats and strict schema validation.
+
+query: |
+  (call_expression
+    receiver: (constant) @MOD
+    method: (identifier) @FN
+    arguments: (argument_list (_) @DATA))
+  (#match? @MOD "^(Marshal|YAML|Psych)$")
+  (#match? @FN "^(load|unsafe_load)$")
+
+metavars:
+  - MOD
+  - FN
+  - DATA
+
+post_filter: ruby_insecure_deserialization_sink
+
+has_fix: false
+
+tags:
+  - ruby
+  - security
+  - deserialization
+  - cwe-502
+  - owasp-a08
+
+examples:
+  bad: |
+    Marshal.load(payload)
+
+  good: |
+    JSON.parse(payload)

package/rules/tree-sitter-queries/ruby/ruby-insecure-random.yml

@@ -0,0 +1,54 @@
+# Ruby Security
+# Detects non-cryptographic randomness usage.
+id: ruby-insecure-random
+name: Insecure Randomness
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: ruby
+
+message: "Insecure randomness source detected — use SecureRandom for security-sensitive values"
+
+description: |
+  Kernel.rand/Random.new are not suitable for security-sensitive tokens.
+
+  ✅ FIX: use SecureRandom.hex/base64/uuid.
+
+query: |
+  [
+    (call
+      method: (identifier) @FN
+      arguments: (argument_list) @ARGS)
+    (call_expression
+      receiver: (constant) @MOD
+      method: (identifier) @FN
+      arguments: (argument_list) @ARGS)
+  ]
+  (#match? @FN "^(rand|srand)$")
+
+metavars:
+  - MOD
+  - FN
+  - ARGS
+
+cwe:
+  - CWE-330
+owasp:
+  - A02
+confidence: medium
+
+has_fix: false
+
+tags:
+  - ruby
+  - security
+  - randomness
+  - weak-prng
+
+examples:
+  bad: |
+    token = rand(10_000_000)
+
+  good: |
+    token = SecureRandom.hex(16)

package/rules/tree-sitter-queries/ruby/ruby-weak-hash.yml

@@ -0,0 +1,50 @@
+# Ruby Security
+# Detects weak digest algorithm usage.
+id: ruby-weak-hash
+name: Weak Hash Primitive
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: ruby
+
+message: "Weak hash primitive detected (MD5/SHA1) — use SHA-256+ for security-sensitive contexts"
+
+description: |
+  Digest::MD5 and Digest::SHA1 are not suitable for secure hashing.
+
+  ✅ FIX: use Digest::SHA256 or stronger algorithms.
+
+query: |
+  (call_expression
+    receiver: (constant) @MOD
+    method: (identifier) @FN
+    arguments: (argument_list) @ARGS)
+  (#match? @MOD "^(Digest::MD5|Digest::SHA1)$")
+  (#match? @FN "^(hexdigest|digest|base64digest)$")
+
+metavars:
+  - MOD
+  - FN
+  - ARGS
+
+cwe:
+  - CWE-327
+owasp:
+  - A02
+confidence: high
+
+has_fix: false
+
+tags:
+  - ruby
+  - security
+  - crypto
+  - weak-hash
+
+examples:
+  bad: |
+    Digest::MD5.hexdigest(data)
+
+  good: |
+    Digest::SHA256.hexdigest(data)

