From 38f63304b6a3af966c623bc788df5c0731ada243 Mon Sep 17 00:00:00 2001 From: Zhongwei Li Date: Sun, 30 Nov 2025 08:22:16 +0800 Subject: [PATCH] Initial commit --- .claude-plugin/plugin.json | 15 ++ README.md | 3 + commands/scan-input.md | 8 + plugin.lock.json | 73 ++++++ skills/input-validation-scanner/SKILL.md | 54 ++++ .../input-validation-scanner/assets/README.md | 7 + .../assets/codeql_ruleset.qls | 96 +++++++ .../assets/semgrep_ruleset.yaml | 248 ++++++++++++++++++ .../references/README.md | 7 + .../scripts/README.md | 7 + 10 files changed, 518 insertions(+) create mode 100644 .claude-plugin/plugin.json create mode 100644 README.md create mode 100644 commands/scan-input.md create mode 100644 plugin.lock.json create mode 100644 skills/input-validation-scanner/SKILL.md create mode 100644 skills/input-validation-scanner/assets/README.md create mode 100644 skills/input-validation-scanner/assets/codeql_ruleset.qls create mode 100644 skills/input-validation-scanner/assets/semgrep_ruleset.yaml create mode 100644 skills/input-validation-scanner/references/README.md create mode 100644 skills/input-validation-scanner/scripts/README.md diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json new file mode 100644 index 0000000..16e37f8 --- /dev/null +++ b/.claude-plugin/plugin.json @@ -0,0 +1,15 @@ +{ + "name": "input-validation-scanner", + "description": "Scan input validation practices", + "version": "1.0.0", + "author": { + "name": "Jeremy Longshore", + "email": "[email protected]" + }, + "skills": [ + "./skills" + ], + "commands": [ + "./commands" + ] +} \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..b9ec1e1 --- /dev/null +++ b/README.md @@ -0,0 +1,3 @@ +# input-validation-scanner + +Scan input validation practices diff --git a/commands/scan-input.md b/commands/scan-input.md new file mode 100644 index 0000000..205880e --- /dev/null +++ b/commands/scan-input.md @@ -0,0 +1,8 @@ +--- +description: DESCRIPTION_PLACEHOLDER +shortcut: SHORTCUT_PLACEHOLDER +--- + +# TITLE_PLACEHOLDER + +CONTENT_PLACEHOLDER diff --git a/plugin.lock.json b/plugin.lock.json new file mode 100644 index 0000000..1b09133 --- /dev/null +++ b/plugin.lock.json @@ -0,0 +1,73 @@ +{ + "$schema": "internal://schemas/plugin.lock.v1.json", + "pluginId": "gh:jeremylongshore/claude-code-plugins-plus:plugins/security/input-validation-scanner", + "normalized": { + "repo": null, + "ref": "refs/tags/v20251128.0", + "commit": "13d32b1a7b653f37593c768ee7d5fd6c05afdc36", + "treeHash": "d481e4ed9b7f315892bed70aabc46bed111deba6b282c974743fb81abd607e7d", + "generatedAt": "2025-11-28T10:18:31.099099Z", + "toolVersion": "publish_plugins.py@0.2.0" + }, + "origin": { + "remote": "git@github.com:zhongweili/42plugin-data.git", + "branch": "master", + "commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390", + "repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data" + }, + "manifest": { + "name": "input-validation-scanner", + "description": "Scan input validation practices", + "version": "1.0.0" + }, + "content": { + "files": [ + { + "path": "README.md", + "sha256": "1b62a3b0b77b561fc561e4fcc211d467360a381a2951d812dca7622ab1c4a568" + }, + { + "path": ".claude-plugin/plugin.json", + "sha256": "48622c4c80365a34d6d94ed08c572339ec79ed63e7eb7dab03b290069ed67de2" + }, + { + "path": "commands/scan-input.md", + "sha256": "26981dafecd0bda9d89082c091325c9fdc3ac197318243e952dde0b1a38f4088" + }, + { + "path": "skills/input-validation-scanner/SKILL.md", + "sha256": "f6ead5a7619caf8aa7c4abbb1095ee43067d2ffb571675f65e986fb0b6c7e853" + }, + { + "path": "skills/input-validation-scanner/references/README.md", + "sha256": "76da117636186ede3c0b2e3c25082d43b1c5a81675b127c2c2e2eebaf3d9fc4c" + }, + { + "path": "skills/input-validation-scanner/scripts/README.md", + "sha256": "adca75ec9dede136446a53ccb79002c39c791d43312d778371f97b282ce048cd" + }, + { + "path": "skills/input-validation-scanner/assets/semgrep_ruleset.yaml", + "sha256": "61d2f08863b14732295384