evalops
diff --git a/‎rules/security/auth.yaml‎
Lines changed: 119 additions & 0 deletions b/‎rules/security/auth.yaml‎
Lines changed: 119 additions & 0 deletions
diff --git a/‎rules/security/deserialization.yaml‎
Lines changed: 85 additions & 0 deletions b/‎rules/security/deserialization.yaml‎
Lines changed: 85 additions & 0 deletions
diff --git a/‎rules/security/injection.yaml‎
Lines changed: 118 additions & 0 deletions b/‎rules/security/injection.yaml‎
Lines changed: 118 additions & 0 deletions
@@ -0,0 +1,119 @@
+rules:
+  # ── Missing Authentication ─────────────────────────────────────────
+  - id: sec.auth.missing
+    description: >
+      API endpoint or route handler lacking authentication middleware/decorator.
+      Framework patterns to check:
+      - Express: route handler without auth middleware argument
+      - Django: view without @login_required or LoginRequiredMixin
+      - Rails: controller without before_action :authenticate_user!
+      - Spring: endpoint without @PreAuthorize, @Secured, @RolesAllowed
+      - FastAPI: handler without Depends(get_current_user)
+      - Axum/Actix: handler without auth extractor or .layer() middleware
+      Flag state-changing endpoints (POST/PUT/DELETE) without auth as critical.
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs,php}"
+    severity: error
+    category: security
+    tags: [auth, missing-auth, owasp-a07, cwe-306]
+    source: diffscope-builtin
+
+  # ── IDOR / BOLA ────────────────────────────────────────────────────
+  - id: sec.auth.idor
+    description: >
+      Insecure Direct Object Reference — user-supplied ID used in database
+      query without ownership/authorization check.
+      Pattern: request parameter (params[:id], req.params.id, path variable)
+      flows into Model.find(id) / query("WHERE id = ?", id) without also
+      filtering by authenticated user (current_user, req.user, claims.sub).
+      Safe pattern: Model.where(id: id, owner: current_user).
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs,php}"
+    severity: error
+    category: security
+    tags: [auth, idor, bola, owasp-a01, cwe-639]
+    source: diffscope-builtin
+
+  # ── Privilege Escalation ───────────────────────────────────────────
+  - id: sec.auth.privilege-escalation
+    description: >
+      Role or permission checks using client-controlled values (cookies,
+      headers, query params) instead of server-side session data.
+      Also flag: mass assignment accepting role/is_admin fields from user input,
+      skip_before_action :authenticate, .permitAll() on admin paths.
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs,php}"
+    severity: error
+    category: security
+    tags: [auth, privilege-escalation, owasp-a01, cwe-269]
+    source: diffscope-builtin
+
+  # ── JWT Vulnerabilities ────────────────────────────────────────────
+  - id: sec.auth.jwt
+    description: >
+      JWT implementation flaws:
+      - jwt.decode() without signature verification (verify=False, verify_signature=False)
+      - Accepting 'none' algorithm (alg: none)
+      - Hardcoded JWT signing secrets (string literals in sign/verify calls)
+      - Missing expiry validation (not checking 'exp' claim)
+      - Using jwt.decode() instead of jwt.verify() (Node.js jsonwebtoken)
+      Safe patterns: algorithm allowlist, key from env/vault, exp validation.
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs}"
+    severity: error
+    category: security
+    tags: [auth, jwt, owasp-a07, cwe-347]
+    source: diffscope-builtin
+
+  # ── Weak Password Storage ──────────────────────────────────────────
+  - id: sec.auth.weak-password-hash
+    description: >
+      Passwords hashed with weak or unsuitable algorithms.
+      Vulnerable: MD5, SHA1, SHA256 (without KDF), DES, plain ROT13.
+      Acceptable: bcrypt (cost >= 10), argon2id, scrypt, PBKDF2 (>= 600k iterations).
