thuban 0.4.1 → 0.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (35) hide show
  1. package/dist/cli.js +1 -1
  2. package/dist/package.json +63 -0
  3. package/dist/packages/crucible/banner.js +1 -1
  4. package/dist/packages/crucible/rule-loader.js +1 -1
  5. package/dist/packages/crucible/rules/code-scanner-core.json +147 -0
  6. package/dist/packages/crucible/rules/command-injection.json +411 -0
  7. package/dist/packages/crucible/rules/crypto-misuse.json +35 -0
  8. package/dist/packages/crucible/rules/deserialization.json +152 -0
  9. package/dist/packages/crucible/rules/env-injection.json +46 -0
  10. package/dist/packages/crucible/rules/eval-abuse.json +104 -0
  11. package/dist/packages/crucible/rules/file-upload.json +46 -0
  12. package/dist/packages/crucible/rules/hallucination.json +22 -0
  13. package/dist/packages/crucible/rules/hardcoded-secret.json +397 -0
  14. package/dist/packages/crucible/rules/hardcoded-url.json +13 -0
  15. package/dist/packages/crucible/rules/insecure-crypto.json +302 -0
  16. package/dist/packages/crucible/rules/integer-overflow.json +35 -0
  17. package/dist/packages/crucible/rules/log-injection.json +33 -0
  18. package/dist/packages/crucible/rules/mass-assignment.json +112 -0
  19. package/dist/packages/crucible/rules/open-redirect.json +196 -0
  20. package/dist/packages/crucible/rules/path-traversal.json +422 -0
  21. package/dist/packages/crucible/rules/prototype-pollution.json +22 -0
  22. package/dist/packages/crucible/rules/sql-injection.json +619 -0
  23. package/dist/packages/crucible/rules/ssrf.json +557 -0
  24. package/dist/packages/crucible/rules/timing-attack.json +55 -0
  25. package/dist/packages/crucible/rules/unsafe-block.json +24 -0
  26. package/dist/packages/crucible/rules/xss.json +663 -0
  27. package/dist/packages/crucible/rules/xxe.json +66 -0
  28. package/dist/packages/crucible/rules/yaml-deserialization.json +22 -0
  29. package/dist/packages/crucible/rules/yaml-injection.json +22 -0
  30. package/dist/packages/scanner/drift-detector.js +1 -1
  31. package/dist/packages/scanner/export-verifier.js +1 -1
  32. package/dist/packages/scanner/license-manager.js +1 -1
  33. package/dist/packages/scanner/monitor-service.js +1 -1
  34. package/dist/packages/scanner/taint-tracker.js +1 -1
  35. package/package.json +4 -2
@@ -0,0 +1,557 @@
1
+ [
2
+ {
3
+ "id": "SSRF001",
4
+ "pattern": "\\bhttp\\s*\\.\\s*Get\\s*\\(\\s*\\w+[Uu][Rr][Ll]\\b|\\bhttp\\s*\\.\\s*Get\\s*\\(\\s*(?:target|url|endpoint|src|source)\\b",
5
+ "flags": "i",
6
+ "category": "ssrf",
7
+ "description": "SSRF — Go: http.Get() with any variable (targetURL, avatarURL, etc.)",
8
+ "language": [
9
+ "go"
10
+ ],
11
+ "severity": "high"
12
+ },
13
+ {
14
+ "id": "SSRF002",
15