e8e75a7c12fc5504807ba5309e2bf12132cbb7aaf9" + }, + { + "path": "skills/input-validation-scanner/assets/example_code_with_vulnerabilities.zip", + "sha256": "e6e64ee038d180fdf8a7b8d94af62ad07c0910aefe6c002f79726c164be1939e" + }, + { + "path": "skills/input-validation-scanner/assets/README.md", + "sha256": "ce170a83c0c9625d43c0f6f786fce67e2ed7c71b2408cb856bc887c14be3dcb5" + }, + { + "path": "skills/input-validation-scanner/assets/codeql_ruleset.qls", + "sha256": "e8bad044ef08c82d0d97daa61017b4dd02a348a4ea5d2eab744b42908fa749de" + } + ], + "dirSha256": "d481e4ed9b7f315892bed70aabc46bed111deba6b282c974743fb81abd607e7d" + }, + "security": { + "scannedAt": null, + "scannerVersion": null, + "flags": [] + } +} \ No newline at end of file diff --git a/skills/input-validation-scanner/SKILL.md b/skills/input-validation-scanner/SKILL.md new file mode 100644 index 0000000..ce2176b --- /dev/null +++ b/skills/input-validation-scanner/SKILL.md @@ -0,0 +1,54 @@ +--- +name: scanning-input-validation-practices +description: | + This skill enables Claude to automatically scan source code for potential input validation vulnerabilities. It identifies areas where user-supplied data is not properly sanitized or validated before being used in operations, which could lead to security exploits like SQL injection, cross-site scripting (XSS), or command injection. Use this skill when the user asks to "scan for input validation issues", "check input sanitization", "find potential XSS vulnerabilities", or similar requests related to securing user input. It is particularly useful during code reviews, security audits, and when hardening applications against common web vulnerabilities. The skill leverages the input-validation-scanner plugin to perform the analysis. +allowed-tools: Read, Write, Edit, Grep, Glob, Bash +version: 1.0.0 +--- + +## Overview + +This skill automates the process of identifying potential input validation flaws within a codebase. By analyzing how user-provided data is handled, it helps developers proactively address security vulnerabilities before they can be exploited. This skill streamlines security audits and improves the overall security posture of applications. + +## How It Works + +1. **Initiate Scan**: The user requests an input validation scan, triggering the skill. +2. **Code Analysis**: The skill uses the input-validation-scanner plugin to analyze the specified codebase or file. +3. **Vulnerability Identification**: The plugin identifies instances where input validation may be missing or insufficient. +4. **Report Generation**: The skill presents a report highlighting potential vulnerabilities and their locations in the code. + +## When to Use This Skill + +This skill activates when you need to: +- Audit a codebase for input validation vulnerabilities. +- Review newly written code for potential XSS or SQL injection flaws. +- Harden an application against common web security exploits. +- Ensure compliance with security best practices related to input handling. + +## Examples + +### Example 1: Identifying XSS Vulnerabilities + +User request: "Scan the user profile module for potential XSS vulnerabilities." + +The skill will: +1. Activate the input-validation-scanner plugin on the specified module. +2. Generate a report highlighting areas where user input is directly rendered without proper sanitization, indicating potential XSS vulnerabilities. + +### Example 2: Checking for SQL Injection Risks + +User request: "Check the database access layer for potential SQL injection risks." + +The skill will: +1. Use the input-validation-scanner plugin to examine the database access code. +2. Identify instances where user input is used directly in SQL queries without proper parameterization or escaping, indicating potential SQL injection vulnerabilities. + +## Best Practices + +- **Regular Scanning**: Integrate input validation scanning into your regular development workflow. +- **Contextual Analysis**: Always