thuban 0.4.1 → 0.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (27) hide show
  1. package/dist/package.json +63 -0
  2. package/dist/packages/crucible/rules/code-scanner-core.json +129 -0
  3. package/dist/packages/crucible/rules/command-injection.json +411 -0
  4. package/dist/packages/crucible/rules/crypto-misuse.json +35 -0
  5. package/dist/packages/crucible/rules/deserialization.json +152 -0
  6. package/dist/packages/crucible/rules/env-injection.json +46 -0
  7. package/dist/packages/crucible/rules/eval-abuse.json +104 -0
  8. package/dist/packages/crucible/rules/file-upload.json +46 -0
  9. package/dist/packages/crucible/rules/hallucination.json +22 -0
  10. package/dist/packages/crucible/rules/hardcoded-secret.json +397 -0
  11. package/dist/packages/crucible/rules/hardcoded-url.json +13 -0
  12. package/dist/packages/crucible/rules/insecure-crypto.json +302 -0
  13. package/dist/packages/crucible/rules/integer-overflow.json +35 -0
  14. package/dist/packages/crucible/rules/log-injection.json +33 -0
  15. package/dist/packages/crucible/rules/mass-assignment.json +112 -0
  16. package/dist/packages/crucible/rules/open-redirect.json +196 -0
  17. package/dist/packages/crucible/rules/path-traversal.json +422 -0
  18. package/dist/packages/crucible/rules/prototype-pollution.json +22 -0
  19. package/dist/packages/crucible/rules/sql-injection.json +597 -0
  20. package/dist/packages/crucible/rules/ssrf.json +557 -0
  21. package/dist/packages/crucible/rules/timing-attack.json +55 -0
  22. package/dist/packages/crucible/rules/unsafe-block.json +24 -0
  23. package/dist/packages/crucible/rules/xss.json +641 -0
  24. package/dist/packages/crucible/rules/xxe.json +66 -0
  25. package/dist/packages/crucible/rules/yaml-deserialization.json +22 -0
  26. package/dist/packages/crucible/rules/yaml-injection.json +22 -0
  27. package/package.json +4 -2
@@ -0,0 +1,152 @@
1
+ [
2
+ {
3
+ "id": "DESER001",
4
+ "pattern": "pickle\\.loads|ObjectInputStream|BinaryFormatter|unserialize\\s*\\(",
5
+ "flags": "",
6
+ "category": "deserialization",
7
+ "description": "Deserialization (expanded)",
8
+ "language": [
9
+ "js",
10
+ "ts",
11
+ "python",
12
+ "java",
13
+ "go",
14
+ "csharp",
15
+ "php",
16
+ "ruby",
17
+ "rust",
18
+ "kotlin"
19
+ ],
20
+ "severity": "critical"
21
+ },
22
+ {
23
+ "id": "DESER002",
24
+ "pattern": "DataContractSerializer|JavaScriptSerializer|JsonConvert\\.DeserializeObject\\s*<(?!string)",
25
+ "flags": "i",
26
+ "category": "deserialization",
27
+ "description": "Deserialization (expanded)",
28
+ "language": [
29
+ "js",
30
+ "ts",
31
+ "python",
32
+ "java",
33
+ "go",
34
+ "csharp",
35
+ "php",
36
+ "ruby",
37
+ "rust",
38
+ "kotlin"
39
+ ],
40
+ "severity": "critical"
41
+ },
42
+ {
43
+ "id": "DESER003",
44
+ "pattern": "ObjectMessage|message\\.getObject\\s*\\(\\)|readObject\\s*\\(\\)",
45
+ "flags": "",
46
+ "category": "deserialization",
47
+ "description": "Deserialization (expanded)",
48
+ "language": [
49
+ "js",
50
+ "ts",
51
+ "python",
52
+ "java",
53
+ "go",
54
+ "csharp",
55
+ "php",
56
+ "ruby",
57
+ "rust",
58
+ "kotlin"
59
+ ],
60
+ "severity": "critical"
61
+ },
62
+ {
63
+ "id": "DESER004",
64
+ "pattern": "new BinaryFormatter\\s*\\(\\)",
65
+ "flags": "i",
66
+ "category": "deserialization",
67
+ "description": "C# deserialization",
68
+ "language": [
69
+ "csharp"
70
+ ],
71
+ "severity": "critical"
72
+ },
73
+ {
74
+ "id": "DESER005",
75
+ "pattern": "TypeNameHandling\\.(?:All|Objects|Auto)",
76
+ "flags": "i",
77
+ "category": "deserialization",
78
+ "description": "C# deserialization",
79
+ "language": [
80
