thuban 0.4.1 → 0.4.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/package.json +63 -0
- package/dist/packages/crucible/rules/code-scanner-core.json +129 -0
- package/dist/packages/crucible/rules/command-injection.json +411 -0
- package/dist/packages/crucible/rules/crypto-misuse.json +35 -0
- package/dist/packages/crucible/rules/deserialization.json +152 -0
- package/dist/packages/crucible/rules/env-injection.json +46 -0
- package/dist/packages/crucible/rules/eval-abuse.json +104 -0
- package/dist/packages/crucible/rules/file-upload.json +46 -0
- package/dist/packages/crucible/rules/hallucination.json +22 -0
- package/dist/packages/crucible/rules/hardcoded-secret.json +397 -0
- package/dist/packages/crucible/rules/hardcoded-url.json +13 -0
- package/dist/packages/crucible/rules/insecure-crypto.json +302 -0
- package/dist/packages/crucible/rules/integer-overflow.json +35 -0
- package/dist/packages/crucible/rules/log-injection.json +33 -0
- package/dist/packages/crucible/rules/mass-assignment.json +112 -0
- package/dist/packages/crucible/rules/open-redirect.json +196 -0
- package/dist/packages/crucible/rules/path-traversal.json +422 -0
- package/dist/packages/crucible/rules/prototype-pollution.json +22 -0
- package/dist/packages/crucible/rules/sql-injection.json +597 -0
- package/dist/packages/crucible/rules/ssrf.json +557 -0
- package/dist/packages/crucible/rules/timing-attack.json +55 -0
- package/dist/packages/crucible/rules/unsafe-block.json +24 -0
- package/dist/packages/crucible/rules/xss.json +641 -0
- package/dist/packages/crucible/rules/xxe.json +66 -0
- package/dist/packages/crucible/rules/yaml-deserialization.json +22 -0
- package/dist/packages/crucible/rules/yaml-injection.json +22 -0
- package/package.json +4 -2
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "thuban",
|
|
3
|
+
"version": "0.4.2",
|
|
4
|
+
"description": "The safety layer for AI-coded software. Detect hallucinated APIs, ghost code, tech debt, and architecture drift. One command. Minimal dependencies.",
|
|
5
|
+
"bin": {
|
|
6
|
+
"thuban": "./dist/cli.js"
|
|
7
|
+
},
|
|
8
|
+
"scripts": {
|
|
9
|
+
"scan": "node cli.js scan",
|
|
10
|
+
"test": "node cli.js scan . --json > NUL",
|
|
11
|
+
"build": "node build.js",
|
|
12
|
+
"prepublishOnly": "npm run build"
|
|
13
|
+
},
|
|
14
|
+
"keywords": [
|
|
15
|
+
"code-quality",
|
|
16
|
+
"static-analysis",
|
|
17
|
+
"ai-hallucination",
|
|
18
|
+
"hallucination-detection",
|
|
19
|
+
"ghost-code",
|
|
20
|
+
"tech-debt",
|
|
21
|
+
"ai-code-review",
|
|
22
|
+
"code-health",
|
|
23
|
+
"pre-commit",
|
|
24
|
+
"copilot",
|
|
25
|
+
"cursor",
|
|
26
|
+
"ai-safety",
|
|
27
|
+
"developer-tools",
|
|
28
|
+
"devtools",
|
|
29
|
+
"linter",
|
|
30
|
+
"code-scanner"
|
|
31
|
+
],
|
|
32
|
+
"author": "Silverwings Benefits <hello@thuban.dev>",
|
|
33
|
+
"license": "SEE LICENSE IN LICENSE",
|
|
34
|
+
"homepage": "https://thuban.dev",
|
|
35
|
+
"repository": {
|
|
36
|
+
"type": "git",
|
|
37
|
+
"url": "https://github.com/SilverwingsBenefitsGit/thuban.git"