+ "pattern": "\\bDownloadString\\s*\\(\\s*\\w*[Uu]rl\\b|\\bDownloadString\\s*\\(\\s*(?:url|target|endpoint)\\b",
16
+ "flags": "i",
17
+ "category": "ssrf",
18
+ "description": "SSRF — C#: WebClient.DownloadString(variable), HttpClient BaseAddress from Uri(variable)",
19
+ "language": [
20
+ "csharp"
21
+ ],
22
+ "severity": "high"
23
+ },
24
+ {
25
+ "id": "SSRF003",
26
+ "pattern": "new\\s+System\\.Uri\\s*\\(\\s*\\w*[Uu]rl\\b|new\\s+Uri\\s*\\(\\s*\\w*(?:[Uu]rl|[Ee]ndpoint|[Ss]ervice)",
27
+ "flags": "i",
28
+ "category": "ssrf",
29
+ "description": "SSRF — C#: WebClient.DownloadString(variable), HttpClient BaseAddress from Uri(variable)",
30
+ "language": [
31
+ "csharp"
32
+ ],
33
+ "severity": "high"
34
+ },
35
+ {
36
+ "id": "SSRF004",
37
+ "pattern": "requests\\.get\\s*\\(\\s*(?:url|URL)\\b|http\\.get\\s*\\([^)]*req\\.|fetchUrl\\s*\\(.*req",
38
+ "flags": "",
39
+ "category": "ssrf",
40
+ "description": "SSRF (original patterns)",
41
+ "language": [
42
+ "js",
43
+ "ts",
44
+ "python",
45
+ "java",
46
+ "go",
47
+ "csharp",
48
+ "php",
49
+ "ruby",
50
+ "rust",
51
+ "kotlin"
52
+ ],
53
+ "severity": "high"
54
+ },
55
+ {
56
+ "id": "SSRF005",
57
+ "pattern": "got\\s*\\(\\s*(?:url|targetUrl|userUrl)|superagent\\.get\\s*\\(\\s*\\w*[Uu]rl",
58
+ "flags": "i",
59
+ "category": "ssrf",
60
+ "description": "SSRF (original patterns)",
61
+ "language": [
62
+ "js",
63
+ "ts",
64
+ "python",
65
+ "java",
66
+ "go",
67
+ "csharp",
68
+ "php",
69
+ "ruby",
70
+ "rust",
71
+ "kotlin"
72
+ ],
73
+ "severity": "high"
74
+ },
75
+ {
76
+ "id": "SSRF006",
77
+ "pattern": "new\\s+URL\\s*\\([^)]*(?:req\\.|request\\.|getParameter|FormValue)\\s*|URL\\.openConnection|URL\\.openStream",
78
+ "flags": "i",
79
+ "category": "ssrf",
80
+ "description": "SSRF (original patterns)",
81
+ "language": [
82
+ "js",
83
+ "ts",
84
+ "python",
85
+ "java",
86
+ "go",
87
+ "csharp",
88
+ "php",
89
+ "ruby",
90
+ "rust",
91
+ "kotlin"
92
+ ],
93
+ "severity": "high"
94
+ },
95
+ {
96
+ "id": "SSRF007",
97
+ "pattern": "HttpClient.*GetAsync\\s*\\(\\s*\\w*[Uu]rl|HttpClient.*PostAsync\\s*\\(\\s*\\w*[Uu]rl",
98
+ "flags": "i",
99
+ "category": "ssrf",
100
+ "description": "SSRF (original patterns)",
101
+ "language": [
102
+ "js",
103
+ "ts",
104
+ "python",
105
+ "java",
106
+ "go",
107
+ "csharp",
108
+ "php",
109
+ "ruby",
110
+ "rust",
111
+ "kotlin"
112
+ ],
113
+ "severity": "high"
114
+ },
115
+ {
116
+ "id": "SSRF008",
117
+ "pattern": "fetch\\s*\\(\\s*(?:req\\.|request\\.|url|targetUrl|webhookUrl|userUrl)",
118
+ "flags": "i",
119
+ "category": "ssrf",
120
+ "description": "fetch with user URL",
121
+ "language": [
122
+ "js",
123
+ "ts",
124
+ "python",
125
+ "java",
126
+ "go",
127
+ "csharp",
128
+ "php",
129
+ "ruby",
130
+ "rust",
131
+ "kotlin"
132
+ ],
133
