zhongwei/gh-jeremylongshore-claude-code-plugins-plus-plugins-security-input-validation-scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-30 08:22:16 +08:00
commit 38f63304b6
10 changed files with 518 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
.claude-plugin/plugin.json Normal file
View File

@@ -0,0 +1,15 @@
{
"name": "input-validation-scanner",
"description": "Scan input validation practices",
"version": "1.0.0",
"author": {
"name": "Jeremy Longshore",
"email": "[email protected]"
},
"skills": [
"./skills"
],
"commands": [
"./commands"
]
}

3
README.md Normal file
View File

@@ -0,0 +1,3 @@
# input-validation-scanner
Scan input validation practices

8
commands/scan-input.md Normal file
View File

@@ -0,0 +1,8 @@
---
description: DESCRIPTION_PLACEHOLDER
shortcut: SHORTCUT_PLACEHOLDER
---
# TITLE_PLACEHOLDER
CONTENT_PLACEHOLDER

73
plugin.lock.json Normal file
View File

@@ -0,0 +1,73 @@
{
"$schema": "internal://schemas/plugin.lock.v1.json",
"pluginId": "gh:jeremylongshore/claude-code-plugins-plus:plugins/security/input-validation-scanner",
"normalized": {
"repo": null,
"ref": "refs/tags/v20251128.0",
"commit": "13d32b1a7b653f37593c768ee7d5fd6c05afdc36",
"treeHash": "d481e4ed9b7f315892bed70aabc46bed111deba6b282c974743fb81abd607e7d",
"generatedAt": "2025-11-28T10:18:31.099099Z",
"toolVersion": "publish_plugins.py@0.2.0"
},
"origin": {
"remote": "git@github.com:zhongweili/42plugin-data.git",
"branch": "master",
"commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390",
"repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data"
},
"manifest": {
"name": "input-validation-scanner",
"description": "Scan input validation practices",
"version": "1.0.0"
},
"content": {
"files": [
{
"path": "README.md",
"sha256": "1b62a3b0b77b561fc561e4fcc211d467360a381a2951d812dca7622ab1c4a568"
},
{
"path": ".claude-plugin/plugin.json",
"sha256": "48622c4c80365a34d6d94ed08c572339ec79ed63e7eb7dab03b290069ed67de2"
},
{
"path": "commands/scan-input.md",
"sha256": "26981dafecd0bda9d89082c091325c9fdc3ac197318243e952dde0b1a38f4088"
},
{
"path": "skills/input-validation-scanner/SKILL.md",
"sha256": "f6ead5a7619caf8aa7c4abbb1095ee43067d2ffb571675f65e986fb0b6c7e853"
},
{
"path": "skills/input-validation-scanner/references/README.md",
"sha256": "76da117636186ede3c0b2e3c25082d43b1c5a81675b127c2c2e2eebaf3d9fc4c"
},
{
"path": "skills/input-validation-scanner/scripts/README.md",
"sha256": "adca75ec9dede136446a53ccb79002c39c791d43312d778371f97b282ce048cd"
},
{
"path": "skills/input-validation-scanner/assets/semgrep_ruleset.yaml",
"sha256": "61d2f08863b14732295384e8e75a7c12fc5504807ba5309e2bf12132cbb7aaf9"
},
{
"path": "skills/input-validation-scanner/assets/example_code_with_vulnerabilities.zip",
"sha256": "e6e64ee038d180fdf8a7b8d94af62ad07c0910aefe6c002f79726c164be1939e"
},
{
"path": "skills/input-validation-scanner/assets/README.md",
"sha256": "ce170a83c0c9625d43c0f6f786fce67e2ed7c71b2408cb856bc887c14be3dcb5"
},
{
"path": "skills/input-validation-scanner/assets/codeql_ruleset.qls",
"sha256": "e8bad044ef08c82d0d97daa61017b4dd02a348a4ea5d2eab744b42908fa749de"
}
],
"dirSha256": "d481e4ed9b7f315892bed70aabc46bed111deba6b282c974743fb81abd607e7d"
},
"security": {
"scannedAt": null,
"scannerVersion": null,
"flags": []
}
}