|
|
38
|
+
},
|
|
39
|
+
"bugs": {
|
|
40
|
+
"url": "https://github.com/SilverwingsBenefitsGit/thuban/issues"
|
|
41
|
+
},
|
|
42
|
+
"engines": {
|
|
43
|
+
"node": ">=16.0.0"
|
|
44
|
+
},
|
|
45
|
+
"files": [
|
|
46
|
+
"dist/cli.js",
|
|
47
|
+
"dist/packages/scanner/*.js",
|
|
48
|
+
"dist/packages/crucible/*.js",
|
|
49
|
+
"dist/packages/crucible/seeds/**",
|
|
50
|
+
"dist/packages/crucible/.golden/",
|
|
51
|
+
"dist/packages/crucible/rules/**",
|
|
52
|
+
"dist/README.md",
|
|
53
|
+
"dist/LICENSE",
|
|
54
|
+
"dist/package.json"
|
|
55
|
+
],
|
|
56
|
+
"dependencies": {
|
|
57
|
+
"@babel/parser": "^8.0.0",
|
|
58
|
+
"docx": "^9.7.1"
|
|
59
|
+
},
|
|
60
|
+
"devDependencies": {
|
|
61
|
+
"terser": "^5.48.0"
|
|
62
|
+
}
|
|
63
|
+
}
|
|
@@ -0,0 +1,129 @@
|
|
|
1
|
+
[
|
|
2
|
+
{
|
|
3
|
+
"id": "SEC001",
|
|
4
|
+
"name": "Hardcoded API Key",
|
|
5
|
+
"type": "hardcoded_secret",
|
|
6
|
+
"pattern": "['\"](?:sk-|pk-|xox[pboa]-|AKIA|ghp_|gho_|github_pat_)[a-zA-Z0-9_-]{10,}['\"]|['\"][a-zA-Z0-9]{32,}['\"]",
|
|
7
|
+
"flags": "",
|
|
8
|
+
"severity": "critical",
|
|
9
|
+
"message": "Possible hardcoded API key or secret detected",
|
|
10
|
+
"context": "(api[_-]?key|apikey|secret[_\\s]*key|token|credential|bearer)",
|
|
11
|
+
"contextFlags": "i",
|
|
12
|
+
"skipIfSafe": true
|
|
13
|
+
},
|
|
14
|
+
{
|
|
15
|
+
"id": "SEC001B",
|
|
16
|
+
"name": "Hardcoded API Key (bare)",
|
|
17
|
+
"type": "hardcoded_secret",
|
|
18
|
+
"pattern": "['\"](?:sk-|pk-|xox[pboa]-|AKIA|ghp_|gho_|github_pat_)[a-zA-Z0-9_-]{10,}['\"]",
|
|
19
|
+
"flags": "",
|
|
20
|
+
"severity": "critical",
|
|
21
|
+
"message": "Possible hardcoded API key or secret detected",
|
|
22
|
+
"skipIfSafe": true
|
|
23
|
+
},
|
|
24
|
+
{
|
|
25
|
+
"id": "SEC002",
|
|
26
|
+
"name": "Hardcoded Password",
|
|
27
|
+
"type": "hardcoded_secret",
|
|
28
|
+
"pattern": "password\\s*[:=]\\s*['\"][^'\"]+['\"]",
|
|
29
|
+
"flags": "i",
|
|
30
|
+
"severity": "critical",
|
|
31
|
+
"message": "Hardcoded password detected",
|
|
32
|
+
"skipIfSafe": true,
|
|
33
|
+
"skipInTests": true
|
|
34
|
+
},
|
|
35
|
+
{
|
|
36
|
+
"id": "SEC002B",
|
|
37
|
+
"name": "Hardcoded Password (JSON key)",
|
|
38
|
+
"type": "hardcoded_secret",
|
|
39
|
+
"pattern": "[\"']password[\"']\\s*:\\s*[\"'][^\"']+[\"']",
|
|
40
|
+
"flags": "i",
|
|
41
|
+
"severity": "critical",
|
|
42
|
+
"message": "Hardcoded password detected",
|
|
43
|
+
"skipIfSafe": true,
|
|
44
|
+
"skipInTests": true
|
|
45
|
+
},
|
|
46
|
+
{
|
|
47
|
+
"id": "SEC003",
|
|
48
|
+
"name": "SQL Injection Risk",
|
|
49
|
+
"type": "sql_injection",
|
|
50
|
+
"pattern": "\\b(?:SELECT|INSERT\\s+INTO|UPDATE|DELETE\\s+FROM|WHERE)\\b.*(\\$\\{|\\+\\s*['\"]|\\+\\s*\\w+|f['\"].*\\{|%s|%d)",
|
|
51
|
+
"flags": "i",
|
|
52
|
+
"severity": "error",
|
|
53
|
+
"message": "Potential SQL injection - use parameterized queries"
|
|
54
|
+
},
|
|
55
|
+
{
|
|
56
|
+
"id": "SEC004",
|
|
57
|
+
"name": "eval() Usage",
|
|
58
|
+
"type": "eval_abuse",
|
|
59
|
+
"pattern": "\\beval\\s*\\(",
