# Vulnerability Code Patterns

Grep patterns for detecting common vulnerability patterns. Use with Grep tool.

## SQL Injection

### String concatenation in queries

```
(?i)(query|sql|execute)\s*\(.*\+.*\)
(?i)(SELECT|INSERT|UPDATE|DELETE|DROP).*['"].*\+
```

### Template literals in queries (JS/TS)

```
(?i)(query|sql|execute)\s*\(`.*\$\{
```

## XSS (Cross-Site Scripting)

### Dangerous DOM manipulation

```
\.innerHTML\s*=
dangerouslySetInnerHTML
document\.write\(
```

### Unescaped output (template engines)

```
\{\{\{       # Handlebars unescaped (triple braces)
<%-\s*       # EJS unescaped (vs <%= escaped)
\|safe\b     # Jinja2/Django unescaped
v-html=      # Vue unescaped
```

## Command Injection

### Unsanitized exec/spawn

```
(?i)(exec|execSync|spawn|spawnSync)\s*\(.*\+
(?i)(exec|execSync|spawn|spawnSync)\s*\(`.*\$\{
(?i)child_process.*\(.*\$\{
os\.system\(.*\+
subprocess\.(call|run|Popen)\(.*\+
```

## Path Traversal

### User input in file paths

```
(?i)(readFile|writeFile|createReadStream|open)\s*\(.*req\.(params|query|body)
(?i)(readFile|writeFile)\s*\(.*\+.*\)
```

## Insecure Randomness

### Math.random for security

```
Math\.random\(\).*(?i)(token|key|secret|password|session|nonce|salt)
```

## Dangerous Functions

### eval and equivalents

```
\beval\s*\(
new\s+Function\s*\(
setTimeout\s*\(\s*['"]
setInterval\s*\(\s*['"]
```

### Deserialization

```
(?i)(pickle\.loads|yaml\.load\(|unserialize\()
JSON\.parse\(.*req\.(params|query|body)
```

## Authentication / Authorization

### Hardcoded credentials

```
(?i)(admin|root|password)\s*[:=]\s*['"][^'"]{4,}['"]
```

### Disabled security

```
(?i)(verify|ssl|tls|certificate)\s*[:=]\s*(false|False|0)
(?i)rejectUnauthorized\s*:\s*false
NODE_TLS_REJECT_UNAUTHORIZED.*0
```

## Information Disclosure

### Debug/verbose in production

```
(?i)console\.(log|debug|trace)\s*\(.*(?:password|secret|token|key|credential)
(?i)(DEBUG|VERBOSE)\s*[:=]\s*(true|True|1)
```

## False Positive Indicators

Skip matches containing:

- `test`, `spec`, `mock`, `fixture`, `example`, `sample`, `demo`
- `TODO`, `FIXME`, `HACK`
- Variable declarations reading from env: `process.env.`, `os.getenv(`
- Comments (lines starting with `//`, `#`, `/*`)
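As an added example (not part of this pattern list), the following script runs a subset of the patterns above over a few constructed source lines and applies the false-positive rules from the last section; the `scan` and `is_false_positive` helpers, the finding names and the sample lines are all this example's own. It omits the `Math.random` pattern because Python's `re` only accepts `(?i)` at the start of an expression, whereas ripgrep accepts it mid-pattern.

```python
import re

# Subset of the page's patterns (Python's re needs (?i) at the very start,
# so the Math.random pattern with a mid-expression (?i) is omitted).
PATTERNS = {
    "sqli-concat": r"(?i)(query|sql|execute)\s*\(.*\+.*\)",
    "xss-innerhtml": r"\.innerHTML\s*=",
    "cmdi-exec": r"(?i)(exec|execSync|spawn|spawnSync)\s*\(.*\+",
    "path-traversal": r"(?i)(readFile|writeFile|createReadStream|open)\s*\(.*req\.(params|query|body)",
    "hardcoded-cred": r'''(?i)(admin|root|password)\s*[:=]\s*['"][^'"]{4,}['"]''',
    "tls-disabled": r"(?i)rejectUnauthorized\s*:\s*false",
}

# False-positive indicators from the page. Whole-word matching for the
# keywords is this example's choice, so that e.g. "latest" is not skipped.
FP_WORDS = re.compile(r"\b(test|spec|mock|fixture|example|sample|demo|TODO|FIXME|HACK)\b")
FP_SUBSTRINGS = ("process.env.", "os.getenv(")
COMMENT_PREFIXES = ("//", "#", "/*")

def is_false_positive(line: str) -> bool:
    """Apply the page's skip rules to one source line."""
    if line.lstrip().startswith(COMMENT_PREFIXES):
        return True
    return bool(FP_WORDS.search(line)) or any(s in line for s in FP_SUBSTRINGS)

def scan(lines):
    """Return (line_no, pattern_name, text) for every match that survives the filter."""
    return [
        (no, name, line.strip())
        for no, line in enumerate(lines, 1)
        for name, pat in PATTERNS.items()
        if re.search(pat, line) and not is_false_positive(line)
    ]

# Constructed sample source lines, not taken from any real project.
SAMPLE = """\
const rows = db.query("SELECT * FROM users WHERE id = " + req.params.id);
el.innerHTML = req.query.name;
const password = "hunter2-prod";
// const password = "hunter2-commented";
const adminPassword = "test-fixture-value";
exec("ls " + userDir);
https.request({ rejectUnauthorized: false });
fs.readFile("/uploads/" + req.params.name, cb);
""".splitlines()

if __name__ == "__main__":
    for no, name, text in scan(SAMPLE):
        print(f"{no}: {name}: {text}")
```

Lines 4 and 5 of the sample match the hardcoded-credential pattern but are dropped by the comment and `test`/`fixture` rules, which is the behaviour the skip list is meant to give.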