+ "csharp"
81
+ ],
82
+ "severity": "critical"
83
+ },
84
+ {
85
+ "id": "DESER006",
86
+ "pattern": "new LosFormatter\\s*\\(\\)",
87
+ "flags": "i",
88
+ "category": "deserialization",
89
+ "description": "C# deserialization",
90
+ "language": [
91
+ "csharp"
92
+ ],
93
+ "severity": "critical"
94
+ },
95
+ {
96
+ "id": "DESER007",
97
+ "pattern": "unserialize\\s*\\(\\s*\\$(?:_GET|_POST|_REQUEST|_COOKIE|data)",
98
+ "flags": "i",
99
+ "category": "deserialization",
100
+ "description": "PHP deserialization",
101
+ "language": [
102
+ "php"
103
+ ],
104
+ "severity": "critical"
105
+ },
106
+ {
107
+ "id": "DESER008",
108
+ "pattern": "Class\\.forName\\s*\\(",
109
+ "flags": "",
110
+ "category": "deserialization",
111
+ "description": "Kotlin: deserialization (Gson Class.forName, Kryo unsafe config)",
112
+ "language": [
113
+ "kotlin"
114
+ ],
115
+ "severity": "critical"
116
+ },
117
+ {
118
+ "id": "DESER009",
119
+ "pattern": "kryo\\.readClassAndObject\\s*\\(|isRegistrationRequired\\s*=\\s*false",
120
+ "flags": "i",
121
+ "category": "deserialization",
122
+ "description": "Kotlin: deserialization (Gson Class.forName, Kryo unsafe config)",
123
+ "language": [
124
+ "kotlin"
125
+ ],
126
+ "severity": "critical"
127
+ },
128
+ {
129
+ "id": "DESER010",
130
+ "pattern": "\\[\\s*\\w+\\.(?:action|method|nextStep|type)\\s*\\]",
131
+ "flags": "",
132
+ "category": "deserialization",
133
+ "description": "JS/TS: unsafe deserialization via dynamic property/method dispatch",
134
+ "language": [
135
+ "js",
136
+ "ts"
137
+ ],
138
+ "severity": "critical"
139
+ },
140
+ {
141
+ "id": "DESER011",
142
+ "pattern": "plainToClass\\s*\\(\\s*\\w+\\s*,",
143
+ "flags": "",
144
+ "category": "deserialization",
145
+ "description": "JS/TS: unsafe deserialization via dynamic property/method dispatch",
146
+ "language": [
147
+ "js",
148
+ "ts"
149
+ ],
150
+ "severity": "critical"
151
+ }
152
+ ]
@@ -0,0 +1,46 @@
1
+ [
2
+ {
3
+ "id": "ENV001",
4
+ "pattern": "(?:println!|eprintln!)\\s*\\(\\s*\"[^\"]*(?:API_KEY|password|secret|token)[^\"]*\"",
5
+ "flags": "i",
6
+ "category": "env_injection",
7
+ "description": "Rust: env var / secret injection into logs or responses",
8
+ "language": [
9
+ "rust"
10
+ ],
11
+ "severity": "medium"
12
+ },
13
+ {
14
+ "id": "ENV002",
15
+ "pattern": "env::vars\\s*\\(\\s*\\)",
16
+ "flags": "",
17
+ "category": "env_injection",
18
+ "description": "Rust: env var / secret injection into logs or responses",
19
+ "language": [
20
+ "rust"
21
+ ],
22
+ "severity": "medium"
23
+ },
24
+ {
25
+ "id": "ENV003",
26
+ "pattern": "env::var\\s*\\(\\s*key\\s*\\)",
27
+ "flags": "",
28
+ "category": "env_injection",
29
+ "description": "Rust: env var / secret injection into logs or responses",
30
+ "language": [
31
+ "rust"
32
+ ],
33
+ "severity": "medium"
34
+ },
35
+ {
36
+ "id": "ENV004",
37
+ "pattern": "json!\\s*\\(\\s*\\{[\\s\\S]*?env::var",
38
+ "flags": "",
39
+ "category": "env_injection",
40
+ "description": "Rust: env var / secret injection into logs or responses",
41
+ "language": [
42
+ "rust"
43
+ ],
44
+ "severity": "medium"
45
+ }
46
+ ]
@@ -0,0 +1,104 @@
1
+ [
2
+ {
3
+ "id": "EVAL001",
4
+ "pattern": "\\beval\\s*\\(|new\\s+Function\\s*\\(",
5
+ "flags": "",
6
+ "category": "eval_abuse",
7
+ "description": "eval abuse (direct and indirect)",
8
+ "language": [
9
+ "js",
10
+ "ts",
11
+ "python",
12
+ "java",
13
+ "go",
14
+ "csharp",
15
+ "php",
16
+ "ruby",
17
+ "rust",
18
+ "kotlin"
19
+ ],
20
+ "severity": "critical"
21
+ },
22
+ {
23
+ "id": "EVAL002",
24
+ "pattern": "const\\s+\\w+\\s*=\\s*eval\\b|let\\s+\\w+\\s*=\\s*eval\\b|var\\s+\\w+\\s*=\\s*eval\\b",