54
skills/input-validation-scanner/SKILL.md Normal file
View File

@@ -0,0 +1,54 @@
---
name: scanning-input-validation-practices
description: |
This skill enables Claude to automatically scan source code for potential input validation vulnerabilities. It identifies areas where user-supplied data is not properly sanitized or validated before being used in operations, which could lead to security exploits like SQL injection, cross-site scripting (XSS), or command injection. Use this skill when the user asks to "scan for input validation issues", "check input sanitization", "find potential XSS vulnerabilities", or similar requests related to securing user input. It is particularly useful during code reviews, security audits, and when hardening applications against common web vulnerabilities. The skill leverages the input-validation-scanner plugin to perform the analysis.
allowed-tools: Read, Write, Edit, Grep, Glob, Bash
version: 1.0.0
---
## Overview
This skill automates the process of identifying potential input validation flaws within a codebase. By analyzing how user-provided data is handled, it helps developers proactively address security vulnerabilities before they can be exploited. This skill streamlines security audits and improves the overall security posture of applications.
## How It Works
1. **Initiate Scan**: The user requests an input validation scan, triggering the skill.
2. **Code Analysis**: The skill uses the input-validation-scanner plugin to analyze the specified codebase or file.
3. **Vulnerability Identification**: The plugin identifies instances where input validation may be missing or insufficient.
4. **Report Generation**: The skill presents a report highlighting potential vulnerabilities and their locations in the code.
## When to Use This Skill
This skill activates when you need to:
- Audit a codebase for input validation vulnerabilities.
- Review newly written code for potential XSS or SQL injection flaws.
- Harden an application against common web security exploits.
- Ensure compliance with security best practices related to input handling.
## Examples
### Example 1: Identifying XSS Vulnerabilities
User request: "Scan the user profile module for potential XSS vulnerabilities."
The skill will:
1. Activate the input-validation-scanner plugin on the specified module.
2. Generate a report highlighting areas where user input is directly rendered without proper sanitization, indicating potential XSS vulnerabilities.
### Example 2: Checking for SQL Injection Risks
User request: "Check the database access layer for potential SQL injection risks."
The skill will:
1. Use the input-validation-scanner plugin to examine the database access code.
2. Identify instances where user input is used directly in SQL queries without proper parameterization or escaping, indicating potential SQL injection vulnerabilities.
## Best Practices
- **Regular Scanning**: Integrate input validation scanning into your regular development workflow.
- **Contextual Analysis**: Always review the identified vulnerabilities in context to determine their actual impact and severity.
- **Comprehensive Validation**: Ensure that all user-supplied data is validated, including data from forms, APIs, and external sources.
## Integration
This skill can be used in conjunction with other security-related skills to provide a more comprehensive security assessment. For example, it can be combined with a static analysis skill to identify other types of vulnerabilities or with a dependency scanning skill to identify vulnerable third-party libraries.

7
skills/input-validation-scanner/assets/README.md Normal file
View File

@@ -0,0 +1,7 @@
# Assets
Bundled resources for input-validation-scanner skill
- [ ] codeql_ruleset.qls: Example CodeQL ruleset for input validation.
- [ ] semgrep_ruleset.yaml: Example Semgrep ruleset for input validation.
- [ ] example_code_with_vulnerabilities.zip: A zip file containing example code snippets with common input validation vulnerabilities.

96
skills/input-validation-scanner/assets/codeql_ruleset.qls Normal file
View File

