@@ -18,98 +18,98 @@ class SusPatternsManager:
1818 custom_patterns : set [str ] = set ()
1919
2020 patterns : list [str ] = [
21- # XSS - Enhanced patterns
22- r"<script[^>]* >[^<]* <\/script\s* >" , # Basic script tag
23- r"javascript:\s* [^\s]+ " , # javascript: protocol
21+ # XSS
22+ r"<script[^>]{0,100} >[^<]{0,1000} <\/script\s{0,10} >" , # Basic script tag
23+ r"javascript:\s{0,10} [^\s]{1,200} " , # javascript: protocol
2424 # Event handlers
2525 r"(?:on(?:error|load|click|mouseover|submit|mouse|unload|change|focus|"
26- r"blur|drag))=[\"\']? [^\"\'>\s]+ " ,
26+ r"blur|drag))=(?: [\"'] [^\"']{1,100}[\"']|[^\s>]{1,100}) " ,
2727 # Malicious attributes
28- r"(?:<[^>]*\s+ (?:href|src|data|action)\s* =[\s\"\']* (?:javascript|"
28+ r"(?:<[^>]{1,200}\s{1,20} (?:href|src|data|action)\s{0,10} =[\s\"\']{0,3} (?:javascript|"
2929 r"vbscript|data):)" ,
3030 # CSS expressions
31- r"(?:<[^>]*\s+ style\s* =[\s\"\']* [^>]* (?:expression|behavior|url)\s* \("
32- r"[^)]* \))" ,
33- r"(?:<object[^>]* >[\s\S]*? <\/object\s* >)" , # Suspicious objects
34- r"(?:<embed[^>]* >[\s\S]*? <\/embed\s* >)" , # Suspicious embeds
35- r"(?:<applet[^>]* >[\s\S]*? <\/applet\s* >)" , # Java applets
36- # SQL Injection - Enhanced patterns
31+ r"(?:<[^>]{1,200} style\s{0,10} =[\s\"\']{0,3} [^>\"\']{1,200} (?:expression|behavior|url)\s{0,10} \("
32+ r"[^)]{1,200} \))" ,
33+ r"(?:<object[^>]{1,200} >[\s\S]{1,1000} <\/object\s{0,10} >)" , # Suspicious obj
34+ r"(?:<embed[^>]{1,200} >[\s\S]{1,1000} <\/embed\s{0,10} >)" , # Suspicious embeds
35+ r"(?:<applet[^>]{1,200} >[\s\S]{1,1000} <\/applet\s{0,10} >)" , # Java applets
36+ # SQL Injection
3737 # Basic SELECT statements
38- r"(?i)SELECT\s+ [\w\s,\*]+\s+ FROM\s+ [\w\s\._]+ " ,
38+ r"(?i)SELECT\s{1,20} [\w\s,\*]{1,200}\s{1,20} FROM\s{1,20} [\w\s\._]{1,100} " ,
3939 # UNION-based queries
40- r"(?i)UNION\s+ (?:ALL\s+ )?SELECT" ,
40+ r"(?i)UNION\s{1,20} (?:ALL\s{1,20} )?SELECT" ,
4141 # Logic-based
42- r"(?i)('\s* (?:OR|AND)\s* [\(\s]* '?[\d\w]+\s* (?:=|LIKE|<|>|<=|>=)\s* "
43- r"[\(\s]* '?[\d\w]+ )" ,
44- # UNION-based (original pattern)
45- r"(?i)(UNION\s+ (?:ALL\s+ )?SELECT\s+ (?:NULL[,\s]*)+ |\(\s* SELECT\s+ "
42+ r"(?i)('\s{0,5} (?:OR|AND)\s{0,5} [\(\s]{0,5} '?[\d\w]{1,50}\s{0,5} (?:=|LIKE|<|>|<=|>=)\s{0,5} "
43+ r"[\(\s]{0,5} '?[\d\w]{1,50} )" ,
44+ # UNION-based
45+ r"(?i)(UNION\s{1,20} (?:ALL\s{1,20} )?SELECT\s{1,20} (?:NULL[,\s]{0,10}){1,20} |\(\s{0,10} SELECT\s{1,20} "
4646 r"(?:@@|VERSION))" ,
47- r"(?i)(?:INTO\s+ (?:OUTFILE|DUMPFILE)\s+ '[^']+ ')" , # File operations
48- r"(?i)(?:LOAD_FILE\s* \([^)]+ \))" , # File reading
49- r"(?i)(?:BENCHMARK\s* \(\s*\d+\s* ,)" , # Time-based