|
|
60
|
+
"flags": "",
|
|
61
|
+
"severity": "error",
|
|
62
|
+
"message": "eval() is dangerous and should be avoided"
|
|
63
|
+
},
|
|
64
|
+
{
|
|
65
|
+
"id": "SEC004B",
|
|
66
|
+
"name": "eval() Usage (unicode-escaped)",
|
|
67
|
+
"type": "eval_abuse",
|
|
68
|
+
"pattern": "\\\\u0065\\\\u0076\\\\u0061\\\\u006[cC]",
|
|
69
|
+
"flags": "",
|
|
70
|
+
"severity": "error",
|
|
71
|
+
"message": "Obfuscated eval() usage (unicode escapes) is dangerous and should be avoided"
|
|
72
|
+
},
|
|
73
|
+
{
|
|
74
|
+
"id": "SEC005",
|
|
75
|
+
"name": "innerHTML/document.write Assignment",
|
|
76
|
+
"type": "xss",
|
|
77
|
+
"pattern": "\\.innerHTML\\s*=|\\bdocument\\.write\\s*\\(",
|
|
78
|
+
"flags": "",
|
|
79
|
+
"severity": "warning",
|
|
80
|
+
"message": "innerHTML/document.write can cause XSS - consider using textContent or sanitization"
|
|
81
|
+
},
|
|
82
|
+
{
|
|
83
|
+
"id": "SEC006",
|
|
84
|
+
"name": "Disabled Security",
|
|
85
|
+
"type": "insecure_config",
|
|
86
|
+
"pattern": "rejectUnauthorized\\s*:\\s*false|verify\\s*=\\s*False|InsecureSkipVerify\\s*:\\s*true",
|
|
87
|
+
"flags": "",
|
|
88
|
+
"severity": "error",
|
|
89
|
+
"message": "SSL certificate validation disabled"
|
|
90
|
+
},
|
|
91
|
+
{
|
|
92
|
+
"id": "SEC007",
|
|
93
|
+
"name": "Exposed .env Reference",
|
|
94
|
+
"type": "insecure_config",
|
|
95
|
+
"pattern": "\\.env['\"]",
|
|
96
|
+
"flags": "",
|
|
97
|
+
"severity": "warning",
|
|
98
|
+
"message": "Direct .env file manipulation - ensure not exposed",
|
|
99
|
+
"context": "fs\\.(read|write)|path\\.join|open\\s*\\(|os\\.Open",
|
|
100
|
+
"contextFlags": "i"
|
|
101
|
+
},
|
|
102
|
+
{
|
|
103
|
+
"id": "SEC008",
|
|
104
|
+
"name": "Unsafe Block (Rust)",
|
|
105
|
+
"type": "memory_safety",
|
|
106
|
+
"pattern": "\\bunsafe\\s*\\{",
|
|
107
|
+
"flags": "",
|
|
108
|
+
"severity": "warning",
|
|
109
|
+
"message": "Rust unsafe block - verify memory safety guarantees"
|
|
110
|
+
},
|
|
111
|
+
{
|
|
112
|
+
"id": "SEC009",
|
|
113
|
+
"name": "Shell Execution (PHP/Ruby)",
|
|
114
|
+
"type": "command_injection",
|
|
115
|
+
"pattern": "\\bshell_exec\\s*\\(|\\bpassthru\\s*\\(|`[^`]+`",
|
|
116
|
+
"flags": "",
|
|
117
|
+
"severity": "error",
|
|
118
|
+
"message": "Shell execution function - command injection risk if input unsanitized"
|
|
119
|
+
},
|
|
120
|
+
{
|
|
121
|
+
"id": "SEC010",
|
|
122
|
+
"name": "Prototype Pollution",
|
|
123
|
+
"type": "prototype_pollution",
|
|
124
|
+
"pattern": "\\[\\s*['\"]__proto__['\"]\\s*\\]|\\.__proto__\\s*(=|\\[)|constructor\\s*\\[\\s*['\"]prototype['\"]\\s*\\]|constructor\\.prototype\\s*(=|\\[)|['\"]__proto__['\"]\\s*:",
|
|
125
|
+
"flags": "",
|
|
126
|
+
"severity": "error",
|
|
127
|
+
"message": "Possible prototype pollution via __proto__/constructor.prototype"
|
|
128
|
+
}
|
|
129
|
+
]
|
|
@@ -0,0 +1,411 @@
|
|
|
1
|
+
[
|
|
2
|
+
{
|
|
3
|
+
"id": "CMD001",
|
|
4
|
+
"pattern": "exec(?:Sync|FileSync)?\\s*\\([^)]*\\+|os\\.system\\s*\\(|exec\\.Command\\s*\\([^)]*\\+",
|
|
5
|
+
"flags": "",
