thuban 0.4.1 → 0.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (27) hide show
  1. package/dist/package.json +63 -0
  2. package/dist/packages/crucible/rules/code-scanner-core.json +129 -0
  3. package/dist/packages/crucible/rules/command-injection.json +411 -0
  4. package/dist/packages/crucible/rules/crypto-misuse.json +35 -0
  5. package/dist/packages/crucible/rules/deserialization.json +152 -0
  6. package/dist/packages/crucible/rules/env-injection.json +46 -0
  7. package/dist/packages/crucible/rules/eval-abuse.json +104 -0
  8. package/dist/packages/crucible/rules/file-upload.json +46 -0
  9. package/dist/packages/crucible/rules/hallucination.json +22 -0
  10. package/dist/packages/crucible/rules/hardcoded-secret.json +397 -0
  11. package/dist/packages/crucible/rules/hardcoded-url.json +13 -0
  12. package/dist/packages/crucible/rules/insecure-crypto.json +302 -0
  13. package/dist/packages/crucible/rules/integer-overflow.json +35 -0
  14. package/dist/packages/crucible/rules/log-injection.json +33 -0
  15. package/dist/packages/crucible/rules/mass-assignment.json +112 -0
  16. package/dist/packages/crucible/rules/open-redirect.json +196 -0
  17. package/dist/packages/crucible/rules/path-traversal.json +422 -0
  18. package/dist/packages/crucible/rules/prototype-pollution.json +22 -0
  19. package/dist/packages/crucible/rules/sql-injection.json +597 -0
  20. package/dist/packages/crucible/rules/ssrf.json +557 -0
  21. package/dist/packages/crucible/rules/timing-attack.json +55 -0
  22. package/dist/packages/crucible/rules/unsafe-block.json +24 -0
  23. package/dist/packages/crucible/rules/xss.json +641 -0
  24. package/dist/packages/crucible/rules/xxe.json +66 -0
  25. package/dist/packages/crucible/rules/yaml-deserialization.json +22 -0
  26. package/dist/packages/crucible/rules/yaml-injection.json +22 -0
  27. package/package.json +4 -2
@@ -0,0 +1,422 @@
1
+ [
2
+ {
3
+ "id": "PATH001",
4
+ "pattern": "include\\s*\\(\\s*\\$(?:_GET|_POST|_REQUEST|page|template|lang)|require(?:_once)?\\s*\\(\\s*\\$(?:_GET|_POST|_REQUEST)",
5
+ "flags": "i",
6
+ "category": "path_traversal",
7
+ "description": "Path traversal — broader coverage",
8
+ "language": [
9
+ "js",
10
+ "ts",
11
+ "python",
12
+ "java",
13
+ "go",
14
+ "csharp",
15
+ "php",
16
+ "ruby",
17
+ "rust",
18
+ "kotlin"
19
+ ],
20
+ "severity": "high"
21
+ },
22
+ {
23
+ "id": "PATH002",
24
+ "pattern": "path\\.join\\s*\\([^)]*(?:filename|file|name|param|input|req\\.|request\\.|dir\\b|upload)|path\\.resolve\\s*\\([^)]*(?:req\\.|request\\.)",
25
+ "flags": "i",
26
+ "category": "path_traversal",
27
+ "description": "Path traversal — broader coverage",
28
+ "language": [
29
+ "js",
30
+ "ts",
31
+ "python",
32
+ "java",
33
+ "go",
34
+ "csharp",
35
+ "php",
36
+ "ruby",
37
+ "rust",