+ "severity": "high"
134
+ },
135
+ {
136
+ "id": "SSRF009",
137
+ "pattern": "axios\\s*\\.\\s*(?:get|post|put|delete|request)\\s*\\(\\s*\\w*[Uu]rl",
138
+ "flags": "i",
139
+ "category": "ssrf",
140
+ "description": "SSRF — JS/TS: axios (get/post/put), https.get, broader fetch patterns",
141
+ "language": [
142
+ "js",
143
+ "ts"
144
+ ],
145
+ "severity": "high"
146
+ },
147
+ {
148
+ "id": "SSRF010",
149
+ "pattern": "axios\\s*\\.\\s*(?:get|post|put|delete)\\s*\\(\\s*(?:url|source|endpoint|target|webhook|dataUrl|avatar|oembedUrl)\\b",
150
+ "flags": "i",
151
+ "category": "ssrf",
152
+ "description": "SSRF — JS/TS: axios (get/post/put), https.get, broader fetch patterns",
153
+ "language": [
154
+ "js",
155
+ "ts"
156
+ ],
157
+ "severity": "high"
158
+ },
159
+ {
160
+ "id": "SSRF011",
161
+ "pattern": "https?\\s*\\.\\s*get\\s*\\(\\s*\\w*[Uu]rl|\\bhttps\\s*\\.\\s*get\\s*\\(",
162
+ "flags": "",
163
+ "category": "ssrf",
164
+ "description": "SSRF — JS/TS: axios (get/post/put), https.get, broader fetch patterns",
165
+ "language": [
166
+ "js",
167
+ "ts"
168
+ ],
169
+ "severity": "high"
170
+ },
171
+ {
172
+ "id": "SSRF012",
173
+ "pattern": "fetch\\s*\\(\\s*(?:dataUrl|endpoint|source|avatarUrl|oembedUrl|callbackUrl|profileUrl)\\b",
174
+ "flags": "i",
175
+ "category": "ssrf",
176
+ "description": "SSRF — JS/TS: axios (get/post/put), https.get, broader fetch patterns",
177
+ "language": [
178
+ "js",
179
+ "ts"
180
+ ],
181
+ "severity": "high"
182
+ },
183
+ {
184
+ "id": "SSRF013",
185
+ "pattern": "httpx\\s*\\.\\s*(?:get|post|AsyncClient|Client)",
186
+ "flags": "i",
187
+ "category": "ssrf",
188
+ "description": "SSRF — Python: httpx, urllib.request, aiohttp, requests.post",
189
+ "language": [
190
+ "python"
191
+ ],
192
+ "severity": "high"
193
+ },
194
+ {
195
+ "id": "SSRF014",
196
+ "pattern": "urllib\\s*\\.\\s*request\\s*\\.\\s*urlopen\\s*\\(",
197
+ "flags": "",
198
+ "category": "ssrf",
199
+ "description": "SSRF — Python: httpx, urllib.request, aiohttp, requests.post",
200
+ "language": [
201
+ "python"
202
+ ],
203
+ "severity": "high"
204
+ },
205
+ {
206
+ "id": "SSRF015",
207
+ "pattern": "aiohttp\\s*\\.\\s*ClientSession",
208
+ "flags": "i",
209
+ "category": "ssrf",
210
+ "description": "SSRF — Python: httpx, urllib.request, aiohttp, requests.post",
211
+ "language": [
212
+ "python"
213
+ ],
214
+ "severity": "high"
215
+ },
216
+ {
217
+ "id": "SSRF016",
218
+ "pattern": "requests\\s*\\.\\s*(?:post|put|head|session)\\s*\\(\\s*\\w*[Uu]rl",
219
+ "flags": "i",
220
+ "category": "ssrf",
221
+ "description": "SSRF — Python: httpx, urllib.request, aiohttp, requests.post",
222
+ "language": [
223
+ "python"
224
+ ],
225
+ "severity": "high"
226
+ },
227
+ {
228
+ "id": "SSRF017",
229
