Merge pull request #74 from EMSeek/master

wireghoul · web-flow · commit f7962ebaa62b · 2024-12-20T15:04:22.000+11:00
xmas update
diff --git a/Changelog b/Changelog
@@ -1,3 +1,17 @@
+3.7		2024 Dec 20
+		Updated javascript rules
+		Updated typescript rules
+		Updated sqli rules
+		Updated ruby rules
+		Updated php rules
+		Updated dotnet rules
+		Updated java rules
+		Updated fruit rules
+		Updated secret rules
+		Updated xss rules
+		Reduced false positives in default rules
+		Reduced false positives in fruit rules
+
 3.6		2024 Apr 09
 		Updated ruby rules
 		Updated JavaScript rules
diff --git a/graudit b/graudit
@@ -5,7 +5,7 @@
 set -- $GRARGS $@
 set -e
 set -o pipefail
-VERSION='3.6'
+VERSION='3.7'
 basedir=$(dirname "$0")
 BINFILE=$(which grep)
 
@@ -44,7 +44,7 @@ banner() {
         \___  /|__|  (____  /____/\____ | |__||__|  
        /_____/            \/           \/           
               grep rough audit - static analysis tool
-                  v3.6 written by @Wireghoul
+                  v3.7 written by @Wireghoul
 =================================[justanotherhacker.com]==='
     fi
 }
diff --git a/signatures/dotnet.db b/signatures/dotnet.db
@@ -40,7 +40,7 @@ new[[:space:]]+Cli[[:space:]]*\(.*
 (ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*\+[[:space:]]*[Rr]equest
 (LIMIT|limit)[[:space:]]+([0-9]+,[[:space:]]*[Rr]equest\..*|[Rr]request\..*)
 Process.Start[[:space:]]*\(.*\+
-\.Arguments[[:space:]]*=(.*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+|.*[^\'\"]+[[:space:]]*\+[[:space:]]*[\'\"])
+\.Arguments[[:space:]]*=([^;\)]*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+|[^;\)]*[^\'\"]+[[:space:]]*\+[[:space:]]*[\'\"])
 \.SelectNodes[[:space:]]*\(.*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
 ReadAllBytes[[:space:]]*\(.*[Rr]equest
 # DotNet input controls
diff --git a/signatures/dotnet/fruit.db b/signatures/dotnet/fruit.db
@@ -7,6 +7,6 @@
 (ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*\+[[:space:]]*[Rr]equest
 (LIMIT|limit)[[:space:]]+([0-9]+,[[:space:]]*[Rr]equest\..*|[Rr]request\..*)
 Process.Start[[:space:]]*\(.*\+
-\.Arguments[[:space:]]*=(.*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+|.*[^\'\"]+[[:space:]]*\+[[:space:]]*[\'\"])
+\.Arguments[[:space:]]*=([^;\)]*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+|[^;\)]*[^\'\"]+[[:space:]]*\+[[:space:]]*[\'\"])
 \.SelectNodes[[:space:]]*\(.*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
 ReadAllBytes[[:space:]]*\(.*[Rr]equest
diff --git a/signatures/fruit.db b/signatures/fruit.db
@@ -24,7 +24,7 @@ strnc(at|py)[[:space:]]*\([^,]+,[^,]+,[[:space:]]*strlen[[:space:]]*\([^\)]+\)[[
 (ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*\+[[:space:]]*[Rr]equest
 (LIMIT|limit)[[:space:]]+([0-9]+,[[:space:]]*[Rr]equest\..*|[Rr]request\..*)
 Process.Start[[:space:]]*\(.*\+
-\.Arguments[[:space:]]*=(.*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+|.*[^\'\"]+[[:space:]]*\+[[:space:]]*[\'\"])