review the identified vulnerabilities in context to determine their actual impact and severity. +- **Comprehensive Validation**: Ensure that all user-supplied data is validated, including data from forms, APIs, and external sources. + +## Integration + +This skill can be used in conjunction with other security-related skills to provide a more comprehensive security assessment. For example, it can be combined with a static analysis skill to identify other types of vulnerabilities or with a dependency scanning skill to identify vulnerable third-party libraries. \ No newline at end of file diff --git a/skills/input-validation-scanner/assets/README.md b/skills/input-validation-scanner/assets/README.md new file mode 100644 index 0000000..5355dfa --- /dev/null +++ b/skills/input-validation-scanner/assets/README.md @@ -0,0 +1,7 @@ +# Assets + +Bundled resources for input-validation-scanner skill + +- [ ] codeql_ruleset.qls: Example CodeQL ruleset for input validation. +- [ ] semgrep_ruleset.yaml: Example Semgrep ruleset for input validation. +- [ ] example_code_with_vulnerabilities.zip: A zip file containing example code snippets with common input validation vulnerabilities. diff --git a/skills/input-validation-scanner/assets/codeql_ruleset.qls b/skills/input-validation-scanner/assets/codeql_ruleset.qls new file mode 100644 index 0000000..a92f3ff --- /dev/null +++ b/skills/input-validation-scanner/assets/codeql_ruleset.qls @@ -0,0 +1,96 @@ +/** + * @name Input Validation Scanner - CodeQL Ruleset + * @description This ruleset contains queries that identify potential input validation vulnerabilities. + * @kind meta-ruleset + * @id input-validation-scanner + */ + +import javascript +import python +import go +import csharp +import java +import cpp + +/** + * General Input Validation Checks + */ + +// Untrusted data used in SQL queries (SQL Injection) +from SqlInjectionQuery q +select q, "Potential SQL Injection vulnerability: Untrusted data used in SQL query." + +// Untrusted data used in OS commands (Command Injection) +from CommandInjectionQuery q +select q, "Potential Command Injection vulnerability: Untrusted data used in OS command." + +// Untrusted data used in XPath queries (XPath Injection) - Requires XPath support in language +// from XPathInjectionQuery q +// select q, "Potential XPath Injection vulnerability: Untrusted data used in XPath query." + +// Cross-Site Scripting (XSS) - Requires framework-specific queries for best results +// Placeholder: Add XSS queries here, potentially framework-specific (e.g., React, Angular, Vue) + +/** + * Language-Specific Input Validation Checks + */ + +// JavaScript/TypeScript examples +from DataFlow::PathGraph path, DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlowPath(source, sink) and + source.asExpr().(CallExpr).getCalleeName() = "eval" and //Example: Detect use of eval with untrusted input. This is just an example, adjust as needed. + sink.asExpr().(CallExpr).getArgument(0).toString().regexpMatch(".*[<>&\"'].*") and // Example: Simple check for HTML characters in the eval input. This is just an example, adjust as needed. + source.asExpr().(CallExpr).getArgument(0).toString().regexpMatch(".*userInput.*") // Example: Check if the eval input uses a variable named "userInput". This is just an example, adjust as needed. +select path, "Potential JavaScript eval with untrusted input." + +// Python examples +// Placeholder: Add Python-specific input validation queries here, focusing on common vulnerabilities. Example: OS Command Injection through format strings. + +// Go examples +// Placeholder: Add Go-specific input validation queries here, focusing on common vulnerabilities. Example: Path Traversal. + +// C# examples +// Placeholder: Add C#-specific input validation queries here, focusing on common vulnerabilities. Example: LDAP Injection. + +// Java examples +// Placeholder: Add Java-specific input validation queries here, focusing on common