38
+ "kotlin"
39
+ ],
40
+ "severity": "high"
41
+ },
42
+ {
43
+ "id": "PATH003",
44
+ "pattern": "(?:uploadDir|baseDir|BASE_DIR|downloadDir|uploadRoot|templateRoot|configRoot)\\s*\\+\\s*|os\\.Open\\s*\\([^)]*\\+",
45
+ "flags": "i",
46
+ "category": "path_traversal",
47
+ "description": "Go path traversal: base path + user input concatenation",
48
+ "language": [
49
+ "go"
50
+ ],
51
+ "severity": "high"
52
+ },
53
+ {
54
+ "id": "PATH004",
55
+ "pattern": "File\\s*\\([^)]*(?:filename|request\\.|params\\[|getParameter)",
56
+ "flags": "i",
57
+ "category": "path_traversal",
58
+ "description": "Kotlin/Java file path",
59
+ "language": [
60
+ "kotlin",
61
+ "java"
62
+ ],
63
+ "severity": "high"
64
+ },
65
+ {
66
+ "id": "PATH005",
67
+ "pattern": "AdmZip|ZipEntry|zipEntry\\.getName\\s*\\(\\)|entry\\.getName|ZipArchive|archive\\.by_index|archive\\.len\\(\\)",
68
+ "flags": "i",
69
+ "category": "path_traversal",
70
+ "description": "Zip-slip",
71
+ "language": [
72
+ "js",
73
+ "ts",
74
+ "python",
75
+ "java",
76
+ "go",
77
+ "csharp",
78
+ "php",
79
+ "ruby",
80
+ "rust",
81
+ "kotlin"
82
+ ],
83
+ "severity": "high"
84
+ },
85
+ {
86
+ "id": "PATH006",
87
+ "pattern": "Path\\.Combine\\s*\\([^)]*(?:reportName|filename|Request\\[|\\.Value\\b|name\\b)",
88
+ "flags": "i",
89
+ "category": "path_traversal",
90
+ "description": "C# path traversal (Path.Combine with user input, File.WriteAllText)",
91
+ "language": [
92
+ "csharp"
93
+ ],
94
+ "severity": "high"
95
+ },
96
+ {
97
+ "id": "PATH007",
98
+ "pattern": "File\\.(?:WriteAllText|ReadAllText|Open|ReadAllBytes)\\s*\\([^)]*(?:reportName|filename|Request\\[|\\.Value\\b|path\\b)",
99
+ "flags": "i",
100
+ "category": "path_traversal",
101
+ "description": "C# path traversal (Path.Combine with user input, File.WriteAllText)",
102
+ "language": [
103
+ "csharp"
104
+ ],
105
+ "severity": "high"
106
+ },
107
+ {
108
+ "id": "PATH008",
109
+ "pattern": "Path\\.Combine\\s*\\(\\s*\\w+(?:Root|Base|Dir)\\s*,\\s*\\w+\\s*\\)",
110
+ "flags": "i",
111
+ "category": "path_traversal",
112
+ "description": "C# path traversal via variable named 'path' that was set with Path.Combine + user input",
113
+ "language": [
114
+ "csharp"
115
+ ],
116
+ "severity": "high"
117
+ },
118
+ {
119
+ "id": "PATH009",
120
+ "pattern": "\\w+(?:Base|Dir|Path|Folder|Root)\\s*\\+\\s*\\w+(?:Name|File|Path|Input)",
121
+ "flags": "i",
122
+ "category": "path_traversal",
123
+ "description": "C# path traversal: base string + user-supplied name string concatenation",
124
+ "language": [
125
+ "csharp"
126
+ ],
127
+ "severity": "high"
128
+ },
129
+ {
130
+ "id": "PATH010",
131
+ "pattern": "File\\.(?:read|write|open|binread)\\s*\\([^)]*#\\{|File\\.(?:read|write|open|binread)\\s*\\(\\s*(?:path|params\\[|request\\.)",
132
+ "flags": "i",