|
|
6
|
+
"category": "command_injection",
|
|
7
|
+
"description": "Command injection (original)",
|
|
8
|
+
"language": [
|
|
9
|
+
"js",
|
|
10
|
+
"ts",
|
|
11
|
+
"python",
|
|
12
|
+
"java",
|
|
13
|
+
"go",
|
|
14
|
+
"csharp",
|
|
15
|
+
"php",
|
|
16
|
+
"ruby",
|
|
17
|
+
"rust",
|
|
18
|
+
"kotlin"
|
|
19
|
+
],
|
|
20
|
+
"severity": "critical"
|
|
21
|
+
},
|
|
22
|
+
{
|
|
23
|
+
"id": "CMD002",
|
|
24
|
+
"pattern": "spawn\\s*\\([^)]*shell\\s*:\\s*true",
|
|
25
|
+
"flags": "",
|
|
26
|
+
"category": "command_injection",
|
|
27
|
+
"description": "Command injection — JS/TS: spawn with shell:true, execa",
|
|
28
|
+
"language": [
|
|
29
|
+
"js",
|
|
30
|
+
"ts"
|
|
31
|
+
],
|
|
32
|
+
"severity": "critical"
|
|
33
|
+
},
|
|
34
|
+
{
|
|
35
|
+
"id": "CMD003",
|
|
36
|
+
"pattern": "execa(?:\\.command)?\\s*\\(",
|
|
37
|
+
"flags": "",
|
|
38
|
+
"category": "command_injection",
|
|
39
|
+
"description": "Command injection — JS/TS: spawn with shell:true, execa",
|
|
40
|
+
"language": [
|
|
41
|
+
"js",
|
|
42
|
+
"ts"
|
|
43
|
+
],
|
|
44
|
+
"severity": "critical"
|
|
45
|
+
},
|
|
46
|
+
{
|
|
47
|
+
"id": "CMD004",
|
|
48
|
+
"pattern": "subprocess\\s*\\.\\s*(?:call|check_output|Popen|run)\\s*\\([^)]*shell\\s*=\\s*True",
|
|
49
|
+
"flags": "",
|
|
50
|
+
"category": "command_injection",
|
|
51
|
+
"description": "Command injection — Python: subprocess variants with shell=True, os.popen, paramiko",
|
|
52
|
+
"language": [
|
|
53
|
+
"python"
|
|
54
|
+
],
|
|
55
|
+
"severity": "critical"
|
|
56
|
+
},
|
|
57
|
+
{
|
|
58
|
+
"id": "CMD005",
|
|
59
|
+
"pattern": "os\\s*\\.\\s*popen\\s*\\(",
|
|
60
|
+
"flags": "",
|
|
61
|
+
"category": "command_injection",
|
|
62
|
+
"description": "Command injection — Python: subprocess variants with shell=True, os.popen, paramiko",
|
|
63
|
+
"language": [
|
|
64
|
+
"python"
|
|
65
|
+
],
|
|
66
|
+
"severity": "critical"
|
|
67
|
+
},
|
|
68
|
+
{
|
|
69
|
+
"id": "CMD006",
|
|
70
|
+
"pattern": "\\.exec_command\\s*\\(",
|
|
71
|
+
"flags": "",
|
|
72
|
+
"category": "command_injection",
|
|
73
|
+
"description": "Command injection — Python: subprocess variants with shell=True, os.popen, paramiko",
|
|
74
|
+
"language": [
|
|
75
|
+
"python"
|
|
76
|
+
],
|
|
77
|
+
"severity": "critical"
|
|
78
|
+
},
|
|
79
|
+
{
|
|
80
|
+
"id": "CMD007",
|
|
81
|
+
"pattern": "`[^`]*#\\{[^}]+\\}[^`]*`",
|
|
82
|
+
"flags": "",
|
|
83
|
+
"category": "command_injection",
|
|
84
|
+
"description": "Command injection — Ruby: backtick with interpolation, system, exec, Open3, IO.popen",
|
|
85
|
+
"language": [
|
|
86
|
+
"ruby"
|
|
87
|
+
],
|
|
88
|
+
"severity": "critical"
|
|
89
|
+
},
|
|
90
|
+
{
|
|
91
|
+
"id": "CMD008",
|
|
92
|
+
"pattern": "\\b(?:system|exec)\\s*\\(\\s*[\"'`]?[^\"'`\\n]*#\\{|\\b(?:system|exec)\\s*\\(\\s*[\"'][^\"']*[\"']\\s*\\+",
|
|
93
|
+
"flags": "",
|
|
94
|
+
"category": "command_injection",
|
|
95
|
+
"description": "Command injection — Ruby: backtick with interpolation, system, exec, Open3, IO.popen",
|
|
96