+ "pattern": "http\\s*\\.\\s*Post\\s*\\(\\s*\\w*[Uu]rl|http\\s*\\.\\s*Post\\s*\\(\\s*(?:webhookURL|endpoint)",
230
+ "flags": "i",
231
+ "category": "ssrf",
232
+ "description": "SSRF — Go: http.Post, http.NewRequest + client.Do",
233
+ "language": [
234
+ "go"
235
+ ],
236
+ "severity": "high"
237
+ },
238
+ {
239
+ "id": "SSRF018",
240
+ "pattern": "http\\s*\\.\\s*NewRequest\\s*\\([^)]*,\\s*\\w*(?:[Uu]rl|[Ee]ndpoint)",
241
+ "flags": "",
242
+ "category": "ssrf",
243
+ "description": "SSRF — Go: http.Post, http.NewRequest + client.Do",
244
+ "language": [
245
+ "go"
246
+ ],
247
+ "severity": "high"
248
+ },
249
+ {
250
+ "id": "SSRF019",
251
+ "pattern": "HttpRequest\\s*\\.\\s*newBuilder\\s*\\(\\s*\\)\\s*\\.\\s*uri\\s*\\(",
252
+ "flags": "",
253
+ "category": "ssrf",
254
+ "description": "SSRF — Java: Java 11 HttpClient / HttpRequest.newBuilder",
255
+ "language": [
256
+ "java"
257
+ ],
258
+ "severity": "high"
259
+ },
260
+ {
261
+ "id": "SSRF020",
262
+ "pattern": "OkHttpClient\\s*\\(\\s*\\)|Request\\s*\\.\\s*Builder\\s*\\(\\s*\\)\\s*\\.\\s*url\\s*\\(",
263
+ "flags": "",
264
+ "category": "ssrf",
265
+ "description": "SSRF — Kotlin: OkHttpClient, Ktor httpClient, URL().readBytes, URL composed from host/port",
266
+ "language": [
267
+ "kotlin"
268
+ ],
269
+ "severity": "high"
270
+ },
271
+ {
272
+ "id": "SSRF021",
273
+ "pattern": "httpClient\\s*\\.\\s*get\\s*\\(\\s*\\w*[Uu]rl|httpClient\\s*\\.\\s*get\\s*\\(\\s*\"",
274
+ "flags": "",
275
+ "category": "ssrf",
276
+ "description": "SSRF — Kotlin: OkHttpClient, Ktor httpClient, URL().readBytes, URL composed from host/port",
277
+ "language": [
278
+ "kotlin"
279
+ ],
280
+ "severity": "high"
281
+ },
282
+ {
283
+ "id": "SSRF022",
284
+ "pattern": "URL\\s*\\([^)]*\\)\\s*\\.\\s*(?:readBytes|readText|openStream|openConnection)",
285
+ "flags": "",
286
+ "category": "ssrf",
287
+ "description": "SSRF — Kotlin: OkHttpClient, Ktor httpClient, URL().readBytes, URL composed from host/port",
288
+ "language": [
289
+ "kotlin"
290
+ ],
291
+ "severity": "high"
292
+ },
293
+ {
294
+ "id": "SSRF023",
295
+ "pattern": "new\\s+WebClient\\s*\\(\\s*\\)\\s*\\.\\s*(?:DownloadString|DownloadData|OpenRead)",
296
+ "flags": "",
297
+ "category": "ssrf",
298
+ "description": "SSRF — C#: WebClient.DownloadString, WebRequest.Create",
299
+ "language": [
300
+ "csharp"
301
+ ],
302
+ "severity": "high"
303
+ },
304
+ {
305
+ "id": "SSRF024",
306
+ "pattern": "WebRequest\\s*\\.\\s*Create\\s*\\(\\s*\\w*[Uu]rl|WebRequest\\s*\\.\\s*Create\\s*\\(\\s*\\w*(?:endpoint|target)",
307
+ "flags": "i",
308
+ "category": "ssrf",
309
+ "description": "SSRF — C#: WebClient.DownloadString, WebRequest.Create",
310
+ "language": [
311
+ "csharp"
312
+ ],
313
+ "severity": "high"
314
+ },
315
+ {
316
+ "id": "SSRF025",
317
