zhongwei/gh-jeremylongshore-claude-code-plugins-plus-plugins-security-input-validation-scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-30 08:22:16 +08:00
commit 38f63304b6
10 changed files with 518 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
skills/input-validation-scanner/assets/README.md Normal file
View File

@@ -0,0 +1,7 @@
# Assets
Bundled resources for input-validation-scanner skill
- [ ] codeql_ruleset.qls: Example CodeQL ruleset for input validation.
- [ ] semgrep_ruleset.yaml: Example Semgrep ruleset for input validation.
- [ ] example_code_with_vulnerabilities.zip: A zip file containing example code snippets with common input validation vulnerabilities.

96
skills/input-validation-scanner/assets/codeql_ruleset.qls Normal file
View File

@@ -0,0 +1,96 @@
/**
* @name Input Validation Scanner - CodeQL Ruleset
* @description This ruleset contains queries that identify potential input validation vulnerabilities.
* @kind meta-ruleset
* @id input-validation-scanner
*/
import javascript
import python
import go
import csharp
import java
import cpp
/**
* General Input Validation Checks
*/
// Untrusted data used in SQL queries (SQL Injection)
from SqlInjectionQuery q
select q, "Potential SQL Injection vulnerability: Untrusted data used in SQL query."
// Untrusted data used in OS commands (Command Injection)
from CommandInjectionQuery q
select q, "Potential Command Injection vulnerability: Untrusted data used in OS command."
// Untrusted data used in XPath queries (XPath Injection) - Requires XPath support in language
// from XPathInjectionQuery q
// select q, "Potential XPath Injection vulnerability: Untrusted data used in XPath query."
// Cross-Site Scripting (XSS) - Requires framework-specific queries for best results
// Placeholder: Add XSS queries here, potentially framework-specific (e.g., React, Angular, Vue)
/**
* Language-Specific Input Validation Checks
*/
// JavaScript/TypeScript examples
from DataFlow::PathGraph<DataFlow::Node, DataFlow::Node> path, DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlowPath(source, sink) and
source.asExpr().(CallExpr).getCalleeName() = "eval" and //Example: Detect use of eval with untrusted input. This is just an example, adjust as needed.
sink.asExpr().(CallExpr).getArgument(0).toString().regexpMatch(".*[<>&\"'].*") and // Example: Simple check for HTML characters in the eval input. This is just an example, adjust as needed.
source.asExpr().(CallExpr).getArgument(0).toString().regexpMatch(".*userInput.*") // Example: Check if the eval input uses a variable named "userInput". This is just an example, adjust as needed.
select path, "Potential JavaScript eval with untrusted input."
// Python examples
// Placeholder: Add Python-specific input validation queries here, focusing on common vulnerabilities. Example: OS Command Injection through format strings.
// Go examples
// Placeholder: Add Go-specific input validation queries here, focusing on common vulnerabilities. Example: Path Traversal.
// C# examples
// Placeholder: Add C#-specific input validation queries here, focusing on common vulnerabilities. Example: LDAP Injection.
// Java examples
// Placeholder: Add Java-specific input validation queries here, focusing on common vulnerabilities. Example: Deserialization vulnerabilities.
// C/C++ examples
// Placeholder: Add C/C++-specific input validation queries here, focusing on common vulnerabilities. Example: Buffer overflows.
/**
* Custom Input Validation Checks
*
* Placeholder: Add custom queries tailored to the specific application or framework.
* These queries should focus on identifying missing or inadequate input validation routines.
*/
// Example: Check for missing length validation on a specific input field.
// from DataFlow::PathGraph<DataFlow::Node, DataFlow::Node> path, DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink
// where cfg.hasFlowPath(source, sink) and
// source.asExpr().(VariableAccess).getTarget().getName() = "userInput" and // Replace "userInput" with the actual input field name
// sink.asExpr().(CallExpr).getCalleeName() = "processData" and // Replace "processData" with the function that processes the input
// not exists(CallExpr call | call.getCalleeName() = "validateLength" and call.getArgument(0) = source.asExpr()) // Check for missing length validation
// select path, "Missing length validation for input field 'userInput'."
/**
* Helper Queries (Optional)
*
* Placeholder: Add helper queries that can be used by other queries in this ruleset.
* These can simplify the main queries and improve code reuse.
*/
/**
* Configuration
*
* Placeholder: Add any necessary configuration options for the queries in this ruleset.
* This might include specifying trusted sources, sanitization functions, or regular expressions.
*/
/**
* Considerations
*
* - This ruleset is a starting point and should be customized to the specific application and its security requirements.
* - Regularly update the ruleset to address new vulnerabilities and attack vectors.
* - Review the results carefully and prioritize remediation based on the severity of the vulnerability and the likelihood of exploitation.
*/