|
+
"language": [
|
|
97
|
+
"ruby"
|
|
98
|
+
],
|
|
99
|
+
"severity": "critical"
|
|
100
|
+
},
|
|
101
|
+
{
|
|
102
|
+
"id": "CMD009",
|
|
103
|
+
"pattern": "\\bIO\\.popen\\s*\\(|Open3\\.\\w+\\s*\\(",
|
|
104
|
+
"flags": "",
|
|
105
|
+
"category": "command_injection",
|
|
106
|
+
"description": "Command injection — Ruby: backtick with interpolation, system, exec, Open3, IO.popen",
|
|
107
|
+
"language": [
|
|
108
|
+
"ruby"
|
|
109
|
+
],
|
|
110
|
+
"severity": "critical"
|
|
111
|
+
},
|
|
112
|
+
{
|
|
113
|
+
"id": "CMD010",
|
|
114
|
+
"pattern": "Runtime\\s*\\.\\s*getRuntime\\s*\\(\\s*\\)\\s*\\.\\s*exec\\s*\\(",
|
|
115
|
+
"flags": "",
|
|
116
|
+
"category": "command_injection",
|
|
117
|
+
"description": "Command injection — Java/Kotlin: Runtime.exec, ProcessBuilder",
|
|
118
|
+
"language": [
|
|
119
|
+
"kotlin",
|
|
120
|
+
"java"
|
|
121
|
+
],
|
|
122
|
+
"severity": "critical"
|
|
123
|
+
},
|
|
124
|
+
{
|
|
125
|
+
"id": "CMD011",
|
|
126
|
+
"pattern": "new\\s+ProcessBuilder\\s*\\(",
|
|
127
|
+
"flags": "",
|
|
128
|
+
"category": "command_injection",
|
|
129
|
+
"description": "Command injection — Java/Kotlin: Runtime.exec, ProcessBuilder",
|
|
130
|
+
"language": [
|
|
131
|
+
"kotlin",
|
|
132
|
+
"java"
|
|
133
|
+
],
|
|
134
|
+
"severity": "critical"
|
|
135
|
+
},
|
|
136
|
+
{
|
|
137
|
+
"id": "CMD012",
|
|
138
|
+
"pattern": "Process\\s*\\.\\s*Start\\s*\\(|new\\s+ProcessStartInfo\\s*[({]",
|
|
139
|
+
"flags": "",
|
|
140
|
+
"category": "command_injection",
|
|
141
|
+
"description": "Command injection — C#: Process.Start / ProcessStartInfo",
|
|
142
|
+
"language": [
|
|
143
|
+
"csharp"
|
|
144
|
+
],
|
|
145
|
+
"severity": "critical"
|
|
146
|
+
},
|
|
147
|
+
{
|
|
148
|
+
"id": "CMD013",
|
|
149
|
+
"pattern": "Command\\s*::\\s*new\\s*\\(",
|
|
150
|
+
"flags": "",
|
|
151
|
+
"category": "command_injection",
|
|
152
|
+
"description": "Command injection — Rust: Command::new",
|
|
153
|
+
"language": [
|
|
154
|
+
"rust"
|
|
155
|
+
],
|
|
156
|
+
"severity": "critical"
|
|
157
|
+
},
|
|
158
|
+
{
|
|
159
|
+
"id": "CMD014",
|
|
160
|
+
"pattern": "\\bshell_exec\\s*\\(|\\bpassthru\\s*\\(|\\bpopen\\s*\\(",
|
|
161
|
+
"flags": "",
|
|
162
|
+
"category": "command_injection",
|
|
163
|
+
"description": "Command injection — PHP: shell_exec, system, passthru, popen, backtick with variable",
|
|
164
|
+
"language": [
|
|
165
|
+
"php"
|
|
166
|
+
],
|
|
167
|
+
"severity": "critical"
|
|
168
|
+
},
|
|
169
|
+
{
|
|
170
|
+
"id": "CMD015",
|
|
171
|
+
"pattern": "\\bsystem\\s*\\(\\s*[\"'][^\"']*[\"']\\s*\\.\\s*\\$|\\bsystem\\s*\\(\\s*\\$",
|
|
172
|
+
"flags": "",
|
|
173
|
+
"category": "command_injection",
|
|
174
|
+
"description": "Command injection — PHP: shell_exec, system, passthru, popen, backtick with variable",
|
|
175
|
+
"language": [
|
|
176
|
+
"php"
|
|
177
|
+
],
|
|
178
|
+
"severity": "critical"
|
|
179
|
+
},
|
|
180
|
+
{
|
|
181
|
+
"id": "CMD016",
|
|
182
|
+
"pattern": "`[^`]*\\$(?:_GET|_POST|_REQUEST|_COOKIE|\\w+)[^`]*`",
|
|