+ "pattern": "file_get_contents\\s*\\(\\s*\\$[a-zA-Z_]",
318
+ "flags": "",
319
+ "category": "ssrf",
320
+ "description": "SSRF — PHP: file_get_contents, curl_init/curl_exec",
321
+ "language": [
322
+ "php"
323
+ ],
324
+ "severity": "high"
325
+ },
326
+ {
327
+ "id": "SSRF026",
328
+ "pattern": "curl_init\\s*\\(\\s*\\$[a-zA-Z_]|curl_exec\\s*\\(\\s*\\$[a-zA-Z_]",
329
+ "flags": "",
330
+ "category": "ssrf",
331
+ "description": "SSRF — PHP: file_get_contents, curl_init/curl_exec",
332
+ "language": [
333
+ "php"
334
+ ],
335
+ "severity": "high"
336
+ },
337
+ {
338
+ "id": "SSRF027",
339
+ "pattern": "Net\\s*::\\s*HTTP\\s*\\.\\s*(?:get|get_response|start)",
340
+ "flags": "i",
341
+ "category": "ssrf",
342
+ "description": "SSRF — Ruby: Net::HTTP, HTTParty, Faraday, URI.open, RestClient",
343
+ "language": [
344
+ "ruby"
345
+ ],
346
+ "severity": "high"
347
+ },
348
+ {
349
+ "id": "SSRF028",
350
+ "pattern": "HTTParty\\s*\\.\\s*(?:get|post)\\s*\\(",
351
+ "flags": "i",
352
+ "category": "ssrf",
353
+ "description": "SSRF — Ruby: Net::HTTP, HTTParty, Faraday, URI.open, RestClient",
354
+ "language": [
355
+ "ruby"
356
+ ],
357
+ "severity": "high"
358
+ },
359
+ {
360
+ "id": "SSRF029",
361
+ "pattern": "Faraday\\s*\\.\\s*new\\s*\\(",
362
+ "flags": "i",
363
+ "category": "ssrf",
364
+ "description": "SSRF — Ruby: Net::HTTP, HTTParty, Faraday, URI.open, RestClient",
365
+ "language": [
366
+ "ruby"
367
+ ],
368
+ "severity": "high"
369
+ },
370
+ {
371
+ "id": "SSRF030",
372
+ "pattern": "URI\\s*\\.\\s*open\\s*\\(\\s*\\w*[Uu]rl|URI\\s*\\.\\s*open\\s*\\(\\s*(?:resource|source|target)",
373
+ "flags": "i",
374
+ "category": "ssrf",
375
+ "description": "SSRF — Ruby: Net::HTTP, HTTParty, Faraday, URI.open, RestClient",
376
+ "language": [
377
+ "ruby"
378
+ ],
379
+ "severity": "high"
380
+ },
381
+ {
382
+ "id": "SSRF031",
383
+ "pattern": "RestClient\\s*\\.\\s*(?:get|post)\\s*\\(",
384
+ "flags": "i",
385
+ "category": "ssrf",
386
+ "description": "SSRF — Ruby: Net::HTTP, HTTParty, Faraday, URI.open, RestClient",
387
+ "language": [
388
+ "ruby"
389
+ ],
390
+ "severity": "high"
391
+ },
392
+ {
393
+ "id": "SSRF032",
394
+ "pattern": "reqwest\\s*::\\s*(?:get|Client)",
395
+ "flags": "i",
396
+ "category": "ssrf",
397
+ "description": "SSRF — Rust: reqwest::get, reqwest Client builder",
398
+ "language": [
399
+ "rust"
400
+ ],
401
+ "severity": "high"
402
+ },
403
+ {
404
+ "id": "SSRF033",
405
+ "pattern": "client\\s*\\.\\s*(?:get|post)\\s*\\(\\s*&?\\s*(?:url|user_url|req\\.|payload\\.)",
406
+ "flags": "",
407
+ "category": "ssrf",
408
+ "description": "SSRF — Rust: reqwest::get, reqwest Client builder",
409
+ "language": [
410
+ "rust"
411
+ ],
412
+ "severity": "high"
413
+ },
414
+ {
415
+ "id": "SSRF034",
416