+\.Arguments[[:space:]]*=([^;\)]*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+|[^;\)]*[^\'\"]+[[:space:]]*\+[[:space:]]*[\'\"])
 \.SelectNodes[[:space:]]*\(.*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
 ReadAllBytes[[:space:]]*\(.*[Rr]equest
 \.Write(String)?[[:space:]]*\(.*URL\.Query[[:space:]]*\(.*\)
@@ -41,17 +41,17 @@ out\.print(ln)?.*([Rr]eq(uest)?|\.[Gg]et[Pp]aram)
 \.exec[[:space:]]*\([^\)\;]+[\'\"][[:space:]]*\+.*
 (execute|create|new)Query[[:space:]]*\(.*[\"\'][[:space:]]*\+[[:space:]]*[^\"\']+
 queryforObject[[:space:]]*\(.*[\"\'][[:space:]]*\+[[:space:]]*[^\"\']+
-eval[[:space:]]*\([^\)\;]*([Rr]eq(uest)?|\.[Gg]et[Pp]aram).*\)
+eval[[:space:]]*\([^\)\;\"]*([Rr]eq(uest)?[\.\)]|\.[Gg]et[Pp]aram[[:space:]]*[\[\(]).*\)
 \.getDocument[[:space:]]*\([^\)\;]+([Rr]eq(uest)?|\.g[Gg]et[Pp]aram).*\)
-(WHERE|where)[[:space:]]+.*=[[:space:]]*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']+
+(WHERE|where)[[:space:]]+[^;]+=[[:space:]]*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']+
 [\'\" ]+AND[[:space:]]+.*=[[:space:]]*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']
 (LIKE|like)[[:space:]]+[\'\"A-Za-z0-9%]+[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']
 (ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']
 (LIMIT|limit)[[:space:]]+([0-9,]+)?[;:space:]]*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']
-\.query\(.*[\'\"][[:space:]]*\+.*
+\.query\([^\);]*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
 eval[[:space:]]*\([^\)\;]+[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
 <%-[[:space:]]+.*%>
-\.(spawn|exec)(File)?(Sync)?\([^\)]+([\'\"] *\+|\$\{)
+\.(spawn|exec)(File)?(Sync)?\([^\);]*([\'\"] *\+|\$\{)
 asm[[:space:]]+[\'\"].*
 unsafeAddr
 execShellCmd[[:space:]]*\(
@@ -94,7 +94,7 @@ require[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\
 require_once[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
 fopen[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
 readfile[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
-file_get_contents[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
+file_(get|put)_contents[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
 (is_dir|file_exists|unlink)[[:space:]]*\(\"?\$(_ENV|_GET|_POST|_COOKE|_REQUEST|_SERVER|HTTP|http).*\)
 show_source[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
 preg_replace[[:space:]]*\([\'"](.).*\1[igsu]*e
@@ -113,10 +113,13 @@ pg_query[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*
 (ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
 (LIMIT|limit)[[:space:]]+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
 \.execute[[:space:]]*\([\"\'].*%.*[\"\'][[:space:]]*%.*\)
+^[[:space:]]*`[^`]*#\{[^\}]+\}.*`
+[=\(][[:space:]]*`[^`]*#\{[^\}]+.*\}
+render[[:space:]]+:?(text|plain):?.*#\{[Pp][Aa][Rr][Aa][Mm][^\}]*\}
 Source\.fromFile[[:space:]]*\([^\)\;]+[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
 sql\".*\#\$.*\"\.as\[.*
 SQL[[:space:]]*\([^\)\;]+[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