@@ -0,0 +1,96 @@
/**
* @name Input Validation Scanner - CodeQL Ruleset
* @description This ruleset contains queries that identify potential input validation vulnerabilities.
* @kind meta-ruleset
* @id input-validation-scanner
*/
import javascript
import python
import go
import csharp
import java
import cpp
/**
* General Input Validation Checks
*/
// Untrusted data used in SQL queries (SQL Injection)
from SqlInjectionQuery q
select q, "Potential SQL Injection vulnerability: Untrusted data used in SQL query."
// Untrusted data used in OS commands (Command Injection)
from CommandInjectionQuery q
select q, "Potential Command Injection vulnerability: Untrusted data used in OS command."
// Untrusted data used in XPath queries (XPath Injection) - Requires XPath support in language
// from XPathInjectionQuery q
// select q, "Potential XPath Injection vulnerability: Untrusted data used in XPath query."
// Cross-Site Scripting (XSS) - Requires framework-specific queries for best results
// Placeholder: Add XSS queries here, potentially framework-specific (e.g., React, Angular, Vue)
/**
* Language-Specific Input Validation Checks
*/
// JavaScript/TypeScript examples
from DataFlow::PathGraph<DataFlow::Node, DataFlow::Node> path, DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlowPath(source, sink) and
source.asExpr().(CallExpr).getCalleeName() = "eval" and //Example: Detect use of eval with untrusted input. This is just an example, adjust as needed.
sink.asExpr().(CallExpr).getArgument(0).toString().regexpMatch(".*[<>&\"'].*") and // Example: Simple check for HTML characters in the eval input. This is just an example, adjust as needed.
source.asExpr().(CallExpr).getArgument(0).toString().regexpMatch(".*userInput.*") // Example: Check if the eval input uses a variable named "userInput". This is just an example, adjust as needed.
select path, "Potential JavaScript eval with untrusted input."
// Python examples
// Placeholder: Add Python-specific input validation queries here, focusing on common vulnerabilities. Example: OS Command Injection through format strings.
// Go examples
// Placeholder: Add Go-specific input validation queries here, focusing on common vulnerabilities. Example: Path Traversal.
// C# examples
// Placeholder: Add C#-specific input validation queries here, focusing on common vulnerabilities. Example: LDAP Injection.
// Java examples
// Placeholder: Add Java-specific input validation queries here, focusing on common vulnerabilities. Example: Deserialization vulnerabilities.
// C/C++ examples
// Placeholder: Add C/C++-specific input validation queries here, focusing on common vulnerabilities. Example: Buffer overflows.
/**
* Custom Input Validation Checks
*
* Placeholder: Add custom queries tailored to the specific application or framework.
* These queries should focus on identifying missing or inadequate input validation routines.
*/
// Example: Check for missing length validation on a specific input field.
// from DataFlow::PathGraph<DataFlow::Node, DataFlow::Node> path, DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink
// where cfg.hasFlowPath(source, sink) and
// source.asExpr().(VariableAccess).getTarget().getName() = "userInput" and // Replace "userInput" with the actual input field name
// sink.asExpr().(CallExpr).getCalleeName() = "processData" and // Replace "processData" with the function that processes the input
// not exists(CallExpr call | call.getCalleeName() = "validateLength" and call.getArgument(0) = source.asExpr()) // Check for missing length validation
// select path, "Missing length validation for input field 'userInput'."
/**
* Helper Queries (Optional)
*
* Placeholder: Add helper queries that can be used by other queries in this ruleset.
* These can simplify the main queries and improve code reuse.
*/
/**
* Configuration
*
* Placeholder: Add any necessary configuration options for the queries in this ruleset.
* This might include specifying trusted sources, sanitization functions, or regular expressions.
*/
/**
* Considerations
*
* - This ruleset is a starting point and should be customized to the specific application and its security requirements.
* - Regularly update the ruleset to address new vulnerabilities and attack vectors.
* - Review the results carefully and prioritize remediation based on the severity of the vulnerability and the likelihood of exploitation.
*/

248
skills/input-validation-scanner/assets/semgrep_ruleset.yaml Normal file
View File

