thuban 0.4.0 → 0.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (209) hide show
  1. package/dist/package.json +63 -0
  2. package/dist/packages/crucible/rules/code-scanner-core.json +129 -0
  3. package/dist/packages/crucible/rules/command-injection.json +411 -0
  4. package/dist/packages/crucible/rules/crypto-misuse.json +35 -0
  5. package/dist/packages/crucible/rules/deserialization.json +152 -0
  6. package/dist/packages/crucible/rules/env-injection.json +46 -0
  7. package/dist/packages/crucible/rules/eval-abuse.json +104 -0
  8. package/dist/packages/crucible/rules/file-upload.json +46 -0
  9. package/dist/packages/crucible/rules/hallucination.json +22 -0
  10. package/dist/packages/crucible/rules/hardcoded-secret.json +397 -0
  11. package/dist/packages/crucible/rules/hardcoded-url.json +13 -0
  12. package/dist/packages/crucible/rules/insecure-crypto.json +302 -0
  13. package/dist/packages/crucible/rules/integer-overflow.json +35 -0
  14. package/dist/packages/crucible/rules/log-injection.json +33 -0
  15. package/dist/packages/crucible/rules/mass-assignment.json +112 -0
  16. package/dist/packages/crucible/rules/open-redirect.json +196 -0
  17. package/dist/packages/crucible/rules/path-traversal.json +422 -0
  18. package/dist/packages/crucible/rules/prototype-pollution.json +22 -0
  19. package/dist/packages/crucible/rules/sql-injection.json +597 -0
  20. package/dist/packages/crucible/rules/ssrf.json +557 -0
  21. package/dist/packages/crucible/rules/timing-attack.json +55 -0
  22. package/dist/packages/crucible/rules/unsafe-block.json +24 -0
  23. package/dist/packages/crucible/rules/xss.json +641 -0
  24. package/dist/packages/crucible/rules/xxe.json +66 -0
  25. package/dist/packages/crucible/rules/yaml-deserialization.json +22 -0
  26. package/dist/packages/crucible/rules/yaml-injection.json +22 -0
  27. package/dist/packages/scanner/executive-report.js +1 -1
  28. package/dist/packages/scanner/hallucination-detector.js +1 -1
  29. package/dist/packages/scanner/secret-scanner.js +1 -1
  30. package/package.json +7 -4
  31. package/dist/packages/crucible/seeds/python/seed-021 3.py +0 -37
  32. package/dist/packages/crucible/seeds/python/seed-022 3.py +0 -34
  33. package/dist/packages/crucible/seeds/python/seed-023 3.py +0 -37
  34. package/dist/packages/crucible/seeds/python/seed-024 3.py +0 -38
  35. package/dist/packages/crucible/seeds/python/seed-025 3.py +0 -40
  36. package/dist/packages/crucible/seeds/python/seed-026 3.py +0 -35
  37. package/dist/packages/crucible/seeds/python/seed-027 3.py +0 -35
  38. package/dist/packages/crucible/seeds/python/seed-028 3.py +0 -42
  39. package/dist/packages/crucible/seeds/python/seed-030 3.py +0 -37
  40. package/dist/packages/crucible/seeds/python/seed-031 3.py +0 -34
  41. package/dist/packages/crucible/seeds/python/seed-036 3.py +0 -33
  42. package/dist/packages/crucible/seeds/python/seed-037 3.py +0 -41
  43. package/dist/packages/crucible/seeds/python/seed-038 3.py +0 -33
  44. package/dist/packages/crucible/seeds/python/seed-039 3.py +0 -39
  45. package/dist/packages/crucible/seeds/python/seed-040 3.py +0 -39
  46. package/dist/packages/crucible/seeds/python/seed-041 3.py +0 -37
  47. package/dist/packages/crucible/seeds/python/seed-042 3.py +0 -38
  48. package/dist/packages/crucible/seeds/python/seed-043 3.py +0 -32
  49. package/dist/packages/crucible/seeds/python/seed-044 3.py +0 -38
  50. package/dist/packages/crucible/seeds/python/seed-045 3.py +0 -36
  51. package/dist/packages/crucible/seeds/python/seed-046 3.py +0 -33
  52. package/dist/packages/crucible/seeds/python/seed-047 3.py +0 -44
  53. package/dist/packages/crucible/seeds/python/seed-048 3.py +0 -35
  54. package/dist/packages/crucible/seeds/python/seed-049 3.py +0 -39
  55. package/dist/packages/crucible/seeds/python/seed-050 3.py +0 -39
  56. package/dist/packages/crucible/seeds/python/seed-051 3.py +0 -38
  57. package/dist/packages/crucible/seeds/python/seed-052 3.py +0 -41
  58. package/dist/packages/crucible/seeds/ruby/seed-001 3.rb +0 -15