25
+ "flags": "",
26
+ "category": "eval_abuse",
27
+ "description": "eval abuse (direct and indirect)",
28
+ "language": [
29
+ "js",
30
+ "ts",
31
+ "python",
32
+ "java",
33
+ "go",
34
+ "csharp",
35
+ "php",
36
+ "ruby",
37
+ "rust",
38
+ "kotlin"
39
+ ],
40
+ "severity": "critical"
41
+ },
42
+ {
43
+ "id": "EVAL003",
44
+ "pattern": "eval\\s*\\(\\s*atob\\s*\\(|eval\\s*\\(\\s*Buffer\\.from\\s*\\([^)]*base64",
45
+ "flags": "i",
46
+ "category": "eval_abuse",
47
+ "description": "eval() fed an encoded/decoded payload (base64 atob/Buffer.from, hex, etc.)",
48
+ "language": [
49
+ "js",
50
+ "ts",
51
+ "python",
52
+ "java",
53
+ "go",
54
+ "csharp",
55
+ "php",
56
+ "ruby",
57
+ "rust",
58
+ "kotlin"
59
+ ],
60
+ "severity": "critical"
61
+ },
62
+ {
63
+ "id": "EVAL004",
64
+ "pattern": "eval\\s*\\(\\s*\\w+\\.from\\s*\\(.*['\"]hex['\"]\\)",
65
+ "flags": "i",
66
+ "category": "eval_abuse",
67
+ "description": "eval() fed an encoded/decoded payload (base64 atob/Buffer.from, hex, etc.)",
68
+ "language": [
69
+ "js",
70
+ "ts",
71
+ "python",
72
+ "java",
73
+ "go",
74
+ "csharp",
75
+ "php",
76
+ "ruby",
77
+ "rust",
78
+ "kotlin"
79
+ ],
80
+ "severity": "critical"
81
+ },
82
+ {
83
+ "id": "EVAL005",
84
+ "pattern": "\\bexec\\s*\\(\\s*(?:code\\b|hook_code\\b|compile\\s*\\()",
85
+ "flags": "",
86
+ "category": "eval_abuse",
87
+ "description": "Python: exec() with user-controlled code string",
88
+ "language": [
89
+ "python"
90
+ ],
91
+ "severity": "critical"
92
+ },
93
+ {
94
+ "id": "EVAL006",
95
+ "pattern": "_\\.template\\s*\\(\\s*(?:template|tpl)\\b",
96
+ "flags": "",
97
+ "category": "eval_abuse",
98
+ "description": "TypeScript: lodash template compilation (code execution)",
99
+ "language": [
100
+ "typescript"
101
+ ],
102
+ "severity": "critical"
103
+ }
104
+ ]
@@ -0,0 +1,46 @@
1
+ [
2
+ {
3
+ "id": "UPLOAD001",
4
+ "pattern": "move_uploaded_file\\s*\\([^,]+,\\s*\\$[^)]*['\"]\\s*\\.\\s*\\$_FILES",
5
+ "flags": "i",
6
+ "category": "file_upload",
7
+ "description": "PHP file upload: move_uploaded_file with original filename (no extension check)",
8
+ "language": [
9
+ "php"
10
+ ],
11
+ "severity": "medium"
12
+ },
13
+ {
14
+ "id": "UPLOAD002",
15
+ "pattern": "move_uploaded_file\\s*\\(\\s*\\$_FILES\\[",
16
+ "flags": "i",
17
+ "category": "file_upload",
18
+ "description": "PHP file upload: move_uploaded_file with original filename (no extension check)",
19
+ "language": [
20
+ "php"
21
+ ],
22
+ "severity": "medium"
23
+ },
24
+ {
25
+ "id": "UPLOAD003",
26
+ "pattern": "move_uploaded_file\\s*\\([^)]*\\$(?:destination|target_file|dest|path)",
27
+ "flags": "i",
28
+ "category": "file_upload",
29
+ "description": "PHP file upload: move_uploaded_file with original filename (no extension check)",
30
+ "language": [
31
+ "php"
32
+ ],
33
+ "severity": "medium"
34
+ },
35
+ {
36
+ "id": "UPLOAD004",
37
+ "pattern": "\\$_FILES\\[['\"]\\w+['\"]\\]\\[['\"](?:name|tmp_name)['\"]\\]",
38
+ "flags": "i",
39
+ "category": "file_upload",
40
+ "description": "PHP file upload: move_uploaded_file with original filename (no extension check)",
41
+ "language": [
42
+ "php"
43
+ ],
44
+ "severity": "medium"
45
+ }
46
+ ]
@@ -0,0 +1,22 @@
1
+ [
2
+ {
3
+ "id": "HALL001",
4
+ "pattern": "fs\\.readFileAsync\\s*\\(|fs\\.writeFileAsync\\s*\\(|http\\.getAsync\\s*\\(",
5
+ "flags": "",
6
+ "category": "hallucination",
7
+ "description": "Hallucination",
8
+ "language": [
9
+ "js",
10
+ "ts",
11
+ "python",
12
+ "java",
13
+ "go",
14
+ "csharp",
15
+ "php",
16
+ "ruby",
17
+ "rust",
18
+ "kotlin"
19
+ ],
20
+ "severity": "medium"
21
+ }
22
+ ]