-(WHERE|where)[[:space:]]+[^;]+(=|[Ii][[Nn][[:space:]]+).*\$\{
+(WHERE|where)[[:space:]]+[^\;:\)]+(=|[Ii][[Nn][[:space:]]+[\+\"\(]).*\$\{
 [\'\" ]+AND[[:space:]]+.*=[[:space:]]?\$\{[^\}]+\}
 (LIKE|like)[[:space:]]+(['"][^\'\"]*)?\$\{[^\}]+\}
 (ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*\$\{[^\}]+\}
diff --git a/signatures/java.db b/signatures/java.db
@@ -36,9 +36,9 @@ out\.print(ln)?.*([Rr]eq(uest)?|\.[Gg]et[Pp]aram)
 \.exec[[:space:]]*\([^\)\;]+[\'\"][[:space:]]*\+.*
 (execute|create|new)Query[[:space:]]*\(.*[\"\'][[:space:]]*\+[[:space:]]*[^\"\']+
 queryforObject[[:space:]]*\(.*[\"\'][[:space:]]*\+[[:space:]]*[^\"\']+
-eval[[:space:]]*\([^\)\;]*([Rr]eq(uest)?|\.[Gg]et[Pp]aram).*\)
+eval[[:space:]]*\([^\)\;\"]*([Rr]eq(uest)?[\.\)]|\.[Gg]et[Pp]aram[[:space:]]*[\[\(]).*\)
 \.getDocument[[:space:]]*\([^\)\;]+([Rr]eq(uest)?|\.g[Gg]et[Pp]aram).*\)
-(WHERE|where)[[:space:]]+.*=[[:space:]]*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']+
+(WHERE|where)[[:space:]]+[^;]+=[[:space:]]*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']+
 [\'\" ]+AND[[:space:]]+.*=[[:space:]]*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']
 (LIKE|like)[[:space:]]+[\'\"A-Za-z0-9%]+[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']
 (ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']
diff --git a/signatures/java/fruit.db b/signatures/java/fruit.db
@@ -4,9 +4,9 @@ out\.print(ln)?.*([Rr]eq(uest)?|\.[Gg]et[Pp]aram)
 \.exec[[:space:]]*\([^\)\;]+[\'\"][[:space:]]*\+.*
 (execute|create|new)Query[[:space:]]*\(.*[\"\'][[:space:]]*\+[[:space:]]*[^\"\']+
 queryforObject[[:space:]]*\(.*[\"\'][[:space:]]*\+[[:space:]]*[^\"\']+
-eval[[:space:]]*\([^\)\;]*([Rr]eq(uest)?|\.[Gg]et[Pp]aram).*\)
+eval[[:space:]]*\([^\)\;\"]*([Rr]eq(uest)?[\.\)]|\.[Gg]et[Pp]aram[[:space:]]*[\[\(]).*\)
 \.getDocument[[:space:]]*\([^\)\;]+([Rr]eq(uest)?|\.g[Gg]et[Pp]aram).*\)
-(WHERE|where)[[:space:]]+.*=[[:space:]]*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']+
+(WHERE|where)[[:space:]]+[^;]+=[[:space:]]*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']+
 [\'\" ]+AND[[:space:]]+.*=[[:space:]]*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']
 (LIKE|like)[[:space:]]+[\'\"A-Za-z0-9%]+[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']
 (ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']
diff --git a/signatures/js.db b/signatures/js.db
@@ -14,10 +14,10 @@ additionalArguments
 enableWebSQL
 openExternal[[:space:]]*\(
 ELECTRON_RUN_AS_NODE
-\.query\(.*[\'\"][[:space:]]*\+.*
+\.query\([^\);]*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
 eval[[:space:]]*\([^\)\;]+[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
 <%-[[:space:]]+.*%>
-\.(spawn|exec)(File)?(Sync)?\([^\)]+([\'\"] *\+|\$\{)
+\.(spawn|exec)(File)?(Sync)?\([^\);]*([\'\"] *\+|\$\{)
 eval[[:space:]]*\(
 dangerouslySetInnerHTML
 trustAsHtml
diff --git a/signatures/js/fruit.db b/signatures/js/fruit.db
@@ -1,4 +1,4 @@
-\.query\(.*[\'\"][[:space:]]*\+.*