  59. package/dist/packages/crucible/seeds/ruby/seed-002 3.rb +0 -22
  60. package/dist/packages/crucible/seeds/ruby/seed-003 3.rb +0 -25
  61. package/dist/packages/crucible/seeds/ruby/seed-004 3.rb +0 -17
  62. package/dist/packages/crucible/seeds/ruby/seed-005 3.rb +0 -21
  63. package/dist/packages/crucible/seeds/ruby/seed-006 3.rb +0 -17
  64. package/dist/packages/crucible/seeds/ruby/seed-007 3.rb +0 -16
  65. package/dist/packages/crucible/seeds/ruby/seed-008 3.rb +0 -18
  66. package/dist/packages/crucible/seeds/ruby/seed-009 3.rb +0 -20
  67. package/dist/packages/crucible/seeds/ruby/seed-010 3.rb +0 -24
  68. package/dist/packages/crucible/seeds/ruby/seed-011 3.rb +0 -21
  69. package/dist/packages/crucible/seeds/ruby/seed-012 3.rb +0 -22
  70. package/dist/packages/crucible/seeds/ruby/seed-013 3.rb +0 -21
  71. package/dist/packages/crucible/seeds/ruby/seed-014 3.rb +0 -16
  72. package/dist/packages/crucible/seeds/ruby/seed-015 3.rb +0 -18
  73. package/dist/packages/crucible/seeds/ruby/seed-016 3.rb +0 -17
  74. package/dist/packages/crucible/seeds/ruby/seed-017 3.rb +0 -25
  75. package/dist/packages/crucible/seeds/ruby/seed-018 3.rb +0 -23
  76. package/dist/packages/crucible/seeds/ruby/seed-019 3.rb +0 -20
  77. package/dist/packages/crucible/seeds/ruby/seed-020 3.rb +0 -17
  78. package/dist/packages/crucible/seeds/ruby/seed-021 3.rb +0 -20
  79. package/dist/packages/crucible/seeds/ruby/seed-022 3.rb +0 -21
  80. package/dist/packages/crucible/seeds/ruby/seed-023 3.rb +0 -19
  81. package/dist/packages/crucible/seeds/ruby/seed-024 3.rb +0 -17
  82. package/dist/packages/crucible/seeds/ruby/seed-025 3.rb +0 -17
  83. package/dist/packages/crucible/seeds/ruby/seed-026 3.rb +0 -18
  84. package/dist/packages/crucible/seeds/ruby/seed-027 3.rb +0 -21
  85. package/dist/packages/crucible/seeds/ruby/seed-028 3.rb +0 -22
  86. package/dist/packages/crucible/seeds/ruby/seed-029 3.rb +0 -19
  87. package/dist/packages/crucible/seeds/ruby/seed-030 3.rb +0 -20
  88. package/dist/packages/crucible/seeds/ruby/seed-031 3.rb +0 -17
  89. package/dist/packages/crucible/seeds/ruby/seed-032 3.rb +0 -22
  90. package/dist/packages/crucible/seeds/ruby/seed-033 3.rb +0 -18
  91. package/dist/packages/crucible/seeds/ruby/seed-034 3.rb +0 -19
  92. package/dist/packages/crucible/seeds/ruby/seed-035 3.rb +0 -19
  93. package/dist/packages/crucible/seeds/ruby/seed-036 3.rb +0 -18
  94. package/dist/packages/crucible/seeds/ruby/seed-037 3.rb +0 -21
  95. package/dist/packages/crucible/seeds/ruby/seed-038 3.rb +0 -24
  96. package/dist/packages/crucible/seeds/ruby/seed-039 3.rb +0 -24
  97. package/dist/packages/crucible/seeds/ruby/seed-040 3.rb +0 -22
  98. package/dist/packages/crucible/seeds/ruby/seed-041 3.rb +0 -23
  99. package/dist/packages/crucible/seeds/ruby/seed-042 3.rb +0 -25
  100. package/dist/packages/crucible/seeds/ruby/seed-043 3.rb +0 -23
  101. package/dist/packages/crucible/seeds/ruby/seed-044 3.rb +0 -16
  102. package/dist/packages/crucible/seeds/ruby/seed-045 3.rb +0 -22
  103. package/dist/packages/crucible/seeds/ruby/seed-046 3.rb +0 -27
  104. package/dist/packages/crucible/seeds/ruby/seed-047 3.rb +0 -26
  105. package/dist/packages/crucible/seeds/ruby/seed-048 3.rb +0 -24
  106. package/dist/packages/crucible/seeds/ruby/seed-049 3.rb +0 -20
  107. package/dist/packages/crucible/seeds/ruby/seed-050 3.rb +0 -27
  108. package/dist/packages/crucible/seeds/rust/seed-001 3.rs +0 -25
  109. package/dist/packages/crucible/seeds/rust/seed-002 3.rs +0 -20
  110. package/dist/packages/crucible/seeds/rust/seed-003 3.rs +0 -23
  111. package/dist/packages/crucible/seeds/rust/seed-004 3.rs +0 -21
  112. package/dist/packages/crucible/seeds/rust/seed-005 3.rs +0 -21
  113. package/dist/packages/crucible/seeds/rust/seed-006 3.rs +0 -24
  114. package/dist/packages/crucible/seeds/rust/seed-007 3.rs +0 -20
  115. package/dist/packages/crucible/seeds/rust/seed-008 3.rs +0 -19
  116. package/dist/packages/crucible/seeds/rust/seed-009 3.rs +0 -28