183
|
+
"flags": "",
|
|
184
|
+
"category": "command_injection",
|
|
185
|
+
"description": "Command injection — PHP: shell_exec, system, passthru, popen, backtick with variable",
|
|
186
|
+
"language": [
|
|
187
|
+
"php"
|
|
188
|
+
],
|
|
189
|
+
"severity": "critical"
|
|
190
|
+
},
|
|
191
|
+
{
|
|
192
|
+
"id": "CMD017",
|
|
193
|
+
"pattern": "exec\\s*\\.\\s*Command\\s*\\([^)]*fmt\\.Sprintf|exec\\s*\\.\\s*Command\\s*\\([^)]*parts\\b",
|
|
194
|
+
"flags": "",
|
|
195
|
+
"category": "command_injection",
|
|
196
|
+
"description": "Command injection — Go: exec.Command with fmt.Sprintf, user-split args, or /bin/sh -c pattern",
|
|
197
|
+
"language": [
|
|
198
|
+
"go"
|
|
199
|
+
],
|
|
200
|
+
"severity": "critical"
|
|
201
|
+
},
|
|
202
|
+
{
|
|
203
|
+
"id": "CMD018",
|
|
204
|
+
"pattern": "exec\\s*\\.\\s*Command\\s*\\(\\s*[\"']\\/bin\\/(?:sh|bash)[\"']\\s*,\\s*[\"']-c[\"']",
|
|
205
|
+
"flags": "",
|
|
206
|
+
"category": "command_injection",
|
|
207
|
+
"description": "Command injection — Go: exec.Command with fmt.Sprintf, user-split args, or /bin/sh -c pattern",
|
|
208
|
+
"language": [
|
|
209
|
+
"go"
|
|
210
|
+
],
|
|
211
|
+
"severity": "critical"
|
|
212
|
+
},
|
|
213
|
+
{
|
|
214
|
+
"id": "CMD019",
|
|
215
|
+
"pattern": "\\bexec\\s*\\(\\s*[\"'][^\"']*[\"']\\s*\\.\\s*\\$|\\bexec\\s*\\(\\s*\\$",
|
|
216
|
+
"flags": "",
|
|
217
|
+
"category": "command_injection",
|
|
218
|
+
"description": "Command injection — PHP: exec() with user input",
|
|
219
|
+
"language": [
|
|
220
|
+
"php"
|
|
221
|
+
],
|
|
222
|
+
"severity": "critical"
|
|
223
|
+
},
|
|
224
|
+
{
|
|
225
|
+
"id": "CMD020",
|
|
226
|
+
"pattern": "ProcessStartInfo\\s*\\{[^}]*Arguments\\s*=\\s*\\$[\"']",
|
|
227
|
+
"flags": "i",
|
|
228
|
+
"category": "command_injection",
|
|
229
|
+
"description": "C# command injection: ProcessStartInfo / Process.Start with user input",
|
|
230
|
+
"language": [
|
|
231
|
+
"csharp"
|
|
232
|
+
],
|
|
233
|
+
"severity": "critical"
|
|
234
|
+
},
|
|
235
|
+
{
|
|
236
|
+
"id": "CMD021",
|
|
237
|
+
"pattern": "Arguments\\s*=\\s*\\$[\"'][^\"']*\\{(?:host|cmd|args|input|filename|email|script)",
|
|
238
|
+
"flags": "i",
|
|
239
|
+
"category": "command_injection",
|
|
240
|
+
"description": "C# command injection: ProcessStartInfo / Process.Start with user input",
|
|
241
|
+
"language": [
|
|
242
|
+
"csharp"
|
|
243
|
+
],
|
|
244
|
+
"severity": "critical"
|
|
245
|
+
},
|
|
246
|
+
{
|
|
247
|
+
"id": "CMD022",
|
|
248
|
+
"pattern": "new ProcessStartInfo\\s*\\(\\s*[\"'][^\"']*(?:bash|sh|cmd)[\"']",
|
|
249
|
+
"flags": "i",
|
|
250
|
+
"category": "command_injection",
|
|
251
|
+
"description": "C# command injection: ProcessStartInfo / Process.Start with user input",
|
|
252
|
+
"language": [
|
|
253
|
+
"csharp"
|
|
254
|
+
],
|
|
255
|
+
"severity": "critical"
|
|
256
|
+
},
|
|
257
|
+
{
|
|
258
|
+
"id": "CMD023",
|
|
259
|
+
"pattern": "`[^`]*#\\{[^`]*`",
|
|
260
|
+
"flags": "",
|
|
261
|
+
"category": "command_injection",
|
|
262
|
+
