# Vulnerability Detection Patterns
Quick reference of regular expressions for security pattern matching. Use with grep/ripgrep for automated scanning; patterns that contain lookaheads (`(?!...)`) need a PCRE-capable engine (`grep -P` or `rg -P`), and every hit is a candidate for manual review, not a confirmed finding.
---
## Critical Severity
### SQL Injection
| ID | Language | Pattern | Description |
|----|----------|---------|-------------|
| SQL_JS | JS/TS | `\.query\s*\(\s*[^\)]*\+[^\)]*\)` | String concat in .query() |
| SQL_PY | Python | `\.execute\s*\(\s*(?:f['"].*\{.*\}.*['"]\|['"].*\.format\(\|['"].*%)` | f-string/format/% in execute() |
| SQL_JAVA | Java | `(?:Statement\|executeQuery\|executeUpdate)\s*\(.*(?:\+\|append\().*` | Concat in JDBC/Hibernate |
| SQL_GO | Go | `(?:Query\|Exec)\s*\(.*fmt\.Sprintf` | fmt.Sprintf in Query/Exec |
| SQL_CS | C# | `(?:SqlCommand\|ExecuteReader\|ExecuteNonQuery)\s*\(.*(?:\+\|String\.Format\|\$)` | Concat in SqlCommand |
| SQL_PHP | PHP | `(?:mysql_query\|mysqli_query\|pg_query)\s*\(.*(?:\.\|"_)` | Concat in PHP query |
### Command Injection
| ID | Language | Pattern | Description |
|----|----------|---------|-------------|
| CMD_JS | JS/TS | `\b(?:child_process\.)?exec\s*\(\s*[^\)]*\+[^\)]*\)` | Concat in exec() |
| CMD_PY | Python | `\bsubprocess\.(?:run\|Popen\|call)\s*\([^\)]*shell\s*=\s*True` | shell=True in subprocess |
| CMD_JAVA | Java | `Runtime\.getRuntime\(\)\.exec\s*\(\s*(?:String\.|"\s*\+)` | Dynamic arguments in exec |
| CMD_GO | Go | `exec\.Command\s*\(\s*(?:['"]sh['"]\|['"]bash['"]\|['"]cmd['"]).*\)` | Shell execution |
| CMD_PHP | PHP | `\b(?:system\|exec\|passthru\|shell_exec\|popen)\s*\(\s*\$` | Variable in system/exec |
### RCE / Deserialization
| ID | Language | Pattern | Description |
|----|----------|---------|-------------|
| RCE_PY | Python | `pickle\.loads\s*\(` | Unsafe pickle usage |
| RCE_JS | JS/TS | `eval\s*\(` | eval() usage |
| RCE_JAVA | Java | `ObjectInputStream\s*\(` | Java Deserialization |
| RCE_PHP | PHP | `unserialize\s*\(` | PHP unserialize |
| XML_XXE | Java | `DocumentBuilderFactory\|SAXParserFactory` | Potential XXE (check config) |
---
## Medium Severity
### XSS (Cross-Site Scripting)
| ID | Language | Pattern | Description |
|----|----------|---------|-------------|
| XSS_JS | JS/TS | `innerHTML\s*=\s*` | innerHTML assignment |
| XSS_REACT| JS/TS | `dangerouslySetInnerHTML` | React dangerous HTML |
| XSS_CS | C# | `Html\.Raw\s*\(` | ASP.NET raw HTML |
| XSS_PHP | PHP | `echo\s+\$` | Unsanitized echo |
### SSRF (Server-Side Request Forgery)
| ID | Language | Pattern | Description |
|----|----------|---------|-------------|
| SSRF_JS | JS/TS | `(?:fetch\|axios\.(?:get\|post))\s*\(\s*(?!['"]).` | Variable URL in fetch/axios |
| SSRF_PY | Python | `requests\.(?:get\|post)\s*\(\s*(?!['"]).` | Variable URL in requests |
| SSRF_JAVA| Java | `new\s+URL\s*\(\s*(?!").*\)\.openConnection` | Dynamic URL connection |
### Path Traversal
| ID | Language | Pattern | Description |
|----|----------|---------|-------------|
| PATH_JS | JS/TS | `fs\.(?:readFile\|open)\s*\(\s*(?!['"]).` | Dynamic file path |
| PATH_PY | Python | `open\s*\(\s*(?!['"]).` | Dynamic file open |
| PATH_JAVA| Java | `new\s+File\s*\(\s*(?!").*\)` | Dynamic File object |
---
## Advanced Backend & API
### JWT & Auth
| ID | Category | Pattern | Description |
|----|----------|---------|-------------|
| JWT_NONE | Auth | `['"]?alg['"]?\s*:\s*['"]?none['"]?` | Insecure JWT algorithm 'none' |
| JWT_DEC | Auth | `jwt\.decode\s*\(` | Possible decoding without signature verification (library-dependent; check) |
| HARD_SEC | Secrets | `secret\s*:\s*['"][a-zA-Z0-9]{1,20}['"]` | Weak/Hardcoded JWT secret |
### GraphQL
| ID | Category | Pattern | Description |
|----|----------|---------|-------------|
| GQL_INTRO| Config | `introspection\s*:\s*true` | Introspection enabled (Info Leak) |
| GQL_DBG | Config | `debug\s*:\s*true` | Debug mode enabled |
| GQL_DEP | DoS | `validationRules` | Check for depth limit rules (manual) |
### Financial Logic
| ID | Category | Pattern | Description |
|----|----------|---------|-------------|
| $$$_FLT | Logic | `(?:float\|double)\s+(?:price\|cost\|balance\|amount)` | Floating point for money |
| $$$_NEG | Logic | `if\s*\(\s*amount\s*!=\s*0` | Checks non-zero but allows negative |
---
## Infrastructure & Secrets
### Secrets / Keys (Generic)
| ID | Category | Pattern | Description |
|----|----------|---------|-------------|
| SEC_AWS | Cloud | `(?:AKIA\|ASIA)[0-9A-Z]{16}` | AWS Access Key ID |
| SEC_KEY | Crypto | `-----BEGIN.*PRIVATE KEY-----` | Private Key Block |
| SEC_GEN | Generic | `(?i)(?:api_key\|secret\|token\|password)\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]` | Generic API Key/Secret |
### Docker
| ID | Category | Pattern | Description |
|----|----------|---------|-------------|
| DOCK_ROOT| Security | `USER\s+root` | Explicit usage of root user |
| DOCK_LAT | Stability| `FROM\s+.*:latest` | Using 'latest' tag |
| DOCK_ADD | Security | `ADD\s+` | Prefer COPY over ADD |
### Terraform / K8s
| ID | Category | Pattern | Description |
|----|----------|---------|-------------|
| K8S_PRIV | Security | `privileged\s*:\s*true` | Privileged container |
| TF_S3PUB | Cloud | `acl\s*=\s*"public-read"` | Public S3 bucket |
| TF_SG | Cloud | `cidr_blocks\s*=\s*\["0\.0\.0\.0/0"\]` | Open Security Group |
---
## Taint Sources (Untrusted Input)
### Java
```regex
HttpServletRequest
@RequestParam
@PathVariable
System\.getenv
args\[\]
```
### Go
```regex
r\.URL\.Query\(\)
r\.FormValue
os\.Args
os\.Getenv
```
### C#
```regex
Request\.QueryString
Request\.Form
Input\.
args\[\]
```
### PHP
```regex
\$_GET
\$_POST
\$_REQUEST
\$_FILES
\$_COOKIE
```
---
## Severity Matrix
| Severity | Impact | Examples |
|----------|--------|----------|
| **Critical** | System Compromise | Remote Code Execution, SQL Injection, Auth Bypass |
| **High** | Data Breach | IDOR, Mass Assignment, XXE, Secrets Exposure |
| **Medium** | Unauthorized Action | XSS, SSRF, CSRF |
| **Low** | Reconnaissance | Information Disclosure, Stack Traces |
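A minimal scanner that runs a subset of the Python-facing patterns above over constructed sample code, as an added example (not part of the original reference). Pattern IDs and regexes are copied from the tables; the severity labels follow the section headings and the Severity Matrix; the sample lines and the `Finding` class are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Pattern IDs and regexes copied from the tables above; severities taken from the
# section headings (SEC_* mapped to High via "Secrets Exposure" in the matrix).
PATTERNS = {
    "SQL_PY": ("Critical", r"""\.execute\s*\(\s*(?:f['"].*\{.*\}.*['"]|['"].*\.format\(|['"].*%)"""),
    "CMD_PY": ("Critical", r"\bsubprocess\.(?:run|Popen|call)\s*\([^\)]*shell\s*=\s*True"),
    "RCE_PY": ("Critical", r"pickle\.loads\s*\("),
    "SSRF_PY": ("Medium", r"""requests\.(?:get|post)\s*\(\s*(?!['"])."""),
    "PATH_PY": ("Medium", r"""open\s*\(\s*(?!['"])."""),
    "SEC_AWS": ("High", r"(?:AKIA|ASIA)[0-9A-Z]{16}"),
    "SEC_GEN": ("High", r"""(?i)(?:api_key|secret|token|password)\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]"""),
}
# Each regex is compiled on its own: SEC_GEN's leading (?i) must stay at pattern start.
COMPILED = {pid: (sev, re.compile(rx)) for pid, (sev, rx) in PATTERNS.items()}

@dataclass(frozen=True)
class Finding:
    line_no: int
    pattern_id: str
    severity: str
    text: str

def scan(source: str) -> list[Finding]:
    """Run every pattern over every line. A hit is a triage candidate, not a confirmed bug."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for pid, (sev, rx) in COMPILED.items():
            if rx.search(line):
                findings.append(Finding(line_no, pid, sev, line.strip()))
    return findings

# Constructed sample: each risky line is paired with a safe variant the pattern must skip.
# The AKIA... value is the placeholder key from AWS's own documentation, not a real credential.
SAMPLE = """\
import subprocess, pickle, requests
cur.execute(f"SELECT * FROM users WHERE id = {uid}")
cur.execute("SELECT * FROM users WHERE id = ?", (uid,))
subprocess.run(cmd, shell=True)
subprocess.run(["ls", "-l"])
obj = pickle.loads(blob)
resp = requests.get(url)
resp = requests.get("https://example.invalid/health")
fh = open(user_path)
fh = open("config.yaml")
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
api_key = "abcdefghijklmnopqrstuvwxyz0123"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.severity:<8} {f.pattern_id:<8} L{f.line_no}: {f.text}")
```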