vulnerabilities. Example: Deserialization vulnerabilities. + +// C/C++ examples +// Placeholder: Add C/C++-specific input validation queries here, focusing on common vulnerabilities. Example: Buffer overflows. + +/** + * Custom Input Validation Checks + * + * Placeholder: Add custom queries tailored to the specific application or framework. + * These queries should focus on identifying missing or inadequate input validation routines. + */ + +// Example: Check for missing length validation on a specific input field. +// from DataFlow::PathGraph path, DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink +// where cfg.hasFlowPath(source, sink) and +// source.asExpr().(VariableAccess).getTarget().getName() = "userInput" and // Replace "userInput" with the actual input field name +// sink.asExpr().(CallExpr).getCalleeName() = "processData" and // Replace "processData" with the function that processes the input +// not exists(CallExpr call | call.getCalleeName() = "validateLength" and call.getArgument(0) = source.asExpr()) // Check for missing length validation +// select path, "Missing length validation for input field 'userInput'." + +/** + * Helper Queries (Optional) + * + * Placeholder: Add helper queries that can be used by other queries in this ruleset. + * These can simplify the main queries and improve code reuse. + */ + +/** + * Configuration + * + * Placeholder: Add any necessary configuration options for the queries in this ruleset. + * This might include specifying trusted sources, sanitization functions, or regular expressions. + */ + +/** + * Considerations + * + * - This ruleset is a starting point and should be customized to the specific application and its security requirements. + * - Regularly update the ruleset to address new vulnerabilities and attack vectors. + * - Review the results carefully and prioritize remediation based on the severity of the vulnerability and the likelihood of exploitation. + */ \ No newline at end of file diff --git a/skills/input-validation-scanner/assets/semgrep_ruleset.yaml b/skills/input-validation-scanner/assets/semgrep_ruleset.yaml new file mode 100644 index 0000000..37da318 --- /dev/null +++ b/skills/input-validation-scanner/assets/semgrep_ruleset.yaml @@ -0,0 +1,248 @@ +# semgrep_ruleset.yaml +# Example Semgrep ruleset for scanning input validation practices. + +rules: + # Rule 1: Detect missing input validation on user-provided data + - id: input-validation.missing-validation + message: | + Missing input validation for user-provided data. + Consider adding validation to prevent injection attacks, XSS, etc. + severity: WARNING + languages: + - python + - javascript + patterns: + - pattern-either: + - pattern: $variable = request.GET["$input"] # Python Django example + - pattern: $variable = request.args.get("$input") # Python Flask example + - pattern: $variable = $_GET["$input"] # PHP example + - pattern: $variable = req.query.$input # Javascript Express example + - pattern: $variable = req.body.$input # Javascript Express example + - pattern-not: | + # Example: Check if $variable is validated before use + if validate($variable): + ... + else: + raise Exception("Invalid input") + # Example metavariable regex constraint - require input to be a string + #constraints: + # $input: + # regex: "^[a-zA-Z_][a-zA-Z0-9_]*$" + metadata: + owasp: "A03:2021 - Injection" + cwe: "CWE-20: Improper Input Validation" + references: + - "https://owasp.org/Top10/A03_2021-Injection/" + confidence: LOW # Adjust based on the accuracy of the rule + + # Rule 2: Detect use of eval() without proper sanitization + - id: input-validation.unsafe-eval + message: | + Detected use of eval() function. This can be dangerous if user-provided input is used without proper sanitization. + Consider using safer alternatives. + severity: CRITICAL + languages: + - python + - javascript + patterns: + - pattern: eval($input) + # Example metavariable regex constraint - require input to be a string + constraints: + $input: + not: "safe_string" # Prevent flagging safe uses, REPLACE_ME: Add logic to identify safe strings + metadata: + owasp: "A03:2021 - Injection" + cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" + references: + - "https://owasp.org/www-community/attacks/Code_Injection" + confidence: MEDIUM + + # Rule 3: Detect potential SQL injection vulnerabilities (basic example) + - id: input-validation.sql-injection-basic + message: | + Potential SQL injection vulnerability detected. + Ensure that user-provided input is properly sanitized and parameterized before use in SQL queries. + severity: HIGH + languages: + - python + - javascript + - php + patterns: + - pattern-either: + - pattern: db_query("SELECT * FROM users WHERE username = '" + $username + "'") # Generic string concatenation + - pattern: db_query(f"SELECT * FROM users WHERE username = '{ $username }'") # Python f-string + - pattern: db_query("SELECT * FROM users WHERE username = " . $username) # PHP concatenation + - pattern-not: | + # Example: Check if $username is properly escaped before use + $username = escape_sql($username) + metadata: + owasp: "A03:2021 - Injection" + cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + references: + - "https://owasp.org/www-community/attacks/SQL_Injection" + confidence: MEDIUM + + # Rule 4: Detect use of shell injection vulnerabilities (basic example) + - id: input-validation.shell-injection-basic + message: | + Potential shell injection vulnerability detected. + Ensure that user-provided input is properly sanitized and parameterized before use in shell commands. + severity: HIGH + languages: + - python + - javascript + - php + patterns: + - pattern-either: + - pattern: subprocess.call($command, shell=True) # Python shell=True is dangerous + - pattern: exec($command) # PHP + - pattern: child_process.exec($command) # Javascript + - pattern-not: | + # Example: Check if $command is properly escaped before use + $command = escape_shell($command) + metadata: + owasp: "A03:2021 - Injection" + cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + references: + - "https://owasp.org/www-community/attacks/OS_Command_Injection" + confidence: MEDIUM + + # Rule 5: Detect HTML injection vulnerabilities (basic example) + - id: input-validation.html-injection-basic + message: | + Potential HTML injection vulnerability detected. + Ensure that user-provided input is properly sanitized and escaped before use in HTML output. + severity: MEDIUM + languages: + - python + - javascript + - php + patterns: + - pattern-either: + - pattern: document.write($input) # JavaScript + - pattern: echo $input # PHP + - pattern: return HttpResponse($input) # Python Django + - pattern-not: | + # Example: Check if $input is properly escaped before use + $input = escape_html($input) + metadata: + owasp: "A03:2021 - Injection" + cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + references: + - "https://owasp.org/www-community/attacks/xss/" + confidence: MEDIUM + + # Rule 6: Detect missing CSRF protection in forms (Django example) + - id: input-validation.missing-csrf-protection + message: | + Missing CSRF protection in Django form. Add {% csrf_token %} to your form. + severity: HIGH + languages: + - html + patterns: + - pattern: | +
+ ... +
+ - pattern-not: | +
+ {% csrf_token %} + ... +
+ metadata: + owasp: "A01:2021 - Broken Access Control" + cwe: "CWE-352: Cross-Site Request Forgery (CSRF)" + references: + - "https://owasp.org/www-community/attacks/CSRF" + confidence: MEDIUM + + # Rule 7: Detect use of hardcoded secrets (Placeholder, REPLACE_ME) + - id: input-validation.hardcoded-secret + message: | + Hardcoded secret detected. Avoid storing secrets directly in code. + Use environment variables or a secrets management system instead. + severity: CRITICAL + languages: + - python + - javascript + - php + patterns: + - pattern-either: + - pattern: API_KEY = "YOUR_API_KEY_HERE" # Python + - pattern: const