  117. package/dist/packages/crucible/seeds/rust/seed-010 3.rs +0 -28
  118. package/dist/packages/crucible/seeds/rust/seed-011 3.rs +0 -25
  119. package/dist/packages/crucible/seeds/rust/seed-012 3.rs +0 -31
  120. package/dist/packages/crucible/seeds/rust/seed-013 3.rs +0 -27
  121. package/dist/packages/crucible/seeds/rust/seed-014 3.rs +0 -30
  122. package/dist/packages/crucible/seeds/rust/seed-015 3.rs +0 -33
  123. package/dist/packages/crucible/seeds/rust/seed-016 3.rs +0 -22
  124. package/dist/packages/crucible/seeds/rust/seed-017 3.rs +0 -28
  125. package/dist/packages/crucible/seeds/rust/seed-018 3.rs +0 -21
  126. package/dist/packages/crucible/seeds/rust/seed-019 3.rs +0 -36
  127. package/dist/packages/crucible/seeds/rust/seed-020 3.rs +0 -27
  128. package/dist/packages/crucible/seeds/rust/seed-021 3.rs +0 -26
  129. package/dist/packages/crucible/seeds/rust/seed-022 3.rs +0 -23
  130. package/dist/packages/crucible/seeds/rust/seed-023 3.rs +0 -22
  131. package/dist/packages/crucible/seeds/rust/seed-024 3.rs +0 -24
  132. package/dist/packages/crucible/seeds/rust/seed-025 3.rs +0 -29
  133. package/dist/packages/crucible/seeds/rust/seed-026 3.rs +0 -23
  134. package/dist/packages/crucible/seeds/rust/seed-027 3.rs +0 -24
  135. package/dist/packages/crucible/seeds/rust/seed-028 3.rs +0 -25
  136. package/dist/packages/crucible/seeds/rust/seed-029 3.rs +0 -25
  137. package/dist/packages/crucible/seeds/rust/seed-030 3.rs +0 -30
  138. package/dist/packages/crucible/seeds/rust/seed-031 3.rs +0 -22
  139. package/dist/packages/crucible/seeds/rust/seed-032 3.rs +0 -25
  140. package/dist/packages/crucible/seeds/rust/seed-033 3.rs +0 -25
  141. package/dist/packages/crucible/seeds/rust/seed-034 3.rs +0 -20
  142. package/dist/packages/crucible/seeds/rust/seed-035 3.rs +0 -28
  143. package/dist/packages/crucible/seeds/rust/seed-036 3.rs +0 -26
  144. package/dist/packages/crucible/seeds/rust/seed-037 3.rs +0 -31
  145. package/dist/packages/crucible/seeds/rust/seed-038 3.rs +0 -25
  146. package/dist/packages/crucible/seeds/rust/seed-039 3.rs +0 -28
  147. package/dist/packages/crucible/seeds/rust/seed-040 3.rs +0 -27
  148. package/dist/packages/crucible/seeds/rust/seed-041 3.rs +0 -32
  149. package/dist/packages/crucible/seeds/rust/seed-042 3.rs +0 -27
  150. package/dist/packages/crucible/seeds/rust/seed-043 3.rs +0 -29
  151. package/dist/packages/crucible/seeds/rust/seed-044 3.rs +0 -25
  152. package/dist/packages/crucible/seeds/rust/seed-045 3.rs +0 -28
  153. package/dist/packages/crucible/seeds/rust/seed-046 3.rs +0 -25
  154. package/dist/packages/crucible/seeds/rust/seed-047 3.rs +0 -34
  155. package/dist/packages/crucible/seeds/rust/seed-048 3.rs +0 -21
  156. package/dist/packages/crucible/seeds/rust/seed-049 3.rs +0 -26
  157. package/dist/packages/crucible/seeds/rust/seed-050 3.rs +0 -23
  158. package/dist/packages/crucible/seeds/ts/seed-001 3.ts +0 -32
  159. package/dist/packages/crucible/seeds/ts/seed-002 3.ts +0 -34
  160. package/dist/packages/crucible/seeds/ts/seed-003 3.ts +0 -28
  161. package/dist/packages/crucible/seeds/ts/seed-004 3.ts +0 -34
  162. package/dist/packages/crucible/seeds/ts/seed-005 3.ts +0 -32
  163. package/dist/packages/crucible/seeds/ts/seed-006 3.ts +0 -31
  164. package/dist/packages/crucible/seeds/ts/seed-007 3.ts +0 -28
  165. package/dist/packages/crucible/seeds/ts/seed-008 3.ts +0 -40
  166. package/dist/packages/crucible/seeds/ts/seed-009 3.ts +0 -31
  167. package/dist/packages/crucible/seeds/ts/seed-010 3.ts +0 -33
  168. package/dist/packages/crucible/seeds/ts/seed-011 3.ts +0 -29
  169. package/dist/packages/crucible/seeds/ts/seed-012 3.ts +0 -34
  170. package/dist/packages/crucible/seeds/ts/seed-013 3.ts +0 -31
  171. package/dist/packages/crucible/seeds/ts/seed-014 3.ts +0 -36
  172. package/dist/packages/crucible/seeds/ts/seed-015 3.ts +0 -31
  173. package/dist/packages/crucible/seeds/ts/seed-016 3.ts +0 -37
  174. package/dist/packages/crucible/seeds/ts/seed-017 3.ts +0 -44
  175. package/dist/packages/crucible/seeds/ts/seed-018 3.ts +0 -33
