init
@@ -0,0 +1,105 @@
# Vulnerability Code Patterns

Grep patterns for detecting common vulnerability patterns. Use with Grep tool.

## SQL Injection

### String concatenation in queries
```
(?i)(query|sql|execute)\s*\(.*\+.*\)
(?i)(SELECT|INSERT|UPDATE|DELETE|DROP).*['"].*\+
```

### Template literals in queries (JS/TS)
```
(?i)(query|sql|execute)\s*\(`.*\$\{
```

## XSS (Cross-Site Scripting)

### Dangerous DOM manipulation
```
\.innerHTML\s*=
dangerouslySetInnerHTML
document\.write\(
```

### Unescaped output (template engines)
```
\{\{\{ # Handlebars unescaped (triple braces)
<%-\s* # EJS unescaped (vs <%= escaped)
\|safe\b # Jinja2/Django unescaped
v-html= # Vue unescaped
```

## Command Injection

### Unsanitized exec/spawn
```
(?i)(exec|execSync|spawn|spawnSync)\s*\(.*\+
(?i)(exec|execSync|spawn|spawnSync)\s*\(`.*\$\{
(?i)child_process.*\(.*\$\{
os\.system\(.*\+
subprocess\.(call|run|Popen)\(.*\+
```

## Path Traversal

### User input in file paths
```
(?i)(readFile|writeFile|createReadStream|open)\s*\(.*req\.(params|query|body)
(?i)(readFile|writeFile)\s*\(.*\+.*\)
```

## Insecure Randomness

### Math.random for security
```
Math\.random\(\).*(?i)(token|key|secret|password|session|nonce|salt)
```

## Dangerous Functions

### eval and equivalents
```
\beval\s*\(
new\s+Function\s*\(
setTimeout\s*\(\s*['"]
setInterval\s*\(\s*['"]
```

### Deserialization
```
(?i)(pickle\.loads|yaml\.load\(|unserialize\()
JSON\.parse\(.*req\.(params|query|body)
```

## Authentication / Authorization

### Hardcoded credentials
```
(?i)(admin|root|password)\s*[:=]\s*['"][^'"]{4,}['"]
```

### Disabled security
```
(?i)(verify|ssl|tls|certificate)\s*[:=]\s*(false|False|0)
(?i)rejectUnauthorized\s*:\s*false
NODE_TLS_REJECT_UNAUTHORIZED.*0
```

## Information Disclosure

### Debug/verbose in production
```
(?i)console\.(log|debug|trace)\s*\(.*(?:password|secret|token|key|credential)
(?i)(DEBUG|VERBOSE)\s*[:=]\s*(true|True|1)
```

## False Positive Indicators

Skip matches containing:
- `test`, `spec`, `mock`, `fixture`, `example`, `sample`, `demo`
- `TODO`, `FIXME`, `HACK`
- Variable declarations reading from env: `process.env.`, `os.getenv(`
- Comments (lines starting with `//`, `#`, `/*`)
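Review bot: the single pattern in the "Math.random for security" block, `Math\.random\(\).*(?i)(token|key|secret|password|session|nonce|salt)`, puts the `(?i)` flag in the middle of the expression, which only engines that accept mid-pattern flags (ripgrep does) will run; it is a syntax error in JavaScript and in Python 3.11+, so make it portable by moving the flag to the front: `(?i)Math\.random\(\).*(token|key|secret|password|session|nonce|salt)`. The "Unescaped output" block has a related copy-paste trap: annotations such as `# Handlebars unescaped (triple braces)` sit on the pattern lines inside the fence, so a line pasted into a Grep call searches for the comment text as well; move each annotation above its pattern or out of the fence. In "Unsanitized exec/spawn", the `exec|execSync|spawn|spawnSync` and `subprocess.(call|run|Popen)` concatenation patterns also fire on the argv-list forms (`spawn('ls', [dir + '/x'])`, `subprocess.run(['ls', base + name])`), which are not shell injection; the discriminating signals are `shell: true` / `shell=True` and a single concatenated command string, and the list form is the expected fix, so add patterns for the shell flag and say so. In "Deserialization", `yaml\.load\(` also matches the safe `yaml.load(f, Loader=yaml.SafeLoader)`; check the match for `SafeLoader` before reporting it. In "Disabled security", `NODE_TLS_REJECT_UNAUTHORIZED.*0` matches `!== '0'` and any later `0` on the line; anchoring the value (`NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0`) is tighter. Finally, the "False Positive Indicators" list discards real findings: skipping matches that contain `TODO`, `FIXME` or `HACK` drops exactly the lines a developer has already flagged as a shortcut, and matching the words `test`, `example` or `demo` anywhere in the matched line suppresses `latest`, `example.com` and similar in production code; apply the first bullet to the file path rather than the line, and either drop the second bullet or treat those markers as a reason to prioritise the match. The `process.env.` / `os.getenv(` exemption is right for hardcoded-credential hits but should not apply to the injection patterns, where an environment-derived value is still untrusted input.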