50- r"(?i)(?:SLEEP\s* \(\s*\d+\s* \))" , # Time-based
47+ r"(?i)(?:INTO\s{1,20} (?:OUTFILE|DUMPFILE)\s{1,20} '[^']{1,200} ')" , # File ops
48+ r"(?i)(?:LOAD_FILE\s{0,10} \([^)]{1,200} \))" , # File reading
49+ r"(?i)(?:BENCHMARK\s{0,10} \(\s{0,10}\d{1,10}\s{0,10} ,)" , # Time-based
50+ r"(?i)(?:SLEEP\s{0,10} \(\s{0,10}\d{1,10}\s{0,10} \))" , # Time-based
5151 # Comment-based
52- r"(?i)(?:\/\*![0-9]*\s* (?:OR|AND|UNION|SELECT|INSERT|DELETE|DROP|"
52+ r"(?i)(?:\/\*![0-9]{0,10}\s{0,10} (?:OR|AND|UNION|SELECT|INSERT|DELETE|DROP|"
5353 r"CONCAT|CHAR|UPDATE)\b)" ,
54- # Directory Traversal - Enhanced patterns
55- r"(?:\.\./|\.\\/){2,}" , # Multiple traversal
54+ # Directory Traversal
55+ r"(?:\.\./|\.\\/){2,10 }" , # Multiple traversal
5656 # Sensitive files
5757 r"(?:/etc/(?:passwd|shadow|group|hosts|motd|issue|mysql/my.cnf|ssh/"
5858 r"ssh_config)$)" ,
59- r"(?:boot\.ini|win\.ini|system\.ini|config\.sys)\s* $" , # Windows files
59+ r"(?:boot\.ini|win\.ini|system\.ini|config\.sys)\s{0,10} $" , # Windows files
6060 r"(?:\/proc\/self\/environ$)" , # Process information
61- r"(?:\/var\/log\/[^\/]+ $)" , # Log files
62- # Command Injection - Enhanced patterns
61+ r"(?:\/var\/log\/[^\/]{1,100} $)" , # Log files
62+ # Command Injection
6363 # Basic commands
64- r";\s* (?:ls|cat|rm|chmod|chown|wget|curl|nc|netcat|ping|telnet)\s+ "
65- r"-[a-zA-Z]+\s+ " ,
64+ r";\s{0,10} (?:ls|cat|rm|chmod|chown|wget|curl|nc|netcat|ping|telnet)\s{1,20} "
65+ r"-[a-zA-Z]{1,20}\s{1,20} " ,
6666 # Download commands
67- r"\|\s* (?:wget|curl|fetch|lwp-download|lynx|links|GET)\s+ " ,
67+ r"\|\s{0,10} (?:wget|curl|fetch|lwp-download|lynx|links|GET)\s{1,20} " ,
6868 # Command substitution
69- r"(?:[;&|`]\s* (?:\$\([^)]+ \)|\$\{[^}]+ \}))" ,
69+ r"(?:[;&|`]\s{0,10} (?:\$\([^)]{1,100} \)|\$\{[^}]{1,100} \}))" ,
7070 # Shell execution
71- r"(?:^|;)\s* (?:bash|sh|ksh|csh|tsch|zsh|ash)\s+ -[a-zA-Z]+ " ,
71+ r"(?:^|;)\s{0,10} (?:bash|sh|ksh|csh|tsch|zsh|ash)\s{1,20} -[a-zA-Z]{1,20} " ,
7272 # PHP functions
73- r"\b(?:eval|system|exec|shell_exec|passthru|popen|proc_open)\s* \(" ,
74- # File Inclusion - Enhanced patterns
73+ r"\b(?:eval|system|exec|shell_exec|passthru|popen|proc_open)\s{0,10} \(" ,
74+ # File Inclusion
7575 # Protocols
7676 r"(?:php|data|zip|rar|file|glob|expect|input|phpinfo|zlib|phar|ssh2|"
77- r"rar|ogg|expect)://[^\s]+ " ,
77+ r"rar|ogg|expect)://[^\s]{1,200} " ,
7878 # URLs
79- r"(?:\/\/[0-9a-zA-Z]([-.\w]* [0-9a-zA-Z])*(:( 0-9)*)* (?:\/?)(?:"
80- r"[a-zA-Z0-9\-\.\?,'/\\\+&%\$#_]* )?)" ,
81- # LDAP Injection - Enhanced patterns
82- r"\(\s* [|&]\s* \(\s* [^)]+ =[*]" , # Wildcards
83- r"(?:\*(?:[\s\d\w]+\s* =|=\s* [\d\w\s]+ ))" , # Attribute matching
