Merge pull request #72 from EMSeek/master

Rules update

Author: wireghoul

signatures/default.db

@@ -3,13 +3,14 @@ unsafeAddr([[:space:]]+|[[:space:]]*\()
 addr[[:space:]]*\(
 fmt[[:space:]]*\([[:space:]]*['"][Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+.*\{[a-zA-Z0-9]+\]
 # Execution
-exec[[:space:]]*\([^;]*\$[\(\{]?[_a-zA-Z0-9][^\)]*\)[[:space:]]*[\);]
+exec[[:space:]]*\([^;\)]*\$[\(\{]?[_a-zA-Z0-9][^\)]*\)[[:space:]]*[\);]
 passthru[[:space:]]*\(.*\)
 popen[[:space:]]*\(.*\$.*\)
 shell_exec[[:space:]]*\(.*\$.*\)
 system[[:space:]]*\([^;]*\$[^\)]+\)
-#deprecate this `[^`]*\$[^`]+`
-`[^`]*\$[\(\{]?[_a-zA-Z0-9][^`]*`
+call_user_func[[:space:]]*\(.?.?\$.*,.?\$.*
+[= (]`[^`]*\$[\(\{]?[_a-zA-Z0-9][^`]*`
+^`[^`]*\$[\(\{]?[_a-zA-Z0-9][^`]*`
 #Otherstuffs
 #XSS signature needs to stop matching before LF when color=on #bug(1)
 echo.*\$_.*\[.*\]
@@ -18,13 +19,13 @@ eval[[:space:]]*\(.*\$.*\)
 (mysql.?_|pg_|sqlsrv_|::)query[[:space:]]*\(.*\$.*\)
 [Ww][Hh][Ee][Rr][Ee][[:space:]]+.*=.*\$[^; ]+
 ([Ww][Hh][Ee][Rr][Ee]|[Aa][Nn][Dd]|[Oo][Rr])[[:space:]]+.*[[:space:]]+[Ll][Ii][Kk][Ee][[:space:]]+.*\$
-(include|include_once|require|require_once)[[:space:]]*\([^\;\}\{]*\$.*\)
+^[[:space:]]*(include|include_once|require|require_once)[[:space:]]*\([^\;\}\{]*\$.*\)
 print.*param[[:space:]]*\(.*\);
 extract[[:space:]]*\(\$_(GET|POST|REQUEST|COOKIE|SERVER)
 new[[:space:]]+\$_(GET|REQUEST|POST|COOKIE).*\(
 \.cookie[[:space:]]*\(.*\.(query|param)
 \.location\.hash\.slice[[:space:]]*\(
-.innerHTML[[:space:]]*=.*\.(location\.hash|query|param)
+.innerHTML[[:space:]]*=[^;]*\.(location\.hash|query|param)
 require\(['"]adm-zip['"]\)
 \.createWriteStream[[:space:]]*\(
 \.runIn(New|This)?Context[[:space:]]*\(

signatures/js.db

@@ -51,6 +51,15 @@ require[[:space:]]*\([^))+[Yy][Aa][Mm][Ll].?\)\.load\(
 #MySQL rules
 \.createConnection\(.*
 \.query\(.*\)
+[Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+\${[^}]+
+[Ff][Rr][Oo][Mm][[:space:]]+\${[^}]+
+[Ii][Nn][Ss][Ee][Rr][Tt][[:space:]]+[Ii][Nn][Tt][Oo][[:space:]]+\${[^}]+
+(UPDATE|update).+\${[^}]+
+[Ll][Ii][Mm][Ii][Tt][[:space:]]+\${[^}]+
+[Ww][Hh][Ee][Rr][Ee][[:space:]]+.*\${[^}]+
+[Aa][Nn][Dd][[:space:]]+.*=[[:space:]]*\${[^}]+
+[Ll][Ii][Kk][Ee][[:space:]]+['"]*\${[^}]+
+(group|GROUP|order|ORDER)[[:space:]]+[Bb][Yy][[:space:]]+\${[^}]+
 renderToString[[:space:]]*\(
 to_html[[:space:]]*\(
 \.render[[:space:]]*\(

signatures/js/sql.db

@@ -10,3 +10,12 @@
 #MySQL rules
 \.createConnection\(.*
 \.query\(.*\)
+[Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+\${[^}]+
+[Ff][Rr][Oo][Mm][[:space:]]+\${[^}]+
+[Ii][Nn][Ss][Ee][Rr][Tt][[:space:]]+[Ii][Nn][Tt][Oo][[:space:]]+\${[^}]+
+(UPDATE|update).+\${[^}]+
+[Ll][Ii][Mm][Ii][Tt][[:space:]]+\${[^}]+
+[Ww][Hh][Ee][Rr][Ee][[:space:]]+.*\${[^}]+
+[Aa][Nn][Dd][[:space:]]+.*=[[:space:]]*\${[^}]+
+[Ll][Ii][Kk][Ee][[:space:]]+['"]*\${[^}]+
+(group|GROUP|order|ORDER)[[:space:]]+[Bb][Yy][[:space:]]+\${[^}]+