@@ -0,0 +1,248 @@
# semgrep_ruleset.yaml
# Example Semgrep ruleset for scanning input validation practices.
rules:
# Rule 1: Detect missing input validation on user-provided data
- id: input-validation.missing-validation
message: |
Missing input validation for user-provided data.
Consider adding validation to prevent injection attacks, XSS, etc.
severity: WARNING
languages:
- python
- javascript
patterns:
- pattern-either:
- pattern: $variable = request.GET["$input"] # Python Django example
- pattern: $variable = request.args.get("$input") # Python Flask example
- pattern: $variable = $_GET["$input"] # PHP example
- pattern: $variable = req.query.$input # Javascript Express example
- pattern: $variable = req.body.$input # Javascript Express example
- pattern-not: |
# Example: Check if $variable is validated before use
if validate($variable):
...
else:
raise Exception("Invalid input")
# Example metavariable regex constraint - require input to be a string
#constraints:
# $input:
# regex: "^[a-zA-Z_][a-zA-Z0-9_]*$"
metadata:
owasp: "A03:2021 - Injection"
cwe: "CWE-20: Improper Input Validation"
references:
- "https://owasp.org/Top10/A03_2021-Injection/"
confidence: LOW # Adjust based on the accuracy of the rule
# Rule 2: Detect use of eval() without proper sanitization
- id: input-validation.unsafe-eval
message: |
Detected use of eval() function. This can be dangerous if user-provided input is used without proper sanitization.
Consider using safer alternatives.
severity: CRITICAL
languages:
- python
- javascript
patterns:
- pattern: eval($input)
# Example metavariable regex constraint - require input to be a string
constraints:
$input:
not: "safe_string" # Prevent flagging safe uses, REPLACE_ME: Add logic to identify safe strings
metadata:
owasp: "A03:2021 - Injection"
cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
references:
- "https://owasp.org/www-community/attacks/Code_Injection"
confidence: MEDIUM
# Rule 3: Detect potential SQL injection vulnerabilities (basic example)
- id: input-validation.sql-injection-basic
message: |
Potential SQL injection vulnerability detected.
Ensure that user-provided input is properly sanitized and parameterized before use in SQL queries.
severity: HIGH
languages:
- python
- javascript
- php
patterns:
- pattern-either:
- pattern: db_query("SELECT * FROM users WHERE username = '" + $username + "'") # Generic string concatenation
- pattern: db_query(f"SELECT * FROM users WHERE username = '{ $username }'") # Python f-string
- pattern: db_query("SELECT * FROM users WHERE username = " . $username) # PHP concatenation
- pattern-not: |
# Example: Check if $username is properly escaped before use
$username = escape_sql($username)
metadata:
owasp: "A03:2021 - Injection"
cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
references:
- "https://owasp.org/www-community/attacks/SQL_Injection"
confidence: MEDIUM
# Rule 4: Detect use of shell injection vulnerabilities (basic example)
- id: input-validation.shell-injection-basic
message: |
Potential shell injection vulnerability detected.
Ensure that user-provided input is properly sanitized and parameterized before use in shell commands.
severity: HIGH
languages:
- python
- javascript
- php
patterns:
- pattern-either:
- pattern: subprocess.call($command, shell=True) # Python shell=True is dangerous
- pattern: exec($command) # PHP
- pattern: child_process.exec($command) # Javascript
- pattern-not: |
# Example: Check if $command is properly escaped before use
$command = escape_shell($command)
metadata:
owasp: "A03:2021 - Injection"
cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
references:
- "https://owasp.org/www-community/attacks/OS_Command_Injection"
confidence: MEDIUM
# Rule 5: Detect HTML injection vulnerabilities (basic example)
- id: input-validation.html-injection-basic
message: |
Potential HTML injection vulnerability detected.
Ensure that user-provided input is properly sanitized and escaped before use in HTML output.
severity: MEDIUM
languages:
- python
- javascript
- php
patterns:
- pattern-either:
- pattern: document.write($input) # JavaScript
- pattern: echo $input # PHP
- pattern: return HttpResponse($input) # Python Django
- pattern-not: |
# Example: Check if $input is properly escaped before use
$input = escape_html($input)
metadata:
owasp: "A03:2021 - Injection"
cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
references:
- "https://owasp.org/www-community/attacks/xss/"