"description": "Ruby command injection: backtick, system(), exec(), Open3, IO.popen",
|
|
263
|
+
"language": [
|
|
264
|
+
"ruby"
|
|
265
|
+
],
|
|
266
|
+
"severity": "critical"
|
|
267
|
+
},
|
|
268
|
+
{
|
|
269
|
+
"id": "CMD024",
|
|
270
|
+
"pattern": "\\bsystem\\s*\\([^)]*#\\{",
|
|
271
|
+
"flags": "i",
|
|
272
|
+
"category": "command_injection",
|
|
273
|
+
"description": "Ruby command injection: backtick, system(), exec(), Open3, IO.popen",
|
|
274
|
+
"language": [
|
|
275
|
+
"ruby"
|
|
276
|
+
],
|
|
277
|
+
"severity": "critical"
|
|
278
|
+
},
|
|
279
|
+
{
|
|
280
|
+
"id": "CMD025",
|
|
281
|
+
"pattern": "\\bexec\\s*\\([^)]*#\\{",
|
|
282
|
+
"flags": "i",
|
|
283
|
+
"category": "command_injection",
|
|
284
|
+
"description": "Ruby command injection: backtick, system(), exec(), Open3, IO.popen",
|
|
285
|
+
"language": [
|
|
286
|
+
"ruby"
|
|
287
|
+
],
|
|
288
|
+
"severity": "critical"
|
|
289
|
+
},
|
|
290
|
+
{
|
|
291
|
+
"id": "CMD026",
|
|
292
|
+
"pattern": "Open3\\.capture2\\s*\\(.*(?:#\\{|cmd)",
|
|
293
|
+
"flags": "i",
|
|
294
|
+
"category": "command_injection",
|
|
295
|
+
"description": "Ruby command injection: backtick, system(), exec(), Open3, IO.popen",
|
|
296
|
+
"language": [
|
|
297
|
+
"ruby"
|
|
298
|
+
],
|
|
299
|
+
"severity": "critical"
|
|
300
|
+
},
|
|
301
|
+
{
|
|
302
|
+
"id": "CMD027",
|
|
303
|
+
"pattern": "IO\\.popen\\s*\\([^)]*#\\{",
|
|
304
|
+
"flags": "i",
|
|
305
|
+
"category": "command_injection",
|
|
306
|
+
"description": "Ruby command injection: backtick, system(), exec(), Open3, IO.popen",
|
|
307
|
+
"language": [
|
|
308
|
+
"ruby"
|
|
309
|
+
],
|
|
310
|
+
"severity": "critical"
|
|
311
|
+
},
|
|
312
|
+
{
|
|
313
|
+
"id": "CMD028",
|
|
314
|
+
"pattern": "\\bspawn\\s*\\([^)]*#\\{",
|
|
315
|
+
"flags": "i",
|
|
316
|
+
"category": "command_injection",
|
|
317
|
+
"description": "Ruby command injection: backtick, system(), exec(), Open3, IO.popen",
|
|
318
|
+
"language": [
|
|
319
|
+
"ruby"
|
|
320
|
+
],
|
|
321
|
+
"severity": "critical"
|
|
322
|
+
},
|
|
323
|
+
{
|
|
324
|
+
"id": "CMD029",
|
|
325
|
+
"pattern": "\\bexec\\s*\\(\\s*[\"'][^\"']*[\"']?\\s*\\.\\s*\\$(?:_GET|_POST|host|cmd|ip)",
|
|
326
|
+
"flags": "i",
|
|
327
|
+
"category": "command_injection",
|
|
328
|
+
"description": "PHP command injection",
|
|
329
|
+
"language": [
|
|
330
|
+
"php"
|
|
331
|
+
],
|
|
332
|
+
"severity": "critical"
|
|
333
|
+
},
|
|
334
|
+
{
|
|
335
|
+
"id": "CMD030",
|
|
336
|
+
"pattern": "shell_exec\\s*\\([^)]*\\$(?:_GET|_POST|domain|ip|host|cmd|server)",
|
|
337
|
+
"flags": "i",
|
|
338
|
+
"category": "command_injection",
|
|
339
|
+
"description": "PHP command injection",
|
|
340
|
+
"language": [
|
|
341
|
+
"php"
|
|
342
|
+
],
|
|
343
|
+
"severity": "critical"
|
|
344
|
+
},
|
|
345
|
+
{
|
|
346
|
+
"id": "CMD031",
|
|
347
|
+
"pattern": "\\bsystem\\s*\\([^)]*\\$(?:_GET|_POST|src|dest|format|file)",
|
|
348
|
+
"flags": "i",
|
|
349
|
+
"category": "command_injection",
|
|
350
|
+
"description": "PHP command injection",
|