package/rules/tree-sitter-queries/rust/rust-lock-held-across-await.yml

@@ -0,0 +1,59 @@
+# Rust Concurrency
+# Detects lock guards obtained via lock().await and additional await in same block.
+id: rust-lock-held-across-await
+name: Lock Held Across Await
+severity: warning
+category: concurrency
+defect_class: async-misuse
+inline_tier: warning
+language: rust
+
+message: "Lock guard may be held across await — release lock before awaiting other work"
+
+description: |
+  Awaiting while holding a mutex guard can cause contention and deadlocks.
+
+  ✅ FIX: limit lock scope, clone needed data, then await outside lock lifetime.
+
+query: |
+  (block
+    (let_declaration
+      pattern: (identifier) @GUARD
+      value: (await_expression
+        expression: (call_expression
+          function: (field_expression
+            field: (field_identifier) @LOCKFN))))
+    (_)*
+    (await_expression) @LATER_AWAIT)
+  (#eq? @LOCKFN "lock")
+
+metavars:
+  - GUARD
+  - LOCKFN
+  - LATER_AWAIT
+
+cwe:
+  - CWE-833
+owasp:
+  - A09
+confidence: low
+
+has_fix: false
+
+tags:
+  - rust
+  - concurrency
+  - mutex
+  - async
+
+examples:
+  bad: |
+    let guard = state.lock().await;
+    do_network().await;
+
+  good: |
+    {
+        let guard = state.lock().await;
+        update(&guard);
+    }
+    do_network().await;

package/rules/tree-sitter-queries/typescript/ts-command-injection.yml

@@ -0,0 +1,60 @@
+# JS/TS Security
+# Detects command execution sinks via child_process APIs.
+id: ts-command-injection
+name: Command Injection Sink
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: typescript
+
+message: "Potential command injection sink — avoid child_process command execution with untrusted input"
+
+description: |
+  child_process command APIs (`exec`, `execSync`) execute shell commands and are
+  vulnerable when command strings include untrusted input.
+
+  ✅ FIX: prefer `spawn`/`execFile` with explicit argument arrays and strict allowlists.
+
+query: |
+  [
+    (call_expression
+      function: (member_expression
+        object: (identifier) @MOD
+        property: (property_identifier) @FN)
+      arguments: (arguments) @ARGS)
+    (call_expression
+      function: (member_expression
+        object: (member_expression
+          object: (identifier) @MOD
+          property: (property_identifier) @NS)
+        property: (property_identifier) @FN)
+      arguments: (arguments) @ARGS)
+  ]
+  (#eq? @MOD "child_process")
+  (#match? @FN "^(exec|execSync)$")
+
+metavars:
+  - MOD
+  - NS
+  - FN
+  - ARGS
+
+post_filter: ts_command_injection_sink
+
+has_fix: false
+
+tags:
+  - javascript
+  - typescript
+  - security
+  - command-injection
+  - cwe-78
+  - owasp-a03
+
+examples:
+  bad: |
+    child_process.exec(userInput)
+
+  good: |
+    spawn("git", ["status"])

package/rules/tree-sitter-queries/typescript/ts-detached-async-call.yml

@@ -0,0 +1,56 @@
+# JS/TS Concurrency
+# Detects detached async/suspicious promise calls used as bare statements.
+id: ts-detached-async-call
+name: Detached Async Call
+severity: warning
+category: concurrency
+defect_class: async-misuse
+inline_tier: warning
+language: typescript
+
+message: "Detached async call — ensure this Promise is awaited or explicitly handled"
+
+description: |
+  Bare async calls can drop errors and cause race conditions when results are ignored.
+
+  ✅ FIX: await the call, return the promise, or explicitly handle it with .catch/.then.
+
+query: |
+  (expression_statement
+    (call_expression
+      function: [
+        (identifier) @FN
+        (member_expression
+          property: (property_identifier) @FN)
+      ]
+      arguments: (arguments) @ARGS))
+  (#match? @FN "(Async$|fetch$|request$)")
+
+metavars:
+  - FN
+  - ARGS
+
+post_filter: ts_detached_async_call
+
+cwe:
+  - CWE-703
+owasp:
+  - A09
+confidence: medium
+
+has_fix: false
+
+tags:
+  - javascript
+  - typescript
+  - concurrency
+  - async
+
+examples:
+  bad: |
+    fetch(url)
+    saveAsync(record)
+
+  good: |
+    await fetch(url)
+    await saveAsync(record)