+      Flag hashlib.md5/sha1/sha256 used for password storage,
+      Digest::MD5/SHA1 for passwords, crypto.createHash('md5') for passwords.
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs,php}"
+    severity: error
+    category: security
+    tags: [auth, password, weak-hash, owasp-a07, cwe-916]
+    source: diffscope-builtin
+
+  # ── OAuth Misconfiguration ─────────────────────────────────────────
+  - id: sec.auth.oauth
+    description: >
+      OAuth implementation flaws:
+      - Missing state parameter in authorization URL (CSRF on login)
+      - Open redirect in redirect_uri (not validating against allowlist)
+      - Storing tokens in localStorage (XSS-accessible)
+      - Not validating token audience/issuer claims
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs}"
+    severity: warning
+    category: security
+    tags: [auth, oauth, owasp-a07, cwe-352]
+    source: diffscope-builtin
+
+  # ── Session Management ─────────────────────────────────────────────
+  - id: sec.auth.session
+    description: >
+      Session security flaws:
+      - Missing HttpOnly flag on session cookies
+      - Missing Secure flag on session cookies
+      - Missing SameSite attribute (or SameSite=None without Secure)
+      - Session not regenerated after login (session fixation)
+      - Hardcoded session secrets
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs,php}"
+    severity: warning
+    category: security
+    tags: [auth, session, cookies, owasp-a07, cwe-384]
+    source: diffscope-builtin
+
+  # ── CSRF ───────────────────────────────────────────────────────────
+  - id: sec.auth.csrf
+    description: >
+      Missing or disabled CSRF protection on state-changing endpoints.
+      Flag: @csrf_exempt (Django), .csrf().disable() (Spring), skip_before_action
+      :verify_authenticity_token (Rails), missing csurf middleware (Express).
+      Also flag state-changing operations on GET endpoints.
+      Not applicable to: pure API endpoints using Bearer tokens (not cookies).
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs,php}"
+    severity: warning
+    category: security
+    tags: [auth, csrf, owasp-a01, cwe-352]
+    source: diffscope-builtin
@@ -0,0 +1,85 @@
+rules:
+  # ── Unsafe Deserialization ─────────────────────────────────────────
+  - id: sec.deser.unsafe
+    description: >
+      Native deserialization of untrusted data, potentially enabling RCE.
+      Language-specific dangerous functions:
+      - Python: pickle.load/loads, cPickle, dill, shelve, marshal.load,
+        yaml.load (without SafeLoader), yaml.unsafe_load, jsonpickle.decode,
+        torch.load (PyTorch), HuggingFace unsafe download
+      - Java: ObjectInputStream.readObject/readUnshared, XMLDecoder,
+        XStream.fromXML (pre-1.4.7), BinaryFormatter
+      - Ruby: YAML.load (use safe_load), Marshal.load,
+        JSON.parse(create_additions: true)
+      - JavaScript: node-serialize unserialize(), funcster, js-yaml !!js/function,
+        cryo.parse()
+      - PHP: unserialize()
+      - .NET: BinaryFormatter.Deserialize, TypeNameHandling != None,
+        JavaScriptSerializer with TypeResolver
+      - Go: gob.Decode on untrusted input
+      Safe alternatives: JSON, yaml.safe_load, ObjectInputStream with allowlist.
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs,php}"
+    severity: error
+    category: security
+    tags: [deserialization, rce, owasp-a08, cwe-502]
+    source: diffscope-builtin
+
+  # ── SSRF (Server-Side Request Forgery) ─────────────────────────────
+  - id: sec.ssrf
+    description: >
+      User-controlled input used to construct outbound HTTP request URLs.
+      Sinks: requests.get(url), fetch(url), axios.get(url), http.Get(url),
+      reqwest::get(url), HttpURLConnection(url), Net::HTTP.get(URI(url)),
+      RestTemplate.getForObject(url), WebClient.get().uri(url).
+      Check for: URL parameters, redirect targets, webhook URLs, image URLs,
+      callback URLs built from user input.