133
+ "category": "path_traversal",
134
+ "description": "Ruby File.read / File.write with string interpolation (user-controlled path)",
135
+ "language": [
136
+ "ruby"
137
+ ],
138
+ "severity": "high"
139
+ },
140
+ {
141
+ "id": "PATH011",
142
+ "pattern": "[\"'\\/][\\/\\w\\-\\.]*\\/[\"']*#\\{[a-zA-Z_]\\w*\\}[\"']?",
143
+ "flags": "",
144
+ "category": "path_traversal",
145
+ "description": "Ruby path string interpolation: \"/base/path/#{user_var}\"",
146
+ "language": [
147
+ "ruby"
148
+ ],
149
+ "severity": "high"
150
+ },
151
+ {
152
+ "id": "PATH012",
153
+ "pattern": "filepath\\.Join\\s*\\([^)]*(?:tmpl|template|name|path|param|input|rel|query)\\b",
154
+ "flags": "i",
155
+ "category": "path_traversal",
156
+ "description": "Go filepath.Join / path.Join without validation",
157
+ "language": [
158
+ "go"
159
+ ],
160
+ "severity": "high"
161
+ },
162
+ {
163
+ "id": "PATH013",
164
+ "pattern": "(?:FileInputStream|FileOutputStream|FileReader|FileWriter)\\s*\\([^)]*\\+\\s*\\w|(?:FileInputStream|FileOutputStream)\\s*\\(\\w+\\s*\\+",
165
+ "flags": "i",
166
+ "category": "path_traversal",
167
+ "description": "Java FileInputStream / FileOutputStream with string concat",
168
+ "language": [
169
+ "java"
170
+ ],
171
+ "severity": "high"
172
+ },
173
+ {
174
+ "id": "PATH014",
175
+ "pattern": "format!\\s*\\(\\s*[\"'][^\"']*\\{[^}]*\\}[^\"']*[\"'][^)]*(?:config|plugin|template|user|path|name)",
176
+ "flags": "i",
177
+ "category": "path_traversal",
178
+ "description": "Rust format! macro constructing file paths from user input",
179
+ "language": [
180
+ "rust"
181
+ ],
182
+ "severity": "high"
183
+ },
184
+ {
185
+ "id": "PATH015",
186
+ "pattern": "(?:const\\s+\\w+\\s*=\\s*|let\\s+path\\s*=\\s*)format!\\s*\\(\\s*[\"'][^\"']*\\/\\{\\}[\"']",
187
+ "flags": "",
188
+ "category": "path_traversal",
189
+ "description": "Go/Rust const string + user variable for file path",
190
+ "language": [
191
+ "go",
192
+ "rust"
193
+ ],
194
+ "severity": "high"
195
+ },
196
+ {
197
+ "id": "PATH016",
198
+ "pattern": "[`\"'][.\\/][^`\"']*\\/\\$\\{(?:req\\.|request\\.|params\\.|query\\.|userInput|filename|template|plugin|name)",
199
+ "flags": "i",
200
+ "category": "path_traversal",
201
+ "description": "JS template literal path construction: `./dir/${userVar}` or `/base/${param}`",
202
+ "language": [
203
+ "js",
204
+ "ts",
205
+ "python",
206
+ "java",
207
+ "go",
208
+ "csharp",
209
+ "php",
210
+ "ruby",
211
+ "rust",
212
+ "kotlin"
213
+ ],
214
+ "severity": "high"
215
+ },
216
+ {
217
+ "id": "PATH017",
218
+ "pattern": "require(?:_once)?\\s*\\(\\s*['\"][^'\"]*['\"]\\s*\\.\\s*\\$[a-zA-Z_]|include(?:_once)?\\s*\\(\\s*['\"][^'\"]*['\"]\\s*\\.\\s*\\$[a-zA-Z_]",
219
+ "flags": "i",
220
+ "category": "path_traversal",
221