248
skills/input-validation-scanner/assets/semgrep_ruleset.yaml Normal file
View File

@@ -0,0 +1,248 @@
# semgrep_ruleset.yaml
# Example Semgrep ruleset for scanning input validation practices.
rules:
# Rule 1: Detect missing input validation on user-provided data
- id: input-validation.missing-validation
message: |
Missing input validation for user-provided data.
Consider adding validation to prevent injection attacks, XSS, etc.
severity: WARNING
languages:
- python
- javascript
patterns:
- pattern-either:
- pattern: $variable = request.GET["$input"] # Python Django example
- pattern: $variable = request.args.get("$input") # Python Flask example
- pattern: $variable = $_GET["$input"] # PHP example
- pattern: $variable = req.query.$input # Javascript Express example
- pattern: $variable = req.body.$input # Javascript Express example
- pattern-not: |
# Example: Check if $variable is validated before use
if validate($variable):
...
else:
raise Exception("Invalid input")
# Example metavariable regex constraint - require input to be a string
#constraints:
# $input:
# regex: "^[a-zA-Z_][a-zA-Z0-9_]*$"
metadata:
owasp: "A03:2021 - Injection"
cwe: "CWE-20: Improper Input Validation"
references:
- "https://owasp.org/Top10/A03_2021-Injection/"
confidence: LOW # Adjust based on the accuracy of the rule
# Rule 2: Detect use of eval() without proper sanitization
- id: input-validation.unsafe-eval
message: |
Detected use of eval() function. This can be dangerous if user-provided input is used without proper sanitization.
Consider using safer alternatives.
severity: CRITICAL
languages:
- python
- javascript
patterns:
- pattern: eval($input)
# Example metavariable regex constraint - require input to be a string
constraints:
$input:
not: "safe_string" # Prevent flagging safe uses, REPLACE_ME: Add logic to identify safe strings
metadata:
owasp: "A03:2021 - Injection"
cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
references:
- "https://owasp.org/www-community/attacks/Code_Injection"
confidence: MEDIUM
# Rule 3: Detect potential SQL injection vulnerabilities (basic example)
- id: input-validation.sql-injection-basic
message: |
Potential SQL injection vulnerability detected.
Ensure that user-provided input is properly sanitized and parameterized before use in SQL queries.
severity: HIGH
languages:
- python
- javascript
- php
patterns:
- pattern-either:
- pattern: db_query("SELECT * FROM users WHERE username = '" + $username + "'") # Generic string concatenation
- pattern: db_query(f"SELECT * FROM users WHERE username = '{ $username }'") # Python f-string
- pattern: db_query("SELECT * FROM users WHERE username = " . $username) # PHP concatenation
- pattern-not: |
# Example: Check if $username is properly escaped before use
$username = escape_sql($username)
metadata:
owasp: "A03:2021 - Injection"
cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
references:
- "https://owasp.org/www-community/attacks/SQL_Injection"
confidence: MEDIUM
# Rule 4: Detect use of shell injection vulnerabilities (basic example)
- id: input-validation.shell-injection-basic
message: |
Potential shell injection vulnerability detected.
Ensure that user-provided input is properly sanitized and parameterized before use in shell commands.
severity: HIGH
languages:
- python
- javascript
- php
patterns:
- pattern-either:
- pattern: subprocess.call($command, shell=True) # Python shell=True is dangerous
- pattern: exec($command) # PHP
- pattern: child_process.exec($command) # Javascript
- pattern-not: |
# Example: Check if $command is properly escaped before use
$command = escape_shell($command)
metadata:
owasp: "A03:2021 - Injection"
cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
references:
- "https://owasp.org/www-community/attacks/OS_Command_Injection"
confidence: MEDIUM
# Rule 5: Detect HTML injection vulnerabilities (basic example)
- id: input-validation.html-injection-basic
message: |
Potential HTML injection vulnerability detected.
