thuban 0.4.1 → 0.4.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/package.json +63 -0
- package/dist/packages/crucible/rules/code-scanner-core.json +129 -0
- package/dist/packages/crucible/rules/command-injection.json +411 -0
- package/dist/packages/crucible/rules/crypto-misuse.json +35 -0
- package/dist/packages/crucible/rules/deserialization.json +152 -0
- package/dist/packages/crucible/rules/env-injection.json +46 -0
- package/dist/packages/crucible/rules/eval-abuse.json +104 -0
- package/dist/packages/crucible/rules/file-upload.json +46 -0
- package/dist/packages/crucible/rules/hallucination.json +22 -0
- package/dist/packages/crucible/rules/hardcoded-secret.json +397 -0
- package/dist/packages/crucible/rules/hardcoded-url.json +13 -0
- package/dist/packages/crucible/rules/insecure-crypto.json +302 -0
- package/dist/packages/crucible/rules/integer-overflow.json +35 -0
- package/dist/packages/crucible/rules/log-injection.json +33 -0
- package/dist/packages/crucible/rules/mass-assignment.json +112 -0
- package/dist/packages/crucible/rules/open-redirect.json +196 -0
- package/dist/packages/crucible/rules/path-traversal.json +422 -0
- package/dist/packages/crucible/rules/prototype-pollution.json +22 -0
- package/dist/packages/crucible/rules/sql-injection.json +597 -0
- package/dist/packages/crucible/rules/ssrf.json +557 -0
- package/dist/packages/crucible/rules/timing-attack.json +55 -0
- package/dist/packages/crucible/rules/unsafe-block.json +24 -0
- package/dist/packages/crucible/rules/xss.json +641 -0
- package/dist/packages/crucible/rules/xxe.json +66 -0
- package/dist/packages/crucible/rules/yaml-deserialization.json +22 -0
- package/dist/packages/crucible/rules/yaml-injection.json +22 -0
- package/package.json +4 -2
|
@@ -0,0 +1,152 @@
|
|
|
1
|
+
[
|
|
2
|
+
{
|
|
3
|
+
"id": "DESER001",
|
|
4
|
+
"pattern": "pickle\\.loads|ObjectInputStream|BinaryFormatter|unserialize\\s*\\(",
|
|
5
|
+
"flags": "",
|
|
6
|
+
"category": "deserialization",
|
|
7
|
+
"description": "Deserialization (expanded)",
|
|
8
|
+
"language": [
|
|
9
|
+
"js",
|
|
10
|
+
"ts",
|
|
11
|
+
"python",
|
|
12
|
+
"java",
|
|
13
|
+
"go",
|
|
14
|
+
"csharp",
|
|
15
|
+
"php",
|
|
16
|
+
"ruby",
|
|
17
|
+
"rust",
|
|
18
|
+
"kotlin"
|
|
19
|
+
],
|
|
20
|
+
"severity": "critical"
|
|
21
|
+
},
|
|
22
|
+
{
|
|
23
|
+
"id": "DESER002",
|
|
24
|
+
"pattern": "DataContractSerializer|JavaScriptSerializer|JsonConvert\\.DeserializeObject\\s*<(?!string)",
|
|
25
|
+
"flags": "i",
|
|
26
|
+
"category": "deserialization",
|
|
27
|
+
"description": "Deserialization (expanded)",
|
|
28
|
+
"language": [