+\.query\([^\);]*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
 eval[[:space:]]*\([^\)\;]+[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
 <%-[[:space:]]+.*%>
-\.(spawn|exec)(File)?(Sync)?\([^\)]+([\'\"] *\+|\$\{)
+\.(spawn|exec)(File)?(Sync)?\([^\);]*([\'\"] *\+|\$\{)
diff --git a/signatures/php.db b/signatures/php.db
@@ -117,7 +117,7 @@ require[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\
 require_once[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
 fopen[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
 readfile[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
-file_get_contents[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
+file_(get|put)_contents[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
 (is_dir|file_exists|unlink)[[:space:]]*\(\"?\$(_ENV|_GET|_POST|_COOKE|_REQUEST|_SERVER|HTTP|http).*\)
 show_source[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
 preg_replace[[:space:]]*\([\'"](.).*\1[igsu]*e
@@ -238,6 +238,8 @@ px_.*[[:space:]]*\(.*\$.*\)
 ovrimos_.*[[:space:]]*\(.*\$.*\)
 maxdb_.*[[:space:]]*\(.*\$.*\)
 db2_.*[[:space:]]*\(.*\$.*\)
+->sqliteCreate(Agregate|Collation|Function)[[:space:]]*\(
+->createFunction[[:space:]]*\(
 CURLOPT_SSL_VERIFY(HOST|PEER), *([Ff][Aa][Ll][Ss][Ee]|0)
 unserialize[[:space:]]*\(.*\$.*
 file_exists[[:space:]]*\(\"?\$.*
@@ -248,6 +250,9 @@ filesize[[:space:]]*\(\"?\$.*
 file_get_contents[[:space:]]*\(.*\$.*
 fopen[[:space:]]*\(.*\$.*
 file[[:space:]]*\(.*\$.*
+file_(get|put)_contents[[:space:]]*\(.*\$
+fread[[:space:]]*\(
+fwrite[[:space:]]*\(
 scandir[[:space:]]*\(.*
 php://stdin
 php://stdout
diff --git a/signatures/php/fruit.db b/signatures/php/fruit.db
@@ -22,7 +22,7 @@ require[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\
 require_once[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
 fopen[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
 readfile[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
-file_get_contents[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
+file_(get|put)_contents[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
 (is_dir|file_exists|unlink)[[:space:]]*\(\"?\$(_ENV|_GET|_POST|_COOKE|_REQUEST|_SERVER|HTTP|http).*\)
 show_source[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*\)
 preg_replace[[:space:]]*\([\'"](.).*\1[igsu]*e
diff --git a/signatures/php/sql.db b/signatures/php/sql.db
@@ -40,3 +40,5 @@ px_.*[[:space:]]*\(.*\$.*\)
 ovrimos_.*[[:space:]]*\(.*\$.*\)
 maxdb_.*[[:space:]]*\(.*\$.*\)
 db2_.*[[:space:]]*\(.*\$.*\)
+->sqliteCreate(Agregate|Collation|Function)[[:space:]]*\(
+->createFunction[[:space:]]*\(
diff --git a/signatures/php/streams.db b/signatures/php/streams.db
@@ -7,6 +7,9 @@ filesize[[:space:]]*\(\"?\$.*
 file_get_contents[[:space:]]*\(.*\$.*
 fopen[[:space:]]*\(.*\$.*
 file[[:space:]]*\(.*\$.*
+file_(get|put)_contents[[:space:]]*\(.*\$
+fread[[:space:]]*\(
+fwrite[[:space:]]*\(
 scandir[[:space:]]*\(.*
 php://stdin
 php://stdout
diff --git a/signatures/ruby.db b/signatures/ruby.db