+ "pattern": "new WebClient\\s*\\(\\)|WebRequest\\.Create\\s*\\(\\s*\\w*[Uu]rl",
417
+ "flags": "i",
418
+ "category": "ssrf",
419
+ "description": "C# SSRF: WebClient, HttpClient, WebRequest",
420
+ "language": [
421
+ "csharp"
422
+ ],
423
+ "severity": "high"
424
+ },
425
+ {
426
+ "id": "SSRF035",
427
+ "pattern": "client\\.DownloadString\\s*\\(\\s*\\w*[Uu]rl",
428
+ "flags": "i",
429
+ "category": "ssrf",
430
+ "description": "C# SSRF: WebClient, HttpClient, WebRequest",
431
+ "language": [
432
+ "csharp"
433
+ ],
434
+ "severity": "high"
435
+ },
436
+ {
437
+ "id": "SSRF036",
438
+ "pattern": "_httpClient\\.(?:GetAsync|PostAsync)\\s*\\(\\s*\\w*[Uu]rl",
439
+ "flags": "i",
440
+ "category": "ssrf",
441
+ "description": "C# SSRF: WebClient, HttpClient, WebRequest",
442
+ "language": [
443
+ "csharp"
444
+ ],
445
+ "severity": "high"
446
+ },
447
+ {
448
+ "id": "SSRF037",
449
+ "pattern": "Net::HTTP\\.get_response\\s*\\(",
450
+ "flags": "i",
451
+ "category": "ssrf",
452
+ "description": "Ruby SSRF: Net::HTTP, HTTParty, Faraday, RestClient, URI.open",
453
+ "language": [
454
+ "ruby"
455
+ ],
456
+ "severity": "high"
457
+ },
458
+ {
459
+ "id": "SSRF038",
460
+ "pattern": "HTTParty\\.(?:get|post)\\s*\\(\\s*\\w*(?:[Uu]rl|callback|target)",
461
+ "flags": "i",
462
+ "category": "ssrf",
463
+ "description": "Ruby SSRF: Net::HTTP, HTTParty, Faraday, RestClient, URI.open",
464
+ "language": [
465
+ "ruby"
466
+ ],
467
+ "severity": "high"
468
+ },
469
+ {
470
+ "id": "SSRF039",
471
+ "pattern": "Faraday\\.new\\s*\\(\\s*url:\\s*\\w*(?:[Uu]rl|source_url|feed_url)",
472
+ "flags": "i",
473
+ "category": "ssrf",
474
+ "description": "Ruby SSRF: Net::HTTP, HTTParty, Faraday, RestClient, URI.open",
475
+ "language": [
476
+ "ruby"
477
+ ],
478
+ "severity": "high"
479
+ },
480
+ {
481
+ "id": "SSRF040",
482
+ "pattern": "RestClient\\.(?:get|post)\\s*\\(\\s*\\w*(?:[Uu]rl|target|host)",
483
+ "flags": "i",
484
+ "category": "ssrf",
485
+ "description": "Ruby SSRF: Net::HTTP, HTTParty, Faraday, RestClient, URI.open",
486
+ "language": [
487
+ "ruby"
488
+ ],
489
+ "severity": "high"
490
+ },
491
+ {
492
+ "id": "SSRF041",
493
+ "pattern": "URI\\.open\\s*\\(\\s*\\w*(?:[Uu]rl|resource_url|avatar_url)",
494
+ "flags": "i",
495
+ "category": "ssrf",
496
+ "description": "Ruby SSRF: Net::HTTP, HTTParty, Faraday, RestClient, URI.open",
497
+ "language": [
498
+ "ruby"
499
+ ],
500
+ "severity": "high"
501
+ },
502
+ {
503
+ "id": "SSRF042",
504
+ "pattern": "file_get_contents\\s*\\(\\s*\\$(?:_GET|_POST|url|imageUrl)\\b",
505
+ "flags": "i",
506
+ "category": "ssrf",
507
+ "description": "PHP SSRF",
508
+ "language": [
509
+ "php"
510
+ ],
511
+ "severity": "high"
512
+ },
513
+ {
514
+ "id": "SSRF043",
515
+ "pattern": "curl_init\\s*\\(\\s*\\$(?:_POST|_GET|url|target|webhook_url)",