API_KEY = "YOUR_API_KEY_HERE"; # JavaScript + - pattern: $apiKey = "YOUR_API_KEY_HERE"; # PHP + - pattern: API_KEY = "REPLACE_ME" + - pattern: const API_KEY = "REPLACE_ME"; + - pattern: $apiKey = "REPLACE_ME"; + metadata: + owasp: "A05:2021 - Security Misconfiguration" + cwe: "CWE-798: Use of Hard-coded Credentials" + references: + - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/" + confidence: HIGH + + # Rule 8: Example for detecting weak password storage (Placeholder, REPLACE_ME) + - id: input-validation.weak-password-storage + message: | + Weak password storage detected. Use a strong hashing algorithm like bcrypt or Argon2. + severity: CRITICAL + languages: + - python + - javascript + - php + patterns: + - pattern-either: + - pattern: hashlib.md5($password).hexdigest() # Python MD5 + - pattern: md5($password) # PHP MD5 + - pattern: SHA1($password) # PHP SHA1 + - pattern-not: | + # Example: Check if $password is properly hashed with bcrypt + bcrypt.hashpw($password, bcrypt.gensalt()) + metadata: + owasp: "A07:2021 - Identification and Authentication Failures" + cwe: "CWE-916: Use of Password Hash With Insufficient Computational Effort" + references: + - "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/" + confidence: MEDIUM + + # Rule 9: Catching the usage of unsafe functions like gets() in C/C++ + - id: input-validation.unsafe-function-gets + message: | + The `gets()` function is inherently unsafe due to lack of bounds checking. + Use `fgets()` instead. + severity: CRITICAL + languages: + - c + - cpp + patterns: + - pattern: gets($buf); + metadata: + owasp: "A03:2021 - Injection" + cwe: "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')" + references: + - "https://cwe.mitre.org/data/definitions/120.html" + confidence: HIGH + + # Rule 10: Detect path traversal vulnerabilities (Placeholder, REPLACE_ME) + - id: input-validation.path-traversal + message: | + Potential path traversal vulnerability detected. Ensure that file paths are properly validated to prevent access to unauthorized files. + severity: HIGH + languages: + - python + - javascript + - php + patterns: + - pattern-either: + - pattern: open($filepath, 'r') # Python + - pattern: fs.readFile($filepath) # Javascript + - pattern: fopen($filepath, 'r') # PHP + - pattern-not: | + # Example: Check if $filepath is properly validated before use + $filepath = validate_filepath($filepath) + metadata: + owasp: "A01:2021 - Broken Access Control" + cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + references: + - "https://owasp.org/www-community/attacks/Path_Traversal" + confidence: MEDIUM \ No newline at end of file diff --git a/skills/input-validation-scanner/references/README.md b/skills/input-validation-scanner/references/README.md new file mode 100644 index 0000000..32ee45e --- /dev/null +++ b/skills/input-validation-scanner/references/README.md @@ -0,0 +1,7 @@ +# References + +Bundled resources for input-validation-scanner skill + +- [ ] owasp_input_validation_cheatsheet.md: OWASP Input Validation Cheat Sheet for best practices. +- [ ] codeql_rules.md: Documentation on custom CodeQL rules for input validation. +- [ ] semgrep_rules.md: Documentation on custom Semgrep rules for input validation. diff --git a/skills/input-validation-scanner/scripts/README.md b/skills/input-validation-scanner/scripts/README.md new file mode 100644 index 0000000..1b93201 --- /dev/null +++ b/skills/input-validation-scanner/scripts/README.md @@ -0,0 +1,7 @@ +# Scripts + +Bundled resources for input-validation-scanner skill + +- [ ] codeql_scan.sh: Executes CodeQL to scan the code for input validation vulnerabilities. Requires CodeQL CLI to be installed. +- [ ] semgrep_scan.sh: Executes Semgrep to scan the code for input validation vulnerabilities. Requires Semgrep CLI to be installed. +- [ ] dependency_check.py: Python script to check for vulnerable dependencies that could lead to input validation issues. Requires a requirements.txt file.