+ "description": "PHP require/include with string concatenation: require('dir/' . $var)",
222
+ "language": [
223
+ "php"
224
+ ],
225
+ "severity": "high"
226
+ },
227
+ {
228
+ "id": "PATH018",
229
+ "pattern": "File\\s*\\(\\s*[\"'][^\"']*[\"']\\s*\\+\\s*\\w|File\\s*\\(\\s*\"\\$|File\\s*\\(\\s*[\"'][^\"']*\\/\"\\s*\\+",
230
+ "flags": "i",
231
+ "category": "path_traversal",
232
+ "description": "Kotlin/Java File() with string interpolation or parameter variable",
233
+ "language": [
234
+ "kotlin",
235
+ "java"
236
+ ],
237
+ "severity": "high"
238
+ },
239
+ {
240
+ "id": "PATH019",
241
+ "pattern": "%00|\\\\x00|\\\\u0000",
242
+ "flags": "",
243
+ "category": "path_traversal",
244
+ "description": "Null byte injection pattern",
245
+ "language": [
246
+ "js",
247
+ "ts",
248
+ "python",
249
+ "java",
250
+ "go",
251
+ "csharp",
252
+ "php",
253
+ "ruby",
254
+ "rust",
255
+ "kotlin"
256
+ ],
257
+ "severity": "high"
258
+ },
259
+ {
260
+ "id": "PATH020",
261
+ "pattern": "%2e%2e|%252e|%2f%2e",
262
+ "flags": "i",
263
+ "category": "path_traversal",
264
+ "description": "URL-encoded traversal: %2e%2e or %2f",
265
+ "language": [
266
+ "js",
267
+ "ts",
268
+ "python",
269
+ "java",
270
+ "go",
271
+ "csharp",
272
+ "php",
273
+ "ruby",
274
+ "rust",
275
+ "kotlin"
276
+ ],
277
+ "severity": "high"
278
+ },
279
+ {
280
+ "id": "PATH021",
281
+ "pattern": "\\binclude\\s*\\(\\s*\\$(?:_GET|_POST|_REQUEST|page|template|lang|plugin)",
282
+ "flags": "i",
283
+ "category": "path_traversal",
284
+ "description": "PHP path traversal",
285
+ "language": [
286
+ "php"
287
+ ],
288
+ "severity": "high"
289
+ },
290
+ {
291
+ "id": "PATH022",
292
+ "pattern": "\\brequire\\s*\\(\\s*\\$(?:_GET|_POST|_REQUEST|module|lang|view|component)",
293
+ "flags": "i",
294
+ "category": "path_traversal",
295
+ "description": "PHP path traversal",
296
+ "language": [
297
+ "php"
298
+ ],
299
+ "severity": "high"
300
+ },
301
+ {
302
+ "id": "PATH023",
303
+ "pattern": "file_get_contents\\s*\\(\\s*\\$(?:_GET|_POST|url|filename|logFile)",
304
+ "flags": "i",
305
+ "category": "path_traversal",
306
+ "description": "PHP path traversal",
307
+ "language": [
308
+ "php"
309
+ ],
310
+ "severity": "high"
311
+ },
312
+ {
313
+ "id": "PATH024",
314
+ "pattern": "readfile\\s*\\(\\s*\\$(?:base|path|file)",
315
+ "flags": "i",
316
+ "category": "path_traversal",
317
+ "description": "PHP path traversal",
318
+ "language": [
319
+ "php"
320
+ ],
321
+ "severity": "high"
322
+ },
323
+ {
324
+ "id": "PATH025",
325
+ "pattern": "\\bfopen\\s*\\(\\s*\\$(?:filepath|path|report)\\s*,",
326
+ "flags": "i",
327
+ "category": "path_traversal",
328
+ "description": "PHP path traversal",
329
+ "language": [
330
+ "php"
331
+ ],
332
+ "severity": "high"
333
+ },
334
+ {
335
+ "id": "PATH026",
336