@@ -7,6 +7,9 @@ system[[:space:]]*\(
 \.(public_)?send[[:space:]]*\(
 `.*#\{[^`]+`
 File\.(read|new|open|delete)[[:space:]]*\(
+^[[:space:]]*`[^`]*#\{[^\}]+\}.*`
+[=\(][[:space:]]*`[^`]*#\{[^\}]+.*\}
+render[[:space:]]+:?(text|plain):?.*#\{[Pp][Aa][Rr][Aa][Mm][^\}]*\}
 # Ruby - Execution
 _send_[[:space:]]*\(
 __send__[[:space:]]*\(
@@ -30,3 +33,5 @@ new[[:space:]]*\(params\[:[a-zA-Z0-9_]+\]
 \.(calculate|average|count|maximum|minimum|sum|join|lock|(re)?select)[[:space:]]*\(.*\[:
 \.exists\?.*:
 \.find_(or_(create|initialize)_)?by!?.*:
+I18n.t[[:space:]]*\(['"][^'"]+['"][[:space:]]*,[[:space:]]*query:[[:space:]]*@.*
+render[[:space:]]+:?(text|plain):?.*#\{[^\}]+\}
diff --git a/signatures/ruby/fruit.db b/signatures/ruby/fruit.db
@@ -0,0 +1,3 @@
+^[[:space:]]*`[^`]*#\{[^\}]+\}.*`
+[=\(][[:space:]]*`[^`]*#\{[^\}]+.*\}
+render[[:space:]]+:?(text|plain):?.*#\{[Pp][Aa][Rr][Aa][Mm][^\}]*\}
diff --git a/signatures/ruby/xss.db b/signatures/ruby/xss.db
@@ -0,0 +1,2 @@
+I18n.t[[:space:]]*\(['"][^'"]+['"][[:space:]]*,[[:space:]]*query:[[:space:]]*@.*
+render[[:space:]]+:?(text|plain):?.*#\{[^\}]+\}
diff --git a/signatures/secrets.db b/signatures/secrets.db
@@ -3,8 +3,8 @@
 A[SK]IA[a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9]+
 [Aa][Cc][Cc][Ee][Ss][Ss][_\.\-]?[Kk][Ee][Yy]([_\-\.]?[Ii][Dd])?[\'\"]?[[:space:]]*[=:][[:space:]]*[a-zA-Z0-9\'\"_\-][a-zA-Z0-9/+_\-]+[a-zA-Z0-9/+=_\-][a-zA-Z0-9+=_\-]+[\'\" ]
 [Aa][Cc][Cc][Ee][Ss][Ss][_\.\-]?[Kk][Ee][Yy]([_\-\.]?[Ii][Dd])?[\'\"]?[[:space:]]*[=:][[:space:]]*[a-zA-Z0-9\'\"_\-][a-zA-Z0-9/+_\-]+[a-zA-Z0-9/+=_\-]+[a-zA-Z0-9\'\"=_\-]$
-[_\.\-]?[Aa][Pp][Ii][_\.\-]?[Kk][Ee][Yy][\'\"]?[[:space:]]*[=:][[:space:]]*[a-zA-Z0-9\'\"_\-][a-zA-Z0-9/+_\-][a-zA-Z0-9/+_\-][a-zA-Z0-9/+_\-]+[a-zA-Z0-9/+=_\-][a-zA-Z0-9+=_\-]+[\'\" ]
-[_\.\-]?[Aa][Pp][Ii][_\.\-]?[Kk][Ee][Yy][\'\"]?[[:space:]]*[=:][[:space:]]*[a-zA-Z0-9\'\"_\-][a-zA-Z0-9/+_\-][a-zA-Z0-9/+_\-][a-zA-Z0-9/+_\-]+[a-zA-Z0-9/+=_\-]+[a-zA-Z0-9+=\'\"_\-]$
+[_\.\-]?[Aa][Pp][Ii][_\.\-]?[Kk][Ee][Yy]\\?[\'\"]?[[:space:]]*[=:][[:space:]]*\\?[a-zA-Z0-9\'\"_\-][a-zA-Z0-9/+_\-][a-zA-Z0-9/+_\-][a-zA-Z0-9/+_\-]+[a-zA-Z0-9/+=_\-][a-zA-Z0-9+=_\-]+[\'\" ]
+[_\.\-]?[Aa][Pp][Ii][_\.\-]?[Kk][Ee][Yy]\\?[\'\"]?[[:space:]]*[=:][[:space:]]*\\?[a-zA-Z0-9\'\"_\-][a-zA-Z0-9/+_\-][a-zA-Z0-9/+_\-][a-zA-Z0-9/+_\-]+[a-zA-Z0-9/+=_\-]+[a-zA-Z0-9+=\'\"_\-]$
 [_\.\-][Oo][Aa][Uu][Tt][Hh][[:space:]]*=
 (client_secret|CLIENT_SECRET)[\'\"]?[[:space:]]*[=:][[:space:]]*[a-zA-Z0-9+=\'\"_\-][a-zA-Z0-9+=\'\"_\-]+
 [Ss][Ee][Cc][Rr][Ee][Tt][_\-\.]?([Kk][Ee][Yy])?[\'\"]?[[:space:]]*[=:][[:space:]]*[a-zA-Z0-9\'\"_\-][a-zA-Z0-9/+_\-][a-zA-Z0-9/+_\-]+[a-zA-Z0-9/+=_\-][a-zA-Z0-9+=_\-]+[\'\" ]
@@ -16,16 +16,22 @@ A[SK]IA[a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z
 [Pp][Rr][Ii][Vv]([Aa][Tt][Ee])?[_\.\-]?[Kk][Ee][Yy][\'\"]?[[:space:]]*[=:][[:space:]]*[a-zA-Z0-9\'\"_\-][a-zA-Z0-9/+_\-][a-zA-Z0-9/+_\-]+[a-zA-Z0-9/+=_\-][a-zA-Z0-9+=_\-]+
 PuTTY-User-Key-File-2\:
 SG\.......................\............................................