confidence: MEDIUM
# Rule 6: Detect missing CSRF protection in forms (Django example)
- id: input-validation.missing-csrf-protection
message: |
Missing CSRF protection in Django form. Add {% csrf_token %} to your form.
severity: HIGH
languages:
- html
patterns:
- pattern: |
<form method="POST" ...>
...
</form>
- pattern-not: |
<form method="POST" ...>
{% csrf_token %}
...
</form>
metadata:
owasp: "A01:2021 - Broken Access Control"
cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
references:
- "https://owasp.org/www-community/attacks/CSRF"
confidence: MEDIUM
# Rule 7: Detect use of hardcoded secrets (Placeholder, REPLACE_ME)
- id: input-validation.hardcoded-secret
message: |
Hardcoded secret detected. Avoid storing secrets directly in code.
Use environment variables or a secrets management system instead.
severity: CRITICAL
languages:
- python
- javascript
- php
patterns:
- pattern-either:
- pattern: API_KEY = "YOUR_API_KEY_HERE" # Python
- pattern: const API_KEY = "YOUR_API_KEY_HERE"; # JavaScript
- pattern: $apiKey = "YOUR_API_KEY_HERE"; # PHP
- pattern: API_KEY = "REPLACE_ME"
- pattern: const API_KEY = "REPLACE_ME";
- pattern: $apiKey = "REPLACE_ME";
metadata:
owasp: "A05:2021 - Security Misconfiguration"
cwe: "CWE-798: Use of Hard-coded Credentials"
references:
- "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
confidence: HIGH
# Rule 8: Example for detecting weak password storage (Placeholder, REPLACE_ME)
- id: input-validation.weak-password-storage
message: |
Weak password storage detected. Use a strong hashing algorithm like bcrypt or Argon2.
severity: CRITICAL
languages:
- python
- javascript
- php
patterns:
- pattern-either:
- pattern: hashlib.md5($password).hexdigest() # Python MD5
- pattern: md5($password) # PHP MD5
- pattern: SHA1($password) # PHP SHA1
- pattern-not: |
# Example: Check if $password is properly hashed with bcrypt
bcrypt.hashpw($password, bcrypt.gensalt())
metadata:
owasp: "A07:2021 - Identification and Authentication Failures"
cwe: "CWE-916: Use of Password Hash With Insufficient Computational Effort"
references:
- "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
confidence: MEDIUM
# Rule 9: Catching the usage of unsafe functions like gets() in C/C++
- id: input-validation.unsafe-function-gets
message: |
The `gets()` function is inherently unsafe due to lack of bounds checking.
Use `fgets()` instead.
severity: CRITICAL
languages:
- c
- cpp
patterns:
- pattern: gets($buf);
metadata:
owasp: "A03:2021 - Injection"
cwe: "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"
references:
- "https://cwe.mitre.org/data/definitions/120.html"
confidence: HIGH
# Rule 10: Detect path traversal vulnerabilities (Placeholder, REPLACE_ME)
- id: input-validation.path-traversal
message: |
Potential path traversal vulnerability detected. Ensure that file paths are properly validated to prevent access to unauthorized files.
severity: HIGH
languages:
- python
- javascript
- php
patterns:
- pattern-either:
- pattern: open($filepath, 'r') # Python
- pattern: fs.readFile($filepath) # Javascript
- pattern: fopen($filepath, 'r') # PHP
- pattern-not: |
# Example: Check if $filepath is properly validated before use
$filepath = validate_filepath($filepath)
metadata:
owasp: "A01:2021 - Broken Access Control"
cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
references:
- "https://owasp.org/www-community/attacks/Path_Traversal"
confidence: MEDIUM

7
skills/input-validation-scanner/references/README.md Normal file
View File

@@ -0,0 +1,7 @@
# References
Bundled resources for input-validation-scanner skill
- [ ] owasp_input_validation_cheatsheet.md: OWASP Input Validation Cheat Sheet for best practices.
- [ ] codeql_rules.md: Documentation on custom CodeQL rules for input validation.
- [ ] semgrep_rules.md: Documentation on custom Semgrep rules for input validation.

7
skills/input-validation-scanner/scripts/README.md Normal file
View File

@@ -0,0 +1,7 @@
# Scripts
Bundled resources for input-validation-scanner skill
- [ ] codeql_scan.sh: Executes CodeQL to scan the code for input validation vulnerabilities. Requires CodeQL CLI to be installed.
- [ ] semgrep_scan.sh: Executes Semgrep to scan the code for input validation vulnerabilities. Requires Semgrep CLI to be installed.
- [ ] dependency_check.py: Python script to check for vulnerable dependencies that could lead to input validation issues. Requires a requirements.txt file.