nyx-scanner 0.3.0

use crate::patterns::{Pattern, Severity};
pub const PATTERNS: &[Pattern] = &[
    // ---------- Runtime code-execution primitives ----------
    Pattern {
        id: "eval_call",
        description: "Kernel#eval usage",
        query: r#"
          (call
            (identifier) @id
            (#eq? @id "eval")
          ) @vuln
        "#,
        severity: Severity::High,
    },
    Pattern {
        id: "instance_eval_call",
        description: "Object#instance_eval usage",
        query: r#"
          (call
            (identifier) @id
            (#eq? @id "instance_eval")
          ) @vuln
        "#,
        severity: Severity::High,
    },
    Pattern {
        id: "class_eval_call",
        description: "Module#class_eval / module_eval usage",
        query: r#"
          (call
            (identifier) @id
            (#match? @id "^(class_eval|module_eval)$")
          ) @vuln
        "#,
        severity: Severity::High,
    },
    // ---------- Shell execution ----------
    Pattern {
        id: "system_exec_interp",
        description: "system/exec with string interpolation",
        query: r#"
          (call
            method: (identifier) @m
            (#match? @m "^(system|exec)$")
            arguments: (argument_list
              (string
                (interpolation)+ @vuln
              )
            )
          )
        "#,
        severity: Severity::High,
    },
    Pattern {
        id: "backtick_command",
        description: "Back-tick shell execution",
        // `uname -a`
        query: r#"(shell_command) @vuln"#,
        severity: Severity::High,
    },
    // ---------- Dangerous deserialisation ----------
    Pattern {
        id: "yaml_load",
        description: "YAML.load / Psych.load (arbitrary object deserialisation)",
        query: r#"
          (call
            receiver: (constant) @recv
            (#match? @recv "^(YAML|Psych)$")
            method: (identifier) @m
            (#eq? @m "load")
          ) @vuln
        "#,
        severity: Severity::High,
    },
    Pattern {
        id: "marshal_load",
        description: "Marshal.load usage",
        query: r#"
          (call
            receiver: (constant) @recv
            (#eq? @recv "Marshal")
            method: (identifier) @m
            (#eq? @m "load")
          ) @vuln
        "#,
        severity: Severity::High,
    },
    // ---------- Reflection / meta-programming ----------
    Pattern {
        id: "send_dynamic",
        description: "send() with dynamic first argument (not a literal symbol)",
        query: r#"
          (call
            method: (identifier) @m
            (#eq? @m "send")
            arguments: (argument_list
              [
                (identifier)                ; send(method_name_var, …)
                (string (interpolation)+)   ; send("user_#{role}", …)
              ] @vuln
            )
          )
        "#,
        severity: Severity::Medium,
    },
    Pattern {
        id: "constantize_call",
        description: "ActiveSupport constantize / safe_constantize on tainted data",
        query: r#"
          (call
            method: (identifier) @m
            (#match? @m "^(constantize|safe_constantize)$")
          ) @vuln
        "#,
        severity: Severity::Medium,
    },
    // ---------- Insecure resource access ----------
    Pattern {
        id: "open_uri_http",
        description: "Kernel#open with HTTP(S) URL (open-uri auto-follow)",
        query: r#"
          (call
            method: (identifier) @m
            (#eq? @m "open")
            arguments: (argument_list
              (string) @url
              (#match? @url "^\"https?://")
            )
          ) @vuln
        "#,
        severity: Severity::Medium,
    },
];