+      Bypass awareness: DNS rebinding, redirect following, encoding tricks
+      (hex IP, octal IP, IPv6 mapped), scheme abuse (file://, gopher://).
+      Sanitizers: URL allowlisting, DNS resolution + IP blocklist validation,
+      disabling redirects, blocking internal IP ranges
+      (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254).
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs,php,scala}"
+    severity: error
+    category: security
+    tags: [ssrf, owasp-a10, cwe-918]
+    source: diffscope-builtin
+
+  # ── XXE (XML External Entity) ──────────────────────────────────────
+  - id: sec.xxe
+    description: >
+      XML parsing without disabling external entity resolution.
+      Sinks: DocumentBuilderFactory, SAXParser, XMLReader, etree.parse,
+      lxml.etree.parse, xml.sax.parse without disabling external entities.
+      Fix: set feature "http://apache.org/xml/features/disallow-doctype-decl" true,
+      or use defusedxml (Python), set XMLConstants.FEATURE_SECURE_PROCESSING.
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs,php}"
+    severity: error
+    category: security
+    tags: [xxe, xml, owasp-a05, cwe-611]
+    source: diffscope-builtin
+
+  # ── Open Redirect ──────────────────────────────────────────────────
+  - id: sec.redirect.open
+    description: >
+      Unvalidated redirect using user-controlled URL.
+      Sinks: redirect(req.params.url), res.redirect(req.query.next),
+      HttpResponseRedirect(request.GET['url']), redirect_to(params[:url]).
+      Sanitizers: allowlist of permitted domains/paths, relative-URL-only validation.
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs,php}"
+    severity: warning
+    category: security
+    tags: [redirect, open-redirect, owasp-a01, cwe-601]
+    source: diffscope-builtin
+
+  # ── CORS Misconfiguration ──────────────────────────────────────────
+  - id: sec.cors.misconfigured
+    description: >
+      Overly permissive CORS configuration.
+      Flag: Access-Control-Allow-Origin: * with credentials,
+      reflecting the Origin header without validation,
+      regex-based origin matching with bypass potential.
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs,php}"
+    severity: warning
+    category: security
+    tags: [cors, owasp-a05, cwe-942]
+    source: diffscope-builtin
@@ -0,0 +1,118 @@
+rules:
+  # ── SQL Injection ──────────────────────────────────────────────────
+  - id: sec.injection.sql
+    description: >
+      User-controlled input concatenated or interpolated into a SQL query string
+      instead of using parameterized queries / prepared statements.
+      Sinks: cursor.execute(f"..."), db.Query(fmt.Sprintf(...)), connection.query(str),
+      ActiveRecord.where("... #{...}"), sqlx::query(format!(...)), SqlCommand(str).
+      Sanitizers: parameterized queries (?/$1 placeholders), ORM filters, sqlx::query! macro.
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs,php,scala}"
+    severity: error
+    category: security
+    tags: [injection, sql-injection, owasp-a03, cwe-89]
+    source: diffscope-builtin
+
+  - id: sec.injection.sql.nosql
+    description: >
+      NoSQL injection via unsanitized input in MongoDB/DynamoDB/Elasticsearch queries.
+      Check for $where, $regex, $gt/$lt operators built from user input,
+      or JSON query objects constructed from request parameters.
+    scope: "**/*.{py,js,ts,rb,go,java}"
+    severity: error
+    category: security
+    tags: [injection, nosql-injection, owasp-a03, cwe-943]
+    source: diffscope-builtin
+
+  # ── Command Injection ──────────────────────────────────────────────
+  - id: sec.injection.command
+    description: >
+      User-controlled input passed to OS command execution functions.
+      Sinks: os.system(), subprocess.Popen(shell=True), exec.Command("sh","-c",str),
+      child_process.exec(str), Runtime.exec(str), system(str), Process.spawn(str).
+      Sanitizers: argument arrays (not shell strings), shlex.quote(), allowlist validation.