package/rules/tree-sitter-queries/typescript/ts-insecure-random.yml

@@ -0,0 +1,54 @@
+# JS/TS Security
+# Detects non-cryptographic randomness usage.
+id: ts-insecure-random
+name: Insecure Randomness
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: typescript
+
+message: "Insecure randomness source detected — use crypto.getRandomValues or secure RNG APIs"
+
+description: |
+  Math.random is not suitable for security-sensitive tokens and identifiers.
+
+  ✅ FIX: use crypto.getRandomValues / crypto.randomUUID / secure server-side RNG.
+
+query: |
+  (call_expression
+    function: (member_expression
+      object: (identifier) @OBJ
+      property: (property_identifier) @FN)
+    arguments: (arguments) @ARGS)
+  (#eq? @OBJ "Math")
+  (#eq? @FN "random")
+
+metavars:
+  - OBJ
+  - FN
+  - ARGS
+
+post_filter: ts_insecure_random_source
+
+cwe:
+  - CWE-330
+owasp:
+  - A02
+confidence: medium
+
+has_fix: false
+
+tags:
+  - javascript
+  - typescript
+  - security
+  - randomness
+  - weak-prng
+
+examples:
+  bad: |
+    const token = Math.random().toString(36)
+
+  good: |
+    const token = crypto.randomUUID()

package/rules/tree-sitter-queries/typescript/ts-ssrf.yml

@@ -0,0 +1,53 @@
+# JS/TS Security
+# Detects outbound HTTP sinks invoked with dynamic URL expressions.
+id: ts-ssrf
+name: SSRF Risk
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: typescript
+
+message: "Potential SSRF sink — validate and allowlist outbound URLs"
+
+description: |
+  Outbound requests with untrusted URL input can lead to server-side request forgery.
+
+  ✅ FIX: validate URL host/scheme and allowlist external targets.
+
+query: |
+  [
+    (call_expression
+      function: (identifier) @FN
+      arguments: (arguments [(identifier) (member_expression) (call_expression)] @URL))
+    (call_expression
+      function: (member_expression
+        object: (identifier) @OBJ
+        property: (property_identifier) @FN)
+      arguments: (arguments [(identifier) (member_expression) (call_expression)] @URL))
+  ]
+  (#match? @FN "^(fetch|get|post|put|patch|delete|request)$")
+
+metavars:
+  - OBJ
+  - FN
+  - URL
+
+post_filter: ts_ssrf_sink
+
+has_fix: false
+
+tags:
+  - javascript
+  - typescript
+  - security
+  - ssrf
+  - cwe-918
+  - owasp-a10
+
+examples:
+  bad: |
+    await fetch(userUrl)
+
+  good: |
+    if (ALLOWED_HOSTS.has(url.host)) await fetch(url.toString())

package/rules/tree-sitter-queries/typescript/ts-weak-hash.yml

@@ -0,0 +1,54 @@
+# JS/TS Security
+# Detects weak hash algorithm selection in crypto hashing APIs.
+id: ts-weak-hash
+name: Weak Hash Primitive
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: typescript
+
+message: "Weak hash primitive selected (md5/sha1) — use sha256+ for security-sensitive contexts"
+
+description: |
+  Using MD5/SHA1 in cryptographic hashing contexts is insecure.
+
+  ✅ FIX: use SHA-256 or stronger algorithms.
+
+query: |
+  (call_expression
+    function: (member_expression
+      property: (property_identifier) @FN)
+    arguments: (arguments
+      (string (string_fragment) @ALG)
+      (_)*))
+  (#eq? @FN "createHash")
+  (#match? @ALG "^(md5|sha1)$")
+
+metavars:
+  - FN
+  - ALG
+
+post_filter: ts_weak_hash_algorithm
+
+cwe:
+  - CWE-327
+owasp:
+  - A02
+confidence: high
+
+has_fix: false
+
+tags:
+  - javascript
+  - typescript
+  - security
+  - crypto
+  - weak-hash
+
+examples:
+  bad: |
+    const hash = crypto.createHash("md5").update(data).digest("hex")
+
+  good: |
+    const hash = crypto.createHash("sha256").update(data).digest("hex")