|
|
29
|
+
"js",
|
|
30
|
+
"ts",
|
|
31
|
+
"python",
|
|
32
|
+
"java",
|
|
33
|
+
"go",
|
|
34
|
+
"csharp",
|
|
35
|
+
"php",
|
|
36
|
+
"ruby",
|
|
37
|
+
"rust",
|
|
38
|
+
"kotlin"
|
|
39
|
+
],
|
|
40
|
+
"severity": "critical"
|
|
41
|
+
},
|
|
42
|
+
{
|
|
43
|
+
"id": "DESER003",
|
|
44
|
+
"pattern": "ObjectMessage|message\\.getObject\\s*\\(\\)|readObject\\s*\\(\\)",
|
|
45
|
+
"flags": "",
|
|
46
|
+
"category": "deserialization",
|
|
47
|
+
"description": "Deserialization (expanded)",
|
|
48
|
+
"language": [
|
|
49
|
+
"js",
|
|
50
|
+
"ts",
|
|
51
|
+
"python",
|
|
52
|
+
"java",
|
|
53
|
+
"go",
|
|
54
|
+
"csharp",
|
|
55
|
+
"php",
|
|
56
|
+
"ruby",
|
|
57
|
+
"rust",
|
|
58
|
+
"kotlin"
|
|
59
|
+
],
|
|
60
|
+
"severity": "critical"
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
"id": "DESER004",
|
|
64
|
+
"pattern": "new BinaryFormatter\\s*\\(\\)",
|
|
65
|
+
"flags": "i",
|
|
66
|
+
"category": "deserialization",
|
|
67
|
+
"description": "C# deserialization",
|
|
68
|
+
"language": [
|
|
69
|
+
"csharp"
|
|
70
|
+
],
|
|
71
|
+
"severity": "critical"
|
|
72
|
+
},
|
|
73
|
+
{
|
|
74
|
+
"id": "DESER005",
|
|
75
|
+
"pattern": "TypeNameHandling\\.(?:All|Objects|Auto)",
|
|
76
|
+
"flags": "i",
|
|
77
|
+
"category": "deserialization",
|
|
78
|
+
"description": "C# deserialization",
|
|
79
|
+
"language": [
|
|
80
|
+
"csharp"
|
|
81
|
+
],
|
|
82
|
+
"severity": "critical"
|
|
83
|
+
},
|
|
84
|
+
{
|
|
85
|
+
"id": "DESER006",
|
|
86
|
+
"pattern": "new LosFormatter\\s*\\(\\)",
|
|
87
|
+
"flags": "i",
|
|
88
|
+
"category": "deserialization",
|
|
89
|
+
"description": "C# deserialization",
|
|
90
|
+
"language": [
|
|
91
|
+
"csharp"
|
|
92
|
+
],
|
|
93
|
+
"severity": "critical"
|
|
94
|
+
},
|
|
95
|
+
{
|
|
96
|
+
"id": "DESER007",
|
|
97
|
+
"pattern": "unserialize\\s*\\(\\s*\\$(?:_GET|_POST|_REQUEST|_COOKIE|data)",
|
|
98
|
+
"flags": "i",
|
|
99
|
+
"category": "deserialization",
|
|
100
|
+
"description": "PHP deserialization",
|
|
101
|
+
"language": [
|
|
102
|
+
"php"
|
|
103
|
+
],
|
|
104
|
+
"severity": "critical"
|
|
105
|
+
},
|
|
106
|
+
{
|
|
107
|
+
"id": "DESER008",
|
|
108
|
+
"pattern": "Class\\.forName\\s*\\(",
|
|
109
|
+
"flags": "",
|
|
110
|
+
"category": "deserialization",
|
|
111
|
+
"description": "Kotlin: deserialization (Gson Class.forName, Kryo unsafe config)",
|
|
112
|
+
"language": [
|
|
113
|
+
"kotlin"
|
|
114
|
+
],
|
|
115
|
+
"severity": "critical"
|
|
116
|
+
},
|
|
117
|
+
{
|
|
118
|
+
"id": "DESER009",
|
|
119
|
+
"pattern": "kryo\\.readClassAndObject\\s*\\(|isRegistrationRequired\\s*=\\s*false",