516
+ "flags": "i",
517
+ "category": "ssrf",
518
+ "description": "PHP SSRF",
519
+ "language": [
520
+ "php"
521
+ ],
522
+ "severity": "high"
523
+ },
524
+ {
525
+ "id": "SSRF044",
526
+ "pattern": "http\\.Get\\s*\\(\\s*\\w*(?:[Uu]rl|[Tt]arget|[Ee]ndpoint|[Ww]ebhook|[Aa]vatar)",
527
+ "flags": "i",
528
+ "category": "ssrf",
529
+ "description": "Go SSRF",
530
+ "language": [
531
+ "go"
532
+ ],
533
+ "severity": "high"
534
+ },
535
+ {
536
+ "id": "SSRF045",
537
+ "pattern": "http\\.Post\\s*\\(\\s*\\w*(?:[Uu]rl|[Ww]ebhook)",
538
+ "flags": "i",
539
+ "category": "ssrf",
540
+ "description": "Go SSRF",
541
+ "language": [
542
+ "go"
543
+ ],
544
+ "severity": "high"
545
+ },
546
+ {
547
+ "id": "SSRF046",
548
+ "pattern": "http\\.NewRequest\\s*\\(\\s*\"GET\"\\s*,\\s*\\w*(?:[Uu]rl|[Ee]ndpoint)",
549
+ "flags": "i",
550
+ "category": "ssrf",
551
+ "description": "Go SSRF",
552
+ "language": [
553
+ "go"
554
+ ],
555
+ "severity": "high"
556
+ }
557
+ ]
@@ -0,0 +1,55 @@
1
+ [
2
+ {
3
+ "id": "TIME001",
4
+ "pattern": "token\\s*==\\s*validToken|return\\s+token\\s*==\\s*",
5
+ "flags": "",
6
+ "category": "timing_attack",
7
+ "description": "Timing attack",
8
+ "language": [
9
+ "js",
10
+ "ts",
11
+ "python",
12
+ "java",
13
+ "go",
14
+ "csharp",
15
+ "php",
16
+ "ruby",
17
+ "rust",
18
+ "kotlin"
19
+ ],
20
+ "severity": "medium"
21
+ },
22
+ {
23
+ "id": "TIME002",
24
+ "pattern": "bytes\\.Equal\\s*\\(\\s*expected\\s*,\\s*received\\s*\\)",
25
+ "flags": "i",
26
+ "category": "timing_attack",
27
+ "description": "Go timing attack",
28
+ "language": [
29
+ "go"
30
+ ],
31
+ "severity": "medium"
32
+ },
33
+ {
34
+ "id": "TIME003",
35
+ "pattern": "token\\s*!=\\s*validAPIToken\\b",
36
+ "flags": "",
37
+ "category": "timing_attack",
38
+ "description": "Go timing attack",
39
+ "language": [
40
+ "go"
41
+ ],
42
+ "severity": "medium"
43
+ },
44
+ {
45
+ "id": "TIME004",
46
+ "pattern": "\\w*[Tt]oken\\s*!=\\s*\\w*[Tt]oken\\b",
47
+ "flags": "",
48
+ "category": "timing_attack",
49
+ "description": "Go: timing attack via != comparison of tokens; open redirect via decoded state",
50
+ "language": [
51
+ "go"
52
+ ],
53
+ "severity": "medium"
54
+ }
55
+ ]
@@ -0,0 +1,24 @@
1
+ [
2
+ {
3
+ "id": "UNSAFE001",
4
+ "pattern": "unsafe\\s*\\{|mem::transmute",
5
+ "flags": "",
6
+ "category": "unsafe_block",
7
+ "description": "Unsafe blocks (Rust)",
8
+ "language": [
9
+ "rust"
10
+ ],
11
+ "severity": "medium"
12
+ },
13
+ {
14
+ "id": "UNSAFE002",
15
+ "pattern": "unsafe\\s+impl\\s+(?:Send|Sync)\\b",
16
+ "flags": "",
17
+ "category": "unsafe_block",
18
+ "description": "Rust: unsafe impl Send/Sync for non-thread-safe types",
19
+ "language": [
20
+ "rust"
21
+ ],
22
+ "severity": "medium"
23
+ }
24
+ ]