+      Flag shell=True with non-literal command strings.
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs,php,bash,sh}"
+    severity: error
+    category: security
+    tags: [injection, command-injection, owasp-a03, cwe-78]
+    source: diffscope-builtin
+
+  # ── XSS (Cross-Site Scripting) ─────────────────────────────────────
+  - id: sec.injection.xss
+    description: >
+      User-controlled content rendered as HTML without output encoding.
+      Sinks: innerHTML, outerHTML, document.write(), dangerouslySetInnerHTML,
+      raw(), .html_safe, mark_safe(), Markup(), bypassSecurityTrust*().
+      Safe alternatives: textContent, createElement, framework auto-escaping.
+      Check template files for unescaped output: {{! }}, |safe, -%>, <%==.
+    scope: "**/*.{js,jsx,ts,tsx,html,erb,ejs,hbs,vue,svelte,py,rb,php,java}"
+    severity: error
+    category: security
+    tags: [injection, xss, owasp-a03, cwe-79]
+    source: diffscope-builtin
+
+  # ── Template Injection (SSTI) ──────────────────────────────────────
+  - id: sec.injection.template
+    description: >
+      Server-side template injection via user input in template strings.
+      Sinks: Jinja2 Template(user_input), Flask render_template_string(user_input),
+      Mako Template(user_input), ERB.new(user_input), Razor @Html.Raw(user_input).
+      Check for user input flowing into template compilation (not just rendering).
+    scope: "**/*.{py,rb,js,ts,java,cs,go}"
+    severity: error
+    category: security
+    tags: [injection, ssti, template-injection, owasp-a03, cwe-1336]
+    source: diffscope-builtin
+
+  # ── LDAP Injection ─────────────────────────────────────────────────
+  - id: sec.injection.ldap
+    description: >
+      User input interpolated into LDAP search filters without escaping.
+      Sinks: DirContext.search(), InitialDirContext.search(), LdapContext methods.
+      Sanitizers: LDAP filter encoding, allowlist validation of search terms.
+    scope: "**/*.{java,kt,cs,py,php}"
+    severity: error
+    category: security
+    tags: [injection, ldap-injection, owasp-a03, cwe-90]
+    source: diffscope-builtin
+
+  # ── Log Injection ──────────────────────────────────────────────────
+  - id: sec.injection.log
+    description: >
+      User-controlled data written to logs without sanitization, enabling
+      log forging or ANSI escape sequence injection.
+      Check for request parameters, headers, or user input in log statements
+      without newline/control character stripping.
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs}"
+    severity: warning
+    category: security
+    tags: [injection, log-injection, owasp-a09, cwe-117]
+    source: diffscope-builtin
+
+  # ── Path Traversal ─────────────────────────────────────────────────
+  - id: sec.injection.path-traversal
+    description: >
+      User input used to construct file paths without validation, allowing
+      directory traversal via ../ sequences or absolute paths.
+      Sinks: open(user_path), fs.readFile(user_path), File.new(user_path),
+      std::fs::read(user_path), os.Open(user_path).
+      Sanitizers: path canonicalization + prefix check, basename extraction.
+    scope: "**/*.{py,js,ts,rb,go,rs,java,kt,cs,php}"
+    severity: error
+    category: security
+    tags: [injection, path-traversal, owasp-a01, cwe-22]
+    source: diffscope-builtin
+
+  # ── Code Injection ─────────────────────────────────────────────────
+  - id: sec.injection.code
+    description: >
+      User input passed to code evaluation functions.
+      Sinks: eval(), exec(), Function(str), setTimeout(str), setInterval(str),
+      compile(), __import__(), importlib with user strings.
+      Almost never safe with user input — flag unconditionally.
+    scope: "**/*.{py,js,ts,rb,php}"
+    severity: error
+    category: security
+    tags: [injection, code-injection, owasp-a03, cwe-94]
+    source: diffscope-builtin