signatures/php.db

@@ -34,13 +34,14 @@ sqlite_create_function[[:space:]]*\(
 Closure::bind(To)?[[:space:]]*\(
 Closure::call[[:space:]]*\(
 # Execution
-exec[[:space:]]*\([^;]*\$[\(\{]?[_a-zA-Z0-9][^\)]*\)[[:space:]]*[\);]
+exec[[:space:]]*\([^;\)]*\$[\(\{]?[_a-zA-Z0-9][^\)]*\)[[:space:]]*[\);]
 passthru[[:space:]]*\(.*\)
 popen[[:space:]]*\(.*\$.*\)
 shell_exec[[:space:]]*\(.*\$.*\)
 system[[:space:]]*\([^;]*\$[^\)]+\)
-#deprecate this `[^`]*\$[^`]+`
-`[^`]*\$[\(\{]?[_a-zA-Z0-9][^`]*`
+call_user_func[[:space:]]*\(.?.?\$.*,.?\$.*
+[= (]`[^`]*\$[\(\{]?[_a-zA-Z0-9][^`]*`
+^`[^`]*\$[\(\{]?[_a-zA-Z0-9][^`]*`
 #Otherstuffs
 #XSS signature needs to stop matching before LF when color=on #bug(1)
 echo.*\$_.*\[.*\]
@@ -49,7 +50,7 @@ eval[[:space:]]*\(.*\$.*\)
 (mysql.?_|pg_|sqlsrv_|::)query[[:space:]]*\(.*\$.*\)
 [Ww][Hh][Ee][Rr][Ee][[:space:]]+.*=.*\$[^; ]+
 ([Ww][Hh][Ee][Rr][Ee]|[Aa][Nn][Dd]|[Oo][Rr])[[:space:]]+.*[[:space:]]+[Ll][Ii][Kk][Ee][[:space:]]+.*\$
-(include|include_once|require|require_once)[[:space:]]*\([^\;\}\{]*\$.*\)
+^[[:space:]]*(include|include_once|require|require_once)[[:space:]]*\([^\;\}\{]*\$.*\)
 print.*param[[:space:]]*\(.*\);
 extract[[:space:]]*\(\$_(GET|POST|REQUEST|COOKIE|SERVER)
 new[[:space:]]+\$_(GET|REQUEST|POST|COOKIE).*\(

signatures/php/default.db

@@ -1,11 +1,12 @@
 # Execution
-exec[[:space:]]*\([^;]*\$[\(\{]?[_a-zA-Z0-9][^\)]*\)[[:space:]]*[\);]
+exec[[:space:]]*\([^;\)]*\$[\(\{]?[_a-zA-Z0-9][^\)]*\)[[:space:]]*[\);]
 passthru[[:space:]]*\(.*\)
 popen[[:space:]]*\(.*\$.*\)
 shell_exec[[:space:]]*\(.*\$.*\)
 system[[:space:]]*\([^;]*\$[^\)]+\)
-#deprecate this `[^`]*\$[^`]+`
-`[^`]*\$[\(\{]?[_a-zA-Z0-9][^`]*`
+call_user_func[[:space:]]*\(.?.?\$.*,.?\$.*
+[= (]`[^`]*\$[\(\{]?[_a-zA-Z0-9][^`]*`
+^`[^`]*\$[\(\{]?[_a-zA-Z0-9][^`]*`
 #Otherstuffs
 #XSS signature needs to stop matching before LF when color=on #bug(1)
 echo.*\$_.*\[.*\]
@@ -14,7 +15,7 @@ eval[[:space:]]*\(.*\$.*\)
 (mysql.?_|pg_|sqlsrv_|::)query[[:space:]]*\(.*\$.*\)
 [Ww][Hh][Ee][Rr][Ee][[:space:]]+.*=.*\$[^; ]+
 ([Ww][Hh][Ee][Rr][Ee]|[Aa][Nn][Dd]|[Oo][Rr])[[:space:]]+.*[[:space:]]+[Ll][Ii][Kk][Ee][[:space:]]+.*\$
-(include|include_once|require|require_once)[[:space:]]*\([^\;\}\{]*\$.*\)
+^[[:space:]]*(include|include_once|require|require_once)[[:space:]]*\([^\;\}\{]*\$.*\)
 print.*param[[:space:]]*\(.*\);
 extract[[:space:]]*\(\$_(GET|POST|REQUEST|COOKIE|SERVER)
 new[[:space:]]+\$_(GET|REQUEST|POST|COOKIE).*\(