+ "pattern": "file_get_contents\\s*\\(\\s*['\"][^\\\"']*['\"]\\s*\\.\\s*\\$(?:filename|file|name|logFile|log)",
337
+ "flags": "i",
338
+ "category": "path_traversal",
339
+ "description": "PHP path traversal: file_get_contents with string concat to user var",
340
+ "language": [
341
+ "php"
342
+ ],
343
+ "severity": "high"
344
+ },
345
+ {
346
+ "id": "PATH027",
347
+ "pattern": "os\\.Open\\s*\\(\\s*\\w+(?:Dir|Root|Base|Path)\\s*\\+\\s*\\w+",
348
+ "flags": "i",
349
+ "category": "path_traversal",
350
+ "description": "Go path traversal",
351
+ "language": [
352
+ "go"
353
+ ],
354
+ "severity": "high"
355
+ },
356
+ {
357
+ "id": "PATH028",
358
+ "pattern": "ioutil\\.ReadFile\\s*\\(\\s*\\w+(?:Root|Base|Dir|Path)\\s*\\+\\s*\\w+",
359
+ "flags": "i",
360
+ "category": "path_traversal",
361
+ "description": "Go path traversal",
362
+ "language": [
363
+ "go"
364
+ ],
365
+ "severity": "high"
366
+ },
367
+ {
368
+ "id": "PATH029",
369
+ "pattern": "os\\.ReadFile\\s*\\(\\s*\\w+(?:Root|Base|Dir|Path)\\s*\\+\\s*\\w+",
370
+ "flags": "i",
371
+ "category": "path_traversal",
372
+ "description": "Go path traversal",
373
+ "language": [
374
+ "go"
375
+ ],
376
+ "severity": "high"
377
+ },
378
+ {
379
+ "id": "PATH030",
380
+ "pattern": "os\\.Create\\s*\\(\\s*\\w+(?:Base|Dir|Root|Path)\\s*\\+\\s*\\w+",
381
+ "flags": "i",
382
+ "category": "path_traversal",
383
+ "description": "Go path traversal",
384
+ "language": [
385
+ "go"
386
+ ],
387
+ "severity": "high"
388
+ },
389
+ {
390
+ "id": "PATH031",
391
+ "pattern": "os\\.Remove\\s*\\(\\s*\\w+(?:Root|Base|Dir)\\s*\\+\\s*\\w+",
392
+ "flags": "i",
393
+ "category": "path_traversal",
394
+ "description": "Go path traversal",
395
+ "language": [
396
+ "go"
397
+ ],
398
+ "severity": "high"
399
+ },
400
+ {
401
+ "id": "PATH032",
402
+ "pattern": "filepath\\.Join\\s*\\([^)]*(?:extractBase|uploadRoot|configRoot|templateRoot|reportBase)\\s*,",
403
+ "flags": "i",
404
+ "category": "path_traversal",
405
+ "description": "Go path traversal",
406
+ "language": [
407
+ "go"
408
+ ],
409
+ "severity": "high"
410
+ },
411
+ {
412
+ "id": "PATH033",
413
+ "pattern": "\\.resolve\\s*\\(\\s*\\w*(?:Name|name|file|path|template)\\w*\\s*\\)",
414
+ "flags": "i",
415
+ "category": "path_traversal",
416
+ "description": "Java: path traversal via Path.resolve(userInput)",
417
+ "language": [
418
+ "java"
419
+ ],
420
+ "severity": "high"
421
+ }
422
+ ]
@@ -0,0 +1,22 @@
1
+ [
2
+ {
3
+ "id": "PROTO001",
4
+ "pattern": "__proto__|\\[\"__proto__\"\\]",
5
+ "flags": "",
6
+ "category": "prototype_pollution",
7
+ "description": "Prototype pollution",
8
+ "language": [
9
+ "js",
10
+ "ts",
11
+ "python",
12
+ "java",
13
+ "go",
14
+ "csharp",
15
+ "php",
16
+ "ruby",
17
+ "rust",
18
+ "kotlin"
19
+ ],
20
+ "severity": "high"
21
+ }
22
+ ]