  176. package/dist/packages/crucible/seeds/ts/seed-019 3.ts +0 -32
  177. package/dist/packages/crucible/seeds/ts/seed-020 3.ts +0 -33
  178. package/dist/packages/crucible/seeds/ts/seed-021 3.ts +0 -33
  179. package/dist/packages/crucible/seeds/ts/seed-022 3.ts +0 -34
  180. package/dist/packages/crucible/seeds/ts/seed-023 3.ts +0 -33
  181. package/dist/packages/crucible/seeds/ts/seed-024 3.ts +0 -35
  182. package/dist/packages/crucible/seeds/ts/seed-025 3.ts +0 -29
  183. package/dist/packages/crucible/seeds/ts/seed-026 3.ts +0 -36
  184. package/dist/packages/crucible/seeds/ts/seed-027 3.ts +0 -30
  185. package/dist/packages/crucible/seeds/ts/seed-028 3.ts +0 -32
  186. package/dist/packages/crucible/seeds/ts/seed-029 3.ts +0 -34
  187. package/dist/packages/crucible/seeds/ts/seed-030 3.ts +0 -37
  188. package/dist/packages/crucible/seeds/ts/seed-031 3.ts +0 -31
  189. package/dist/packages/crucible/seeds/ts/seed-032 3.ts +0 -32
  190. package/dist/packages/crucible/seeds/ts/seed-033 3.ts +0 -32
  191. package/dist/packages/crucible/seeds/ts/seed-034 3.ts +0 -34
  192. package/dist/packages/crucible/seeds/ts/seed-035 3.ts +0 -29
  193. package/dist/packages/crucible/seeds/ts/seed-036 3.ts +0 -34
  194. package/dist/packages/crucible/seeds/ts/seed-037 3.ts +0 -33
  195. package/dist/packages/crucible/seeds/ts/seed-038 3.ts +0 -29
  196. package/dist/packages/crucible/seeds/ts/seed-039 3.ts +0 -35
  197. package/dist/packages/crucible/seeds/ts/seed-040 3.ts +0 -31
  198. package/dist/packages/crucible/seeds/ts/seed-041 3.ts +0 -29
  199. package/dist/packages/crucible/seeds/ts/seed-042 3.ts +0 -33
  200. package/dist/packages/crucible/seeds/ts/seed-043 3.ts +0 -32
  201. package/dist/packages/crucible/seeds/ts/seed-044 3.ts +0 -36
  202. package/dist/packages/crucible/seeds/ts/seed-045 3.ts +0 -39
  203. package/dist/packages/crucible/seeds/ts/seed-046 3.ts +0 -41
  204. package/dist/packages/crucible/seeds/ts/seed-047 3.ts +0 -33
  205. package/dist/packages/crucible/seeds/ts/seed-048 3.ts +0 -33
  206. package/dist/packages/crucible/seeds/ts/seed-049 3.ts +0 -34
  207. package/dist/packages/crucible/seeds/ts/seed-050 3.ts +0 -41
  208. package/dist/packages/crucible/seeds/ts/seed-051 3.ts +0 -34
  209. package/dist/packages/crucible/seeds/ts/seed-052 3.ts +0 -36
@@ -0,0 +1,641 @@
1
+ [
2
+ {
3
+ "id": "XSS001",
4
+ "pattern": "from\\s+mako\\s*\\.\\s*template\\s+import\\s+Template",
5
+ "flags": "",
6
+ "category": "xss",
7
+ "description": "XSS — Python: Mako Template().render() — multiline template then render (separate lines)",
8
+ "language": [
9
+ "python"
10
+ ],
11
+ "severity": "high"
12
+ },
13
+ {
14
+ "id": "XSS002",
15
+ "pattern": "innerHTML\\s*=|document\\.write\\s*\\(",
16
+ "flags": "",
17
+ "category": "xss",
18
+ "description": "XSS (original)",
19
+ "language": [
20
+ "js",
21
+ "ts",
22
+ "python",
23
+ "java",
24
+ "go",
25
+ "csharp",
26
+ "php",
27
+ "ruby",
28
+ "rust",
29
+ "kotlin"
30
+ ],
31
+ "severity": "high"
32
+ },
33
+ {
34
+ "id": "XSS003",
35
+ "pattern": "render_template_string\\s*\\(|webView.*javaScriptEnabled\\s*=\\s*true",
36
+ "flags": "i",
37
+ "category": "xss",
38
+ "description": "XSS (original)",
39
+ "language": [
40
+ "js",
41
+ "ts",
42
+ "python",
43
+ "java",
44
+ "go",
45
+ "csharp",
46
+ "php",
47
+ "ruby",
48
+ "rust",
49
+ "kotlin"
50
+ ],
51
+ "severity": "high"
52
+ },
53
+ {
54
+ "id": "XSS004",
55
+ "pattern": "dangerouslySetInnerHTML\\s*=\\s*\\{\\{?\\s*__html\\s*:",
56
+ "flags": "",
57
+ "category": "xss",
58
+ "description": "XSS — React dangerouslySetInnerHTML, Angular [innerHTML], Vue v-html",
59
+ "language": [
60
+ "js",
61
+ "ts",
62
+ "python",
63
+ "java",
64
+ "go",
65
+ "csharp",
66
+ "php",
67
+ "ruby",
68
+ "rust",
69
+ "kotlin"
70
+ ],
71
+ "severity": "high"
72
+ },
73
+ {
74
+ "id": "XSS005",
75
+ "pattern": "\\[innerHTML\\]\\s*=",
76
+ "flags": "",
77
+ "category": "xss",
78
+ "description": "XSS — React dangerouslySetInnerHTML, Angular [innerHTML], Vue v-html",
79
+ "language": [