|
|
120
|
+
"flags": "i",
|
|
121
|
+
"category": "deserialization",
|
|
122
|
+
"description": "Kotlin: deserialization (Gson Class.forName, Kryo unsafe config)",
|
|
123
|
+
"language": [
|
|
124
|
+
"kotlin"
|
|
125
|
+
],
|
|
126
|
+
"severity": "critical"
|
|
127
|
+
},
|
|
128
|
+
{
|
|
129
|
+
"id": "DESER010",
|
|
130
|
+
"pattern": "\\[\\s*\\w+\\.(?:action|method|nextStep|type)\\s*\\]",
|
|
131
|
+
"flags": "",
|
|
132
|
+
"category": "deserialization",
|
|
133
|
+
"description": "JS/TS: unsafe deserialization via dynamic property/method dispatch",
|
|
134
|
+
"language": [
|
|
135
|
+
"js",
|
|
136
|
+
"ts"
|
|
137
|
+
],
|
|
138
|
+
"severity": "critical"
|
|
139
|
+
},
|
|
140
|
+
{
|
|
141
|
+
"id": "DESER011",
|
|
142
|
+
"pattern": "plainToClass\\s*\\(\\s*\\w+\\s*,",
|
|
143
|
+
"flags": "",
|
|
144
|
+
"category": "deserialization",
|
|
145
|
+
"description": "JS/TS: unsafe deserialization via dynamic property/method dispatch",
|
|
146
|
+
"language": [
|
|
147
|
+
"js",
|
|
148
|
+
"ts"
|
|
149
|
+
],
|
|
150
|
+
"severity": "critical"
|
|
151
|
+
}
|
|
152
|
+
]
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
[
|
|
2
|
+
{
|
|
3
|
+
"id": "ENV001",
|
|
4
|
+
"pattern": "(?:println!|eprintln!)\\s*\\(\\s*\"[^\"]*(?:API_KEY|password|secret|token)[^\"]*\"",
|
|
5
|
+
"flags": "i",
|
|
6
|
+
"category": "env_injection",
|
|
7
|
+
"description": "Rust: env var / secret injection into logs or responses",
|
|
8
|
+
"language": [
|
|
9
|
+
"rust"
|
|
10
|
+
],
|
|
11
|
+
"severity": "medium"
|
|
12
|
+
},
|
|
13
|
+
{
|
|
14
|
+
"id": "ENV002",
|
|
15
|
+
"pattern": "env::vars\\s*\\(\\s*\\)",
|
|
16
|
+
"flags": "",
|
|
17
|
+
"category": "env_injection",
|
|
18
|
+
"description": "Rust: env var / secret injection into logs or responses",
|
|
19
|
+
"language": [
|
|
20
|
+
"rust"
|
|
21
|
+
],
|
|
22
|
+
"severity": "medium"
|
|
23
|
+
},
|
|
24
|
+
{
|
|
25
|
+
"id": "ENV003",
|
|
26
|
+
"pattern": "env::var\\s*\\(\\s*key\\s*\\)",
|
|
27
|
+
"flags": "",
|
|
28
|
+
"category": "env_injection",
|
|
29
|
+
"description": "Rust: env var / secret injection into logs or responses",
|
|
30
|
+
"language": [
|
|
31
|
+
"rust"
|
|
32
|
+
],
|
|
33
|
+
"severity": "medium"
|
|
34
|
+
},
|
|
35
|
+
{
|
|
36
|
+
"id": "ENV004",
|
|
37
|
+
"pattern": "json!\\s*\\(\\s*\\{[\\s\\S]*?env::var",
|
|
38
|
+
"flags": "",
|
|
39
|
+
"category": "env_injection",
|
|
40
|
+
"description": "Rust: env var / secret injection into logs or responses",
|
|
41
|
+
"language": [
|
|
42
|
+
"rust"
|
|
43
|
+
],
|
|
44
|
+
"severity": "medium"
|
|
45
|
+
}
|
|
46
|
+
]
|
|