+https://events\.pagerduty\.com/integration/[0-9a-fA-F]+/enqueue
+https://hooks.slack.com/services/[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+
 SessionCryptoPassphrase(File)?[[:space:]]
 sk_live_.*
 xox([pbrcseoa]|a-2|e-1)-[0-9][0-9][0-9][0-9][0-9][0-9]+-[0-9][0-9][0-9][0-9][0-9][0-9]+-([a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9])+
 [Gg][Rr][Aa][Nn][Tt].*[Ii][Dd][Ee][Nn][Tt][Ii][Ff][Ii][Ee][Dd][[:space:]]+[Bb][Yy].*
 [Ii][Nn][Ss][Ee][Rr][Tt][[:space:]]+[Ii][Nn][Tt][Oo].*'[0-9a-fA-F]{32}'.*
 [Ii][Nn][Ss][Ee][rR][Tt][[:space:]]+[Ii][Nn][Tt][Oo].*'[0-9a-fA-F]{40}'.*
 PHP_AUTH_(USER|PW).*[\!\=][\!\=].+
-[Cc]onnection[Ss]tring.*([Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]|[Pp][Ww][Dd])[[:space:]]*=.*
+[Cc]onnection[Ss]tring.*([Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]|[Pp][Ww][Dd])[[:space:]]*=[^;]+
+[Dd][Bb][Cc]:.*([Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]|[Pp][Ww][Dd])[[:space:]]*=[^;]+
+\.connect[[:space:]]*\(.*([Pp][Ww][Dd]|[Tt][Oo][Kk][Ee][Nn])=.*
+://[^:/@;]+:[^:@/;]+@.*
 mysqldump[[:space:]]+.*--password[= ].+
 curl[[:space:]]+.*-?-([UEu](ser)?[^:]+:[^ ]+|tlspassword .*|pass .*|cert *[^: ]+:[^ ]+)
 curl_setopt[[:space:]]*\(.*CURLOPT_USERPWD.*\)
 ([Aa][Uu][Tt][Hh].*[\'\"]|Authorization: )[Bb]asic[[:space:]]+([a-zA-Z0-9/\+\.\-][a-zA-Z0-9/\+\.\-][a-zA-Z0-9/\+\.=\-][a-zA-Z0-9/\+\.=\-])+[\'\" ]
 --data-urlencode.*[Pp][Aa][Ss][Ss][Ww][Oo]?[Rr]?[Dd]?=.+
+JWT::decode[[:space:]]*\([^,]+,[[:space:]]*new Key[[:space:]]*\(['"][^'"]+
diff --git a/signatures/sql.db b/signatures/sql.db
@@ -110,6 +110,8 @@ px_.*[[:space:]]*\(.*\$.*\)
 ovrimos_.*[[:space:]]*\(.*\$.*\)
 maxdb_.*[[:space:]]*\(.*\$.*\)
 db2_.*[[:space:]]*\(.*\$.*\)
+->sqliteCreate(Agregate|Collation|Function)[[:space:]]*\(
+->createFunction[[:space:]]*\(
 [Ww][Hh][Ee][Rr][Ee][[:space:]]+.*=[[:space:]]*\{\}
 [Aa][Nn][Dd][[:space:]]+.*=[[:space:]]*\{\}
 (WHERE|where)[[:space:]]+.*=.*[\'\"][[:space:]]*\+.*
diff --git a/signatures/typescript.db b/signatures/typescript.db
@@ -22,7 +22,7 @@ require[[:space:]]*\([[:space:]]*.(child_process|execa).
 \.readFileSync[[:space:]]*\(
 dotfiles.?[[:space:]]*:[[:space:]]*['"][Aa][Ll][Ll][Oo][Ww]['"]
 \.chmod(Sync)?[[:space:]]*\(
-(WHERE|where)[[:space:]]+[^;]+(=|[Ii][[Nn][[:space:]]+).*\$\{
+(WHERE|where)[[:space:]]+[^\;:\)]+(=|[Ii][[Nn][[:space:]]+[\+\"\(]).*\$\{
 [\'\" ]+AND[[:space:]]+.*=[[:space:]]?\$\{[^\}]+\}
 (LIKE|like)[[:space:]]+(['"][^\'\"]*)?\$\{[^\}]+\}
 (ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*\$\{[^\}]+\}
diff --git a/signatures/typescript/fruit.db b/signatures/typescript/fruit.db
@@ -1,4 +1,4 @@
-(WHERE|where)[[:space:]]+[^;]+(=|[Ii][[Nn][[:space:]]+).*\$\{
+(WHERE|where)[[:space:]]+[^\;:\)]+(=|[Ii][[Nn][[:space:]]+[\+\"\(]).*\$\{
 [\'\" ]+AND[[:space:]]+.*=[[:space:]]?\$\{[^\}]+\}
 (LIKE|like)[[:space:]]+(['"][^\'\"]*)?\$\{[^\}]+\}
 (ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*\$\{[^\}]+\}
diff --git a/signatures/xss.db b/signatures/xss.db
@@ -20,3 +20,5 @@ echo[[:space:]]+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*
 print[[:space:]]+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*
 print_r([[:space:]]*\(|[[:space:]]+).*\)?\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*
 \<[\?\%]\=\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
+I18n.t[[:space:]]*\(['"][^'"]+['"][[:space:]]*,[[:space:]]*query:[[:space:]]*@.*
+render[[:space:]]+:?(text|plain):?.*#\{[^\}]+\}