80
+ "js",
81
+ "ts",
82
+ "python",
83
+ "java",
84
+ "go",
85
+ "csharp",
86
+ "php",
87
+ "ruby",
88
+ "rust",
89
+ "kotlin"
90
+ ],
91
+ "severity": "high"
92
+ },
93
+ {
94
+ "id": "XSS006",
95
+ "pattern": "v-html\\s*=",
96
+ "flags": "",
97
+ "category": "xss",
98
+ "description": "XSS — React dangerouslySetInnerHTML, Angular [innerHTML], Vue v-html",
99
+ "language": [
100
+ "js",
101
+ "ts",
102
+ "python",
103
+ "java",
104
+ "go",
105
+ "csharp",
106
+ "php",
107
+ "ruby",
108
+ "rust",
109
+ "kotlin"
110
+ ],
111
+ "severity": "high"
112
+ },
113
+ {
114
+ "id": "XSS007",
115
+ "pattern": "\\$\\s*\\([^)]+\\)\\s*\\.\\s*html\\s*\\(\\s*\\w",
116
+ "flags": "",
117
+ "category": "xss",
118
+ "description": "XSS — jQuery .html() with variable, outerHTML, Handlebars triple-stache, marked()",
119
+ "language": [
120
+ "js",
121
+ "ts",
122
+ "python",
123
+ "java",
124
+ "go",
125
+ "csharp",
126
+ "php",
127
+ "ruby",
128
+ "rust",
129
+ "kotlin"
130
+ ],
131
+ "severity": "high"
132
+ },
133
+ {
134
+ "id": "XSS008",
135
+ "pattern": "\\.outerHTML\\s*=",
136
+ "flags": "",
137
+ "category": "xss",
138
+ "description": "XSS — jQuery .html() with variable, outerHTML, Handlebars triple-stache, marked()",
139
+ "language": [
140
+ "js",
141
+ "ts",
142
+ "python",
143
+ "java",
144
+ "go",
145
+ "csharp",
146
+ "php",
147
+ "ruby",
148
+ "rust",
149
+ "kotlin"
150
+ ],
151
+ "severity": "high"
152
+ },
153
+ {
154
+ "id": "XSS009",
155
+ "pattern": "\\{\\{\\{[^}]+\\}\\}\\}",
156
+ "flags": "",
157
+ "category": "xss",
158
+ "description": "XSS — jQuery .html() with variable, outerHTML, Handlebars triple-stache, marked()",
159
+ "language": [
160
+ "js",
161
+ "ts",
162
+ "python",
163
+ "java",
164
+ "go",
165
+ "csharp",
166
+ "php",
167
+ "ruby",
168
+ "rust",
169
+ "kotlin"
170
+ ],
171
+ "severity": "high"
172
+ },
173
+ {
174
+ "id": "XSS010",
175
+ "pattern": "marked\\s*\\(\\s*\\w",
176
+ "flags": "",
177
+ "category": "xss",
178
+ "description": "XSS — jQuery .html() with variable, outerHTML, Handlebars triple-stache, marked()",
179
+ "language": [
180
+ "js",
181
+ "ts",
182
+ "python",
183
+ "java",
184
+ "go",
185
+ "csharp",
186
+ "php",
187
+ "ruby",
188
+ "rust",
189
+ "kotlin"
190
+ ],
191
+ "severity": "high"
192
+ },
193
+ {
194
+ "id": "XSS011",
195
+ "pattern": "res\\s*\\.\\s*(?:send|end|write)\\s*\\(\\s*`[^`]*\\$\\{",
196
+ "flags": "",
197
+ "category": "xss",
198
+ "description": "XSS — Express res.send/res.end/res.write with template literal containing user input",
199
+ "language": [
200
+ "js",
201
+ "ts",
202
+ "python",
203
+ "java",
204
+ "go",
205
+ "csharp",
206
+ "php",
207
+ "ruby",
208
+ "rust",
209
+ "kotlin"
210
+ ],
211
+ "severity": "high"
212
+ },
213
+ {
214
+ "id": "XSS012",
215
+ "pattern": "make_response\\s*\\(\\s*f['\"]|HttpResponse\\s*\\(\\s*f['\"]",
216
+ "flags": "",
217
+ "category": "xss",
218
+ "description": "XSS — Python: Flask make_response, Django HttpResponse, FastAPI HTMLResponse with f-string; Mako Template; Jinja2 |safe",
219
+ "language": [
220
+ "python"
221
+ ],
222
+ "severity": "high"
223
+ },
224
+ {
225
+ "id": "XSS013",
226
+ "pattern": "HTMLResponse\\s*\\(\\s*content\\s*=\\s*f['\"]",
227
+ "flags": "",
228
+ "category": "xss",
229
+ "description": "XSS — Python: Flask make_response, Django HttpResponse, FastAPI HTMLResponse with f-string; Mako Template; Jinja2 |safe",
230
+ "language": [
231
+ "python"
232
+ ],
233
+ "severity": "high"
234
+ },
235
+ {
236
+ "id": "XSS014",
237
+ "pattern": "Template\\s*\\([^)]*\\)\\s*\\.render\\s*\\(",
238
+ "flags": "",
239
+ "category": "xss",
240
+ "description": "XSS — Python: Flask make_response, Django HttpResponse, FastAPI HTMLResponse with f-string; Mako Template; Jinja2 |safe",
241
+ "language": [
242
+ "python"
243
+ ],
244
+ "severity": "high"
245
+ },
246
+ {
247
+ "id": "XSS015",
248
+ "pattern": "\\|\\s*safe\\b",
249
+ "flags": "",
250
+ "category": "xss",
251
+ "description": "XSS — Python: Flask make_response, Django HttpResponse, FastAPI HTMLResponse with f-string; Mako Template; Jinja2 |safe",