@@ -0,0 +1,104 @@
|
|
|
1
|
+
[
|
|
2
|
+
{
|
|
3
|
+
"id": "EVAL001",
|
|
4
|
+
"pattern": "\\beval\\s*\\(|new\\s+Function\\s*\\(",
|
|
5
|
+
"flags": "",
|
|
6
|
+
"category": "eval_abuse",
|
|
7
|
+
"description": "eval abuse (direct and indirect)",
|
|
8
|
+
"language": [
|
|
9
|
+
"js",
|
|
10
|
+
"ts",
|
|
11
|
+
"python",
|
|
12
|
+
"java",
|
|
13
|
+
"go",
|
|
14
|
+
"csharp",
|
|
15
|
+
"php",
|
|
16
|
+
"ruby",
|
|
17
|
+
"rust",
|
|
18
|
+
"kotlin"
|
|
19
|
+
],
|
|
20
|
+
"severity": "critical"
|
|
21
|
+
},
|
|
22
|
+
{
|
|
23
|
+
"id": "EVAL002",
|
|
24
|
+
"pattern": "const\\s+\\w+\\s*=\\s*eval\\b|let\\s+\\w+\\s*=\\s*eval\\b|var\\s+\\w+\\s*=\\s*eval\\b",
|
|
25
|
+
"flags": "",
|
|
26
|
+
"category": "eval_abuse",
|
|
27
|
+
"description": "eval abuse (direct and indirect)",
|
|
28
|
+
"language": [
|
|
29
|
+
"js",
|
|
30
|
+
"ts",
|
|
31
|
+
"python",
|
|
32
|
+
"java",
|
|
33
|
+
"go",
|
|
34
|
+
"csharp",
|
|
35
|
+
"php",
|
|
36
|
+
"ruby",
|
|
37
|
+
"rust",
|
|
38
|
+
"kotlin"
|
|
39
|
+
],
|
|
40
|
+
"severity": "critical"
|
|
41
|
+
},
|
|
42
|
+
{
|
|
43
|
+
"id": "EVAL003",
|
|
44
|
+
"pattern": "eval\\s*\\(\\s*atob\\s*\\(|eval\\s*\\(\\s*Buffer\\.from\\s*\\([^)]*base64",
|
|
45
|
+
"flags": "i",
|
|
46
|
+
"category": "eval_abuse",
|
|
47
|
+
"description": "eval() fed an encoded/decoded payload (base64 atob/Buffer.from, hex, etc.)",
|
|
48
|
+
"language": [
|
|
49
|
+
"js",
|
|
50
|
+
"ts",
|
|
51
|
+
"python",
|
|
52
|
+
"java",
|
|
53
|
+
"go",
|
|
54
|
+
"csharp",
|
|
55
|
+
"php",
|
|
56
|
+
"ruby",
|
|
57
|
+
"rust",
|
|
58
|
+
"kotlin"
|
|
59
|
+
],
|
|
60
|
+
"severity": "critical"
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
"id": "EVAL004",
|
|
64
|
+
"pattern": "eval\\s*\\(\\s*\\w+\\.from\\s*\\(.*['\"]hex['\"]\\)",
|
|
65
|
+
"flags": "i",
|
|
66
|
+
"category": "eval_abuse",
|
|
67
|
+
"description": "eval() fed an encoded/decoded payload (base64 atob/Buffer.from, hex, etc.)",
|
|
68
|
+
"language": [
|
|
69
|
+
"js",
|
|
70
|
+
"ts",
|
|
71
|
+
"python",
|
|
72
|
+
"java",
|
|
73
|
+
"go",
|
|
74
|
+
"csharp",
|
|
75
|
+
"php",
|
|
76
|
+
"ruby",
|
|
77
|
+
"rust",
|
|
78
|
+
"kotlin"
|
|
79
|
+
],
|
|
80
|
+
"severity": "critical"
|
|
81
|
+
},
|
|
82
|
+
{
|
|
83
|
+
"id": "EVAL005",
|
|
84
|
+
"pattern": "\\bexec\\s*\\(\\s*(?:code\\b|hook_code\\b|compile\\s*\\()",
|
|
85
|
+
"flags": "",
|
|
86
|
+
"category": "eval_abuse",
|
|
87
|
+
"description": "Python: exec() with user-controlled code string",
|
|
88
|
+
"language": [
|
|
89
|
+
"python"
|
|
90
|
+
],
|
|
91
|
+
"severity": "critical"
|
|
92
|
+
},
|
|
93
|
+
{
|
|
94
|