signatures/secrets.db

@@ -11,6 +11,7 @@ A[SK]IA[a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z
 [Ss][Ee][Cc][Rr][Ee][Tt][_\-\.]?([Kk][Ee][Yy])?[\'\"]?[[:space:]]*[=:][[:space:]]*[a-zA-Z0-9\'\"_\-][a-zA-Z0-9/+_\-][a-zA-Z0-9/+_\-]+[a-zA-Z0-9/+=_\-]+[a-zA-Z0-9\'\"+=_\-]$
 [_\&\.\-]?[Pp][Aa][Ss][Ss][Ww][Oo]?[Rr]?[Dd][[:space:]]*=[[:space:]]*[a-zA-Z0-9\'\"_\-][a-zA-Z0-9/+_\-][a-zA-Z0-9/+_\-]+[a-zA-Z0-9/+=_\-][a-zA-Z0-9+=_\-]+[\'\" ]
 [_\&\.\-]?[Pp][Aa][Ss][Ss][Ww][Oo]?[Rr]?[Dd][[:space:]]*=[[:space:]]*[a-zA-Z0-9\'\"_\-][a-zA-Z0-9/+_\-][a-zA-Z0-9/+_\-]+[a-zA-Z0-9/+=_\-][a-zA-Z0-9+=_\-]+[a-zA-Z0-9/+=\'\"_\-]$
+[Pp][Aa][Ss][Ss][Ww]([Oo][Rr])?[Dd]?[[:space:]]*=.*[\'\"\`][^\$\{][a-zA-Z0-9\!\@\#\$\%\^\&\*\(\)\_\+-\=\:\<\>\{\}\?\,\.\/\\\|]+[\'\"\`];?$
 -----BEGIN( RSA| OPENSSH| DSA| EC| PGP| ENCRYPTED)? PRIVATE KEY( BLOCK)?-----
 [Pp][Rr][Ii][Vv]([Aa][Tt][Ee])?[_\.\-]?[Kk][Ee][Yy][\'\"]?[[:space:]]*[=:][[:space:]]*[a-zA-Z0-9\'\"_\-][a-zA-Z0-9/+_\-][a-zA-Z0-9/+_\-]+[a-zA-Z0-9/+=_\-][a-zA-Z0-9+=_\-]+
 PuTTY-User-Key-File-2\:

signatures/sql.db

@@ -59,6 +59,15 @@ StoredProcedure[[:space:]]*\(
 #MySQL rules
 \.createConnection\(.*
 \.query\(.*\)
+[Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+\${[^}]+
+[Ff][Rr][Oo][Mm][[:space:]]+\${[^}]+
+[Ii][Nn][Ss][Ee][Rr][Tt][[:space:]]+[Ii][Nn][Tt][Oo][[:space:]]+\${[^}]+
+(UPDATE|update).+\${[^}]+
+[Ll][Ii][Mm][Ii][Tt][[:space:]]+\${[^}]+
+[Ww][Hh][Ee][Rr][Ee][[:space:]]+.*\${[^}]+
+[Aa][Nn][Dd][[:space:]]+.*=[[:space:]]*\${[^}]+
+[Ll][Ii][Kk][Ee][[:space:]]+['"]*\${[^}]+
+(group|GROUP|order|ORDER)[[:space:]]+[Bb][Yy][[:space:]]+\${[^}]+
 # PHP - Database
 mysql_connect[[:space:]]*\(.*\$.*\)
 mysql_pconnect[[:space:]]*\(.*\$.*\)

signatures/typescript.db

@@ -8,7 +8,7 @@ secureProtocol.*TLSv1_method
 (min|max)Version.*TLSv1.1
 \.cookie[[:space:]]*\(.*\.(query|param)
 \.location\.hash\.slice[[:space:]]*\(
-.innerHTML[[:space:]]*=.*\.(location\.hash|query|param)
+.innerHTML[[:space:]]*=[^;]*\.(location\.hash|query|param)
 require\(['"]adm-zip['"]\)
 \.createWriteStream[[:space:]]*\(
 \.runIn(New|This)?Context[[:space:]]*\(

signatures/typescript/default.db

@@ -1,6 +1,6 @@
 \.cookie[[:space:]]*\(.*\.(query|param)
 \.location\.hash\.slice[[:space:]]*\(
-.innerHTML[[:space:]]*=.*\.(location\.hash|query|param)
+.innerHTML[[:space:]]*=[^;]*\.(location\.hash|query|param)
 require\(['"]adm-zip['"]\)
 \.createWriteStream[[:space:]]*\(
 \.runIn(New|This)?Context[[:space:]]*\(