252
+ "language": [
253
+ "python"
254
+ ],
255
+ "severity": "high"
256
+ },
257
+ {
258
+ "id": "XSS016",
259
+ "pattern": "ERB\\s*\\.\\s*new\\s*\\(",
260
+ "flags": "",
261
+ "category": "xss",
262
+ "description": "XSS — Ruby: ERB.new with user-controlled template",
263
+ "language": [
264
+ "ruby"
265
+ ],
266
+ "severity": "high"
267
+ },
268
+ {
269
+ "id": "XSS017",
270
+ "pattern": "<\\?=\\s*\\$[a-zA-Z_]",
271
+ "flags": "",
272
+ "category": "xss",
273
+ "description": "XSS — PHP: short echo tags",
274
+ "language": [
275
+ "php"
276
+ ],
277
+ "severity": "high"
278
+ },
279
+ {
280
+ "id": "XSS018",
281
+ "pattern": "io\\s*\\.\\s*WriteString\\s*\\(\\s*w\\b",
282
+ "flags": "",
283
+ "category": "xss",
284
+ "description": "XSS — Go: io.WriteString to ResponseWriter, template.HTML() cast bypassing escaping",
285
+ "language": [
286
+ "go"
287
+ ],
288
+ "severity": "high"
289
+ },
290
+ {
291
+ "id": "XSS019",
292
+ "pattern": "template\\s*\\.\\s*HTML\\s*\\(",
293
+ "flags": "",
294
+ "category": "xss",
295
+ "description": "XSS — Go: io.WriteString to ResponseWriter, template.HTML() cast bypassing escaping",
296
+ "language": [
297
+ "go"
298
+ ],
299
+ "severity": "high"
300
+ },
301
+ {
302
+ "id": "XSS020",
303
+ "pattern": "Response\\s*\\.\\s*Write\\s*\\(",
304
+ "flags": "",
305
+ "category": "xss",
306
+ "description": "XSS — C#: Response.Write, HtmlString, Html.Raw, Content(\"text/html\")",
307
+ "language": [
308
+ "csharp"
309
+ ],
310
+ "severity": "high"
311
+ },
312
+ {
313
+ "id": "XSS021",
314
+ "pattern": "new\\s+HtmlString\\s*\\(|Html\\s*\\.\\s*Raw\\s*\\(",
315
+ "flags": "",
316
+ "category": "xss",
317
+ "description": "XSS — C#: Response.Write, HtmlString, Html.Raw, Content(\"text/html\")",
318
+ "language": [
319
+ "csharp"
320
+ ],
321
+ "severity": "high"
322
+ },
323
+ {
324
+ "id": "XSS022",
325
+ "pattern": "return\\s+Content\\s*\\([^,]+,\\s*[\"']text\\/html[\"']",
326
+ "flags": "",
327
+ "category": "xss",
328
+ "description": "XSS — C#: Response.Write, HtmlString, Html.Raw, Content(\"text/html\")",
329
+ "language": [
330
+ "csharp"
331
+ ],
332
+ "severity": "high"
333
+ },
334
+ {
335
+ "id": "XSS023",
336
+ "pattern": "webView\\s*\\.\\s*loadData\\s*\\(|webView\\s*\\.\\s*loadDataWithBaseURL\\s*\\(",
337
+ "flags": "",
338
+ "category": "xss",
339
+ "description": "XSS — Kotlin: WebView.loadData, loadDataWithBaseURL, allowUniversalAccessFromFileURLs, Ktor respondText",
340
+ "language": [
341
+ "kotlin"
342
+ ],
343
+ "severity": "high"
344
+ },
345
+ {
346
+ "id": "XSS024",
347
+ "pattern": "allowUniversalAccessFromFileURLs\\s*=\\s*true",
348
+ "flags": "",
349
+ "category": "xss",
350
+ "description": "XSS — Kotlin: WebView.loadData, loadDataWithBaseURL, allowUniversalAccessFromFileURLs, Ktor respondText",
351
+ "language": [
352
+ "kotlin"
353
+ ],
354
+ "severity": "high"
355
+ },
356
+ {
357
+ "id": "XSS025",
358
+ "pattern": "call\\s*\\.\\s*respondText\\s*\\([^)]*text\\/html",
359
+ "flags": "",
360
+ "category": "xss",
361
+ "description": "XSS — Kotlin: WebView.loadData, loadDataWithBaseURL, allowUniversalAccessFromFileURLs, Ktor respondText",
362
+ "language": [
363
+ "kotlin"
364
+ ],
365
+ "severity": "high"
366
+ },
367
+ {
368
+ "id": "XSS026",
369
+ "pattern": "req\\s*\\.\\s*getHeader\\s*\\(|out\\s*\\.\\s*println\\s*\\([^)]*getParameter",
370
+ "flags": "",
371
+ "category": "xss",
372
+ "description": "XSS — Java: req.getHeader reflection, PrintWriter with getParameter or string concat",
373
+ "language": [
374
+ "java"
375
+ ],
376
+ "severity": "high"
377
+ },
378
+ {
379
+ "id": "XSS027",
380
+ "pattern": "out\\s*\\.\\s*(?:print|println)\\s*\\([^)]*[\"'<][^)]*\\+\\s*\\w|pw\\s*\\.\\s*write\\s*\\([^)]*\\+",
381
+ "flags": "",
382
+ "category": "xss",
383
+ "description": "XSS — Java: out.print/println/pw.write with string concatenation (variable + HTML)",
384
+ "language": [
385
+ "java"
386
+ ],
387
+ "severity": "high"
388
+ },
389
+ {
390
+ "id": "XSS028",
391