84- r"(?:\(\s* [&|]\s* )" , # Logic operations
85- # XML Injection - Enhanced patterns
86- r"<!(?:ENTITY|DOCTYPE)[^>]+ SYSTEM[^>]+ >" , # XXE
87- r"(?:<!\[CDATA\[.* ?\]\]>)" , # CDATA sections
88- r"(?:<\?xml.* ?\?>)" , # XML declarations
89- # SSRF - Enhanced patterns
79+ r"(?:\/\/[0-9a-zA-Z]([-.\w]{0,50} [0-9a-zA-Z]){0,10}(:[ 0-9]{0,10}){0,1} (?:\/?)(?:"
80+ r"[a-zA-Z0-9\-\.\?,'/\\\+&%\$#_]{0,500} )?)" ,
81+ # LDAP Injection
82+ r"\(\s{0,10} [|&]\s{0,10} \(\s{0,10} [^)]{1,100} =[*]" , # Wildcards
83+ r"(?:\*(?:[\s\d\w]{1,50}\s{0,10} =|=\s{0,10} [\d\w\s]{1,50} ))" , # Attribute match
84+ r"(?:\(\s{0,10} [&|]\s{0,10} )" , # Logic operations
85+ # XML Injection
86+ r"<!(?:ENTITY|DOCTYPE)[^>]{1,200} SYSTEM[^>]{1,200} >" , # XXE
87+ r"(?:<!\[CDATA\[.{0,1000} ?\]\]>)" , # CDATA sections
88+ r"(?:<\?xml.{0,200} ?\?>)" , # XML declarations
89+ # SSRF
9090 # Local addresses
91- r"(?:^|\s|/)(?:localhost|127\.0\.0\.1|0\.0\.0\.0|\[::(?:\d* )\]|(?:169\.254|192\.168|10\.|"
92- r"172\.(?:1[6-9]|2[0-9]|3[01]))\.\d+ )(?:\s|$|/)" ,
93- r"(?:file|dict|gopher|jar|tftp)://[^\s]+ " , # Dangerous protocols
94- # NoSQL Injection - Enhanced patterns
91+ r"(?:^|\s|/)(?:localhost|127\.0\.0\.1|0\.0\.0\.0|\[::(?:\d{0,10} )\]|(?:169\.254|192\.168|10\.|"
92+ r"172\.(?:1[6-9]|2[0-9]|3[01]))\.\d{1,3} )(?:\s|$|/)" ,
93+ r"(?:file|dict|gopher|jar|tftp)://[^\s]{1,200} " , # Dangerous protocols
94+ # NoSQL Injection
9595 # MongoDB
96- r"\{\s* \$(?:where|gt|lt|ne|eq|regex|in|nin|all|size|exists|type|mod|"
96+ r"\{\s{0,10} \$(?:where|gt|lt|ne|eq|regex|in|nin|all|size|exists|type|mod|"
9797 r"options):" ,
98- r"(?:\{\s* \$[a-zA-Z]+\s* :\s* (?:\{|\[))" , # Nested operators
99- # File Upload - Enhanced patterns
100- r"(?i)filename=[\"'].* ?\.(?:php\d* |phar|phtml|exe|jsp|asp|aspx|sh|"
98+ r"(?:\{\s{0,10} \$[a-zA-Z]{1,20}\s{0,10} :\s{0,10} (?:\{|\[))" , # Nested operators
99+ # File Upload
100+ r"(?i)filename=[\"'].{0,200} ?\.(?:php\d{0,5} |phar|phtml|exe|jsp|asp|aspx|sh|"
101101 r"bash|rb|py|pl|cgi|com|bat|cmd|vbs|vbe|js|ws|wsf|msi|hta)[\"\']" ,
102- # Path Traversal - Enhanced patterns
102+ # Path Traversal
103103 # Encoded traversal
104104 r"(?:%2e%2e|%252e%252e|%uff0e%uff0e|%c0%ae%c0%ae|%e0%40%ae|%c0%ae"
105105 r"%e0%80%ae|%25c0%25ae)/" ,
106- # Template Injection - New category
106+ # Template Injection
107107 # Basic template injection
108- r"\{\{\s* [^\}]* (?:system|exec|popen|eval|require|include)\s* \}\}" ,
108+ r"\{\{\s{0,10} [^\}]{1,200} (?:system|exec|popen|eval|require|include)\s{0,10} \}\}" ,
109109 # Alternative syntax
110- r"\{\%\s* [^\%]* (?:system|exec|popen|eval|require|include)\s* \%\}" ,
111- # HTTP Response Splitting - New category
112- r"[\r\n]\s