+
"id": "EVAL006",
|
|
95
|
+
"pattern": "_\\.template\\s*\\(\\s*(?:template|tpl)\\b",
|
|
96
|
+
"flags": "",
|
|
97
|
+
"category": "eval_abuse",
|
|
98
|
+
"description": "TypeScript: lodash template compilation (code execution)",
|
|
99
|
+
"language": [
|
|
100
|
+
"typescript"
|
|
101
|
+
],
|
|
102
|
+
"severity": "critical"
|
|
103
|
+
}
|
|
104
|
+
]
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
[
|
|
2
|
+
{
|
|
3
|
+
"id": "UPLOAD001",
|
|
4
|
+
"pattern": "move_uploaded_file\\s*\\([^,]+,\\s*\\$[^)]*['\"]\\s*\\.\\s*\\$_FILES",
|
|
5
|
+
"flags": "i",
|
|
6
|
+
"category": "file_upload",
|
|
7
|
+
"description": "PHP file upload: move_uploaded_file with original filename (no extension check)",
|
|
8
|
+
"language": [
|
|
9
|
+
"php"
|
|
10
|
+
],
|
|
11
|
+
"severity": "medium"
|
|
12
|
+
},
|
|
13
|
+
{
|
|
14
|
+
"id": "UPLOAD002",
|
|
15
|
+
"pattern": "move_uploaded_file\\s*\\(\\s*\\$_FILES\\[",
|
|
16
|
+
"flags": "i",
|
|
17
|
+
"category": "file_upload",
|
|
18
|
+
"description": "PHP file upload: move_uploaded_file with original filename (no extension check)",
|
|
19
|
+
"language": [
|
|
20
|
+
"php"
|
|
21
|
+
],
|
|
22
|
+
"severity": "medium"
|
|
23
|
+
},
|
|
24
|
+
{
|
|
25
|
+
"id": "UPLOAD003",
|
|
26
|
+
"pattern": "move_uploaded_file\\s*\\([^)]*\\$(?:destination|target_file|dest|path)",
|
|
27
|
+
"flags": "i",
|
|
28
|
+
"category": "file_upload",
|
|
29
|
+
"description": "PHP file upload: move_uploaded_file with original filename (no extension check)",
|
|
30
|
+
"language": [
|
|
31
|
+
"php"
|
|
32
|
+
],
|
|
33
|
+
"severity": "medium"
|
|
34
|
+
},
|
|
35
|
+
{
|
|
36
|
+
"id": "UPLOAD004",
|
|
37
|
+
"pattern": "\\$_FILES\\[['\"]\\w+['\"]\\]\\[['\"](?:name|tmp_name)['\"]\\]",
|
|
38
|
+
"flags": "i",
|
|
39
|
+
"category": "file_upload",
|
|
40
|
+
"description": "PHP file upload: move_uploaded_file with original filename (no extension check)",
|
|
41
|
+
"language": [
|
|
42
|
+
"php"
|
|
43
|
+
],
|
|
44
|
+
"severity": "medium"
|
|
45
|
+
}
|
|
46
|
+
]
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
[
|
|
2
|
+
{
|
|
3
|
+
"id": "HALL001",
|
|
4
|
+
"pattern": "fs\\.readFileAsync\\s*\\(|fs\\.writeFileAsync\\s*\\(|http\\.getAsync\\s*\\(",
|
|
5
|
+
"flags": "",
|
|
6
|
+
"category": "hallucination",
|
|
7
|
+
"description": "Hallucination",
|
|
8
|
+
"language": [
|
|
9
|
+
"js",
|
|
10
|
+
"ts",
|
|
11
|
+
"python",
|
|
12
|
+
"java",
|
|
13
|
+
"go",
|
|
14
|
+
"csharp",
|
|
15
|
+
"php",
|
|
16
|
+
"ruby",
|
|
17
|
+
"rust",
|
|
18
|
+
"kotlin"
|
|
19
|
+
],
|
|
20
|
+
"severity": "medium"
|
|
21
|
+
}
|
|
22
|
+
]
|