+ "pattern": "fmt\\s*\\.\\s*Fprintf\\s*\\(\\s*w\\s*,",
392
+ "flags": "",
393
+ "category": "xss",
394
+ "description": "XSS — Go: fmt.Fprintf(w, \"...%s...\", userVar) — format string with w as target",
395
+ "language": [
396
+ "go"
397
+ ],
398
+ "severity": "high"
399
+ },
400
+ {
401
+ "id": "XSS029",
402
+ "pattern": "fmt\\s*\\.\\s*Fprint\\s*\\(\\s*w\\s*,",
403
+ "flags": "",
404
+ "category": "xss",
405
+ "description": "XSS — Go: fmt.Fprint(w, ...) with user data",
406
+ "language": [
407
+ "go"
408
+ ],
409
+ "severity": "high"
410
+ },
411
+ {
412
+ "id": "XSS030",
413
+ "pattern": "return\\s+make_response\\s*\\(html\\b|return\\s+HTMLResponse\\s*\\(content\\s*=\\s*html\\b",
414
+ "flags": "",
415
+ "category": "xss",
416
+ "description": "XSS — Python: make_response/HTMLResponse with variable html built from f-string (multiline pattern)",
417
+ "language": [
418
+ "python"
419
+ ],
420
+ "severity": "high"
421
+ },
422
+ {
423
+ "id": "XSS031",
424
+ "pattern": "\"[^\"]*#\\{[^}]+\\}[^\"]*\"|'[^']*#\\{[^}]+\\}[^']*'",
425
+ "flags": "",
426
+ "category": "xss",
427
+ "description": "XSS — Ruby: Sinatra route returning string with interpolation #{...}",
428
+ "language": [
429
+ "ruby"
430
+ ],
431
+ "severity": "high"
432
+ },
433
+ {
434
+ "id": "XSS032",
435
+ "pattern": "call\\s*\\.\\s*respondText\\s*\\(\\s*\\w",
436
+ "flags": "",
437
+ "category": "xss",
438
+ "description": "XSS — Kotlin: call.respondText with HTML variable (not just ContentType inline)",
439
+ "language": [
440
+ "kotlin"
441
+ ],
442
+ "severity": "high"
443
+ },
444
+ {
445
+ "id": "XSS033",
446
+ "pattern": "ErrorMessage\\s*=\\s*\\$['\"]",
447
+ "flags": "",
448
+ "category": "xss",
449
+ "description": "XSS — C#: @Html.Raw rendered from model property (ErrorMessage / body variable)",
450
+ "language": [
451
+ "csharp"
452
+ ],
453
+ "severity": "high"
454
+ },
455
+ {
456
+ "id": "XSS034",
457
+ "pattern": "echo\\s+.*\\$(?:_POST|_GET|_REQUEST|_COOKIE|comment|username|data|error)",
458
+ "flags": "i",
459
+ "category": "xss",
460
+ "description": "XSS - PHP echo with $_POST/$_GET",
461
+ "language": [
462
+ "php"
463
+ ],
464
+ "severity": "high"
465
+ },
466
+ {
467
+ "id": "XSS035",
468
+ "pattern": "(?:print_r|var_dump)\\s*\\(\\s*\\$_(?:REQUEST|GET|POST)",
469
+ "flags": "i",
470
+ "category": "xss",
471
+ "description": "XSS - PHP print_r/var_dump user input",
472
+ "language": [
473
+ "php"
474
+ ],
475
+ "severity": "high"
476
+ },
477
+ {
478
+ "id": "XSS036",
479
+ "pattern": "echo\\s+[\"'][^\"']*[\"']\\s*\\.\\s*\\$[a-zA-Z_]",
480
+ "flags": "i",
481
+ "category": "xss",
482
+ "description": "XSS - concatenation into HTML echo",
483
+ "language": [
484
+ "js",
485
+ "ts",
486
+ "python",
487
+ "java",
488
+ "go",
489
+ "csharp",
490
+ "php",
491
+ "ruby",
492
+ "rust",
493
+ "kotlin"
494
+ ],
495
+ "severity": "high"
496
+ },
497
+ {
498
+ "id": "XSS037",
499
+ "pattern": "(?:w\\.Write|fmt\\.Fprintf\\s*\\(\\s*w)[^;]*(?:r\\.URL\\.Query\\(\\)|r\\.FormValue|r\\.Header)",
500
+ "flags": "i",
501
+ "category": "xss",
502
+ "description": "XSS - Go w.Write/fmt.Fprintf with user input",
503
+ "language": [
504
+ "go"
505
+ ],
506
+ "severity": "high"
507
+ },
508
+ {
509
+ "id": "XSS038",
510
+ "pattern": "evaluateJavascript\\s*\\(|webView\\.loadUrl\\s*\\(|addJavascriptInterface\\s*\\(",
511
+ "flags": "i",
512
+ "category": "xss",
513
+ "description": "XSS - Kotlin WebView evaluateJavascript",
514
+ "language": [
515
+ "kotlin"
516
+ ],
517
+ "severity": "high"
518
+ },
519
+ {
520
+ "id": "XSS039",
521
+ "pattern": "\\.html_safe\\b|raw\\s*\\(",
522
+ "flags": "",
523
+ "category": "xss",
524
+ "description": "XSS - Ruby on Rails raw/html_safe with user content",
525
+ "language": [
526
+ "ruby"
527
+ ],
528
+ "severity": "high"
529
+ },
530
+ {
531
+ "id": "XSS040",
532
+ "pattern": "Response\\.Write\\s*\\([^)]*(?:Request\\.|QueryString|Form\\[)",
533
+ "flags": "i",
534
+ "category": "xss",
535
+ "description": "C# XSS: Response.Write with user input",
536
+ "language": [
537
+ "csharp"
538
+ ],
539
+ "severity": "high"
540
+ },
541
+ {
542
+ "id": "XSS041",
543
+ "pattern": "context\\.Response\\.Write\\s*\\([^)]*(?:\\+\\s*\\w|\\bname\\b|\\bq\\b)",
544
+ "flags": "i",
545
+ "category": "xss",
546
+ "description": "C# XSS: Response.Write with user input",
547
+ "language": [
548
+ "csharp"
549
+ ],
550
+ "severity": "high"
551
+ },
552
+ {
553
+ "id": "XSS042",
554
+ "pattern": "Response\\.Write\\s*\\(\"[^\"]*\"\\s*\\+",
555
+ "flags": "i",
556
+ "category": "xss",
557
+ "description": "C# XSS: Response.Write with user input",
558
+ "language": [
559
+ "csharp"
560
+ ],
561
+ "severity": "high"
562
+ },
563
+ {
564
+ "id": "XSS043",
565
+ "pattern": "render\\s+html:\\s*\\w+\\.html_safe",
566
+ "flags": "i",
567
+ "category": "xss",
568
+ "description": "Ruby XSS: html_safe / raw()",
569
+ "language": [
570
+ "ruby"
571
+ ],
572
+ "severity": "high"
573
+ },
574
+ {
575
+ "id": "XSS044",
576
+ "pattern": "echo\\s+[\"'][^\"']*[\"']\\s*\\.\\s*\\$(?:_GET|_POST|name|query|msg|error|comment)",
577
+ "flags": "i",
578
+ "category": "xss",
579
+ "description": "PHP XSS: echo without htmlspecialchars",
580
+ "language": [
581
+ "php"
582
+ ],
583
+ "severity": "high"
584
+ },
585
+ {
586
+ "id": "XSS045",
587
+ "pattern": "<\\?=\\s*\\$(?:username|profile|bio|color|font|theme|src|href)",
588
+ "flags": "i",
589
+ "category": "xss",
590
+ "description": "PHP XSS: echo without htmlspecialchars",
591
+ "language": [
592
+ "php"
593
+ ],
594
+ "severity": "high"
595
+ },
596
+ {
597
+ "id": "XSS046",
598
+ "pattern": "fmt\\.Fprintf\\s*\\(\\s*w[^)]*r\\.URL\\.Query\\(\\)\\.Get\\b",
599
+ "flags": "i",
600
+ "category": "xss",
601
+ "description": "Go XSS",
602
+ "language": [
603
+ "go"
604
+ ],
605
+ "severity": "high"
606
+ },
607
+ {
608
+ "id": "XSS047",
609
+ "pattern": "fmt\\.Fprintf\\s*\\(\\s*w[^)]*r\\.FormValue\\b",
610
+ "flags": "i",
611
+ "category": "xss",
612
+ "description": "Go XSS",
613
+ "language": [
614
+ "go"
615
+ ],
616
+ "severity": "high"
617
+ },
618
+ {
619
+ "id": "XSS048",
620
+ "pattern": "template\\.HTML\\s*\\([^)]*\\+\\s*\\w",
621
+ "flags": "i",
622
+ "category": "xss",
623
+ "description": "Go XSS",
624
+ "language": [
625
+ "go"
626
+ ],
627
+ "severity": "high"
628
+ },
629
+ {
630
+ "id": "XSS049",
631
+ "pattern": "res\\s*\\.\\s*send\\s*\\(\\s*['\"`].*\\+",
632
+ "flags": "",
633
+ "category": "xss",
634
+ "description": "XSS — Express res.send() with string concatenation containing user input",
635
+ "language": [
636
+ "js",
637
+ "ts"
638
+ ],
639
+ "severity": "high"
640
+ }
641
+ ]
@@ -0,0 +1,66 @@
1
+ [
2
+ {
3
+ "id": "XXE001",
4
+ "pattern": "XMLReaderFactory|DocumentBuilderFactory|XmlReader.*DtdProcessing",
5
+ "flags": "",
6
+ "category": "xxe",
7
+ "description": "XXE",
8
+ "language": [
9
+ "js",
10
+ "ts",
11
+ "python",
12
+ "java",
13
+ "go",
14
+ "csharp",
15
+ "php",
16
+ "ruby",
17
+ "rust",
18
+ "kotlin"
19
+ ],
20
+ "severity": "critical"
21
+ },
22
+ {
23
+ "id": "XXE002",
24
+ "pattern": "DtdProcessing\\s*=\\s*DtdProcessing\\.Parse",
25
+ "flags": "i",
26
+ "category": "xxe",
27
+ "description": "C# XXE: XmlDocument/XmlReader",
28
+ "language": [
29
+ "csharp"
30
+ ],
31
+ "severity": "critical"
32
+ },
33
+ {
34
+ "id": "XXE003",
35
+ "pattern": "XmlResolver\\s*=\\s*new XmlUrlResolver\\s*\\(\\)",
36
+ "flags": "i",
37
+ "category": "xxe",
38
+ "description": "C# XXE: XmlDocument/XmlReader",
39
+ "language": [
40
+ "csharp"
41
+ ],
42
+ "severity": "critical"
43
+ },
44
+ {
45
+ "id": "XXE004",
46
+ "pattern": "new XPathDocument\\s*\\(",
47
+ "flags": "i",
48
+ "category": "xxe",
49
+ "description": "C# XXE: XPathDocument (no resolver set = default unsafe on older .NET)",
50
+ "language": [
51
+ "csharp"
52
+ ],
53
+ "severity": "critical"
54
+ },
55
+ {
56
+ "id": "XXE005",
57
+ "pattern": "SAXParserFactory\\.newInstance\\s*\\(\\s*\\)",
58
+ "flags": "",
59
+ "category": "xxe",
60
+ "description": "Java: XXE via SAXParserFactory without secure processing",
61
+ "language": [
62
+ "java"
63
+ ],
64
+ "severity": "critical"
65
+ }
66
+ ]