|
351
|
+
"language": [
|
|
352
|
+
"php"
|
|
353
|
+
],
|
|
354
|
+
"severity": "critical"
|
|
355
|
+
},
|
|
356
|
+
{
|
|
357
|
+
"id": "CMD032",
|
|
358
|
+
"pattern": "passthru\\s*\\([^)]*\\$(?:_POST|_GET|archive|zip|dest)",
|
|
359
|
+
"flags": "i",
|
|
360
|
+
"category": "command_injection",
|
|
361
|
+
"description": "PHP command injection",
|
|
362
|
+
"language": [
|
|
363
|
+
"php"
|
|
364
|
+
],
|
|
365
|
+
"severity": "critical"
|
|
366
|
+
},
|
|
367
|
+
{
|
|
368
|
+
"id": "CMD033",
|
|
369
|
+
"pattern": "popen\\s*\\(\\s*[\"'][^\"']*[\"']?\\s*\\.\\s*\\$(?:_GET|pattern|logfile)",
|
|
370
|
+
"flags": "i",
|
|
371
|
+
"category": "command_injection",
|
|
372
|
+
"description": "PHP command injection",
|
|
373
|
+
"language": [
|
|
374
|
+
"php"
|
|
375
|
+
],
|
|
376
|
+
"severity": "critical"
|
|
377
|
+
},
|
|
378
|
+
{
|
|
379
|
+
"id": "CMD034",
|
|
380
|
+
"pattern": "exec\\.Command\\s*\\(\\s*[\"'][^\"']*(?:bash|sh)[\"'][^)]*\"-c\"",
|
|
381
|
+
"flags": "i",
|
|
382
|
+
"category": "command_injection",
|
|
383
|
+
"description": "Go command injection",
|
|
384
|
+
"language": [
|
|
385
|
+
"go"
|
|
386
|
+
],
|
|
387
|
+
"severity": "critical"
|
|
388
|
+
},
|
|
389
|
+
{
|
|
390
|
+
"id": "CMD035",
|
|
391
|
+
"pattern": "exec\\.Command\\s*\\(\\s*[\"'][^\"']*(?:sh|bash)[\"'][^)]*cmdStr",
|
|
392
|
+
"flags": "i",
|
|
393
|
+
"category": "command_injection",
|
|
394
|
+
"description": "Go command injection",
|
|
395
|
+
"language": [
|
|
396
|
+
"go"
|
|
397
|
+
],
|
|
398
|
+
"severity": "critical"
|
|
399
|
+
},
|
|
400
|
+
{
|
|
401
|
+
"id": "CMD036",
|
|
402
|
+
"pattern": "cmd\\s*:=\\s*exec\\.Command\\s*\\([^)]*\\+",
|
|
403
|
+
"flags": "i",
|
|
404
|
+
"category": "command_injection",
|
|
405
|
+
"description": "Go command injection",
|
|
406
|
+
"language": [
|
|
407
|
+
"go"
|
|
408
|
+
],
|
|
409
|
+
"severity": "critical"
|
|
410
|
+
}
|
|
411
|
+
]
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
[
|
|
2
|
+
{
|
|
3
|
+
"id": "CMISUSE001",
|
|
4
|
+
"pattern": "use\\s+md5\\b|md5::compute|ecb_encrypt|AesCipher|nonce\\s*=\\s*0\\b",
|
|
5
|
+
"flags": "i",
|
|
6
|
+
"category": "crypto_misuse",
|
|
7
|
+
"description": "crypto_misuse (Rust-specific)",
|
|
8
|
+
"language": [
|
|
9
|
+
"rust"
|
|
10
|
+
],
|
|
11
|
+
"severity": "medium"
|
|
12
|
+
},
|
|
13
|
+
{
|
|
14
|
+
"id": "CMISUSE002",
|
|
15
|
+
"pattern": "\\bxor_encrypt\\b|\\bxor_decrypt\\b|\\brot13\\b|\\bcaesar_cipher\\b",
|
|
16
|
+
"flags": "i",
|
|
17
|
+
"category": "crypto_misuse",
|
|
18
|
+
"description": "Rust: crypto misuse (homegrown ciphers)",
|
|
19
|
+
"language": [
|
|
20
|
+
"rust"
|
|
21
|
+
],
|
|
22
|
+
"severity": "medium"
|
|
23
|
+
},
|
|
24
|
+
{
|
|
25
|
+
"id": "CMISUSE003",
|
|
26
|
+
"pattern": "struct\\s+Rc4\\b|\\brc4\\b",
|
|
27
|
+
"flags": "i",
|
|
28
|
+
"category": "crypto_misuse",
|
|
29
|
+
"description": "Rust: crypto misuse (homegrown ciphers)",
|
|
30
|
+
"language": [
|
|
31
|
+
"rust"
|
|
32
|
+
],
|
|
33
|
+
"severity": "medium"
|
|
34
|
+
}
|
|
35
|
+
]
|