Ensure that user-provided input is properly sanitized and escaped before use in HTML output.
severity: MEDIUM
languages:
- python
- javascript
- php
patterns:
- pattern-either:
- pattern: document.write($input) # JavaScript
- pattern: echo $input # PHP
- pattern: return HttpResponse($input) # Python Django
- pattern-not: |
# Example: Check if $input is properly escaped before use
$input = escape_html($input)
metadata:
owasp: "A03:2021 - Injection"
cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
references:
- "https://owasp.org/www-community/attacks/xss/"
confidence: MEDIUM
# Rule 6: Detect missing CSRF protection in forms (Django example)
- id: input-validation.missing-csrf-protection
message: |
Missing CSRF protection in Django form. Add {% csrf_token %} to your form.
severity: HIGH
languages:
- html
patterns:
- pattern: |
<form method="POST" ...>
...
</form>
- pattern-not: |
<form method="POST" ...>
{% csrf_token %}
...
</form>
metadata:
owasp: "A01:2021 - Broken Access Control"
cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
references:
- "https://owasp.org/www-community/attacks/CSRF"
confidence: MEDIUM
# Rule 7: Detect use of hardcoded secrets (Placeholder, REPLACE_ME)
- id: input-validation.hardcoded-secret
message: |
Hardcoded secret detected. Avoid storing secrets directly in code.
Use environment variables or a secrets management system instead.
severity: CRITICAL
languages:
- python
- javascript
- php
patterns:
- pattern-either:
- pattern: API_KEY = "YOUR_API_KEY_HERE" # Python
- pattern: const API_KEY = "YOUR_API_KEY_HERE"; # JavaScript
- pattern: $apiKey = "YOUR_API_KEY_HERE"; # PHP
- pattern: API_KEY = "REPLACE_ME"
- pattern: const API_KEY = "REPLACE_ME";
- pattern: $apiKey = "REPLACE_ME";
metadata:
owasp: "A05:2021 - Security Misconfiguration"
cwe: "CWE-798: Use of Hard-coded Credentials"
references:
- "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
confidence: HIGH
# Rule 8: Example for detecting weak password storage (Placeholder, REPLACE_ME)
- id: input-validation.weak-password-storage
message: |
Weak password storage detected. Use a strong hashing algorithm like bcrypt or Argon2.
severity: CRITICAL
languages:
- python
- javascript
- php
patterns:
- pattern-either:
- pattern: hashlib.md5($password).hexdigest() # Python MD5
- pattern: md5($password) # PHP MD5
- pattern: SHA1($password) # PHP SHA1
- pattern-not: |
# Example: Check if $password is properly hashed with bcrypt
bcrypt.hashpw($password, bcrypt.gensalt())
metadata:
owasp: "A07:2021 - Identification and Authentication Failures"
cwe: "CWE-916: Use of Password Hash With Insufficient Computational Effort"
references:
- "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
confidence: MEDIUM
# Rule 9: Catching the usage of unsafe functions like gets() in C/C++
- id: input-validation.unsafe-function-gets
message: |
The `gets()` function is inherently unsafe due to lack of bounds checking.
Use `fgets()` instead.
severity: CRITICAL
languages:
- c
- cpp
patterns:
- pattern: gets($buf);
metadata:
owasp: "A03:2021 - Injection"
cwe: "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"
references:
- "https://cwe.mitre.org/data/definitions/120.html"
confidence: HIGH
# Rule 10: Detect path traversal vulnerabilities (Placeholder, REPLACE_ME)
- id: input-validation.path-traversal
message: |
Potential path traversal vulnerability detected. Ensure that file paths are properly validated to prevent access to unauthorized files.
severity: HIGH
languages:
- python
- javascript
- php
patterns:
- pattern-either:
- pattern: open($filepath, 'r') # Python
- pattern: fs.readFile($filepath) # Javascript
- pattern: fopen($filepath, 'r') # PHP
- pattern-not: |
# Example: Check if $filepath is properly validated before use
$filepath = validate_filepath($filepath)
metadata:
owasp: "A01:2021 - Broken Access Control"
cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
references:
- "https://owasp.org/www-community/attacks/Path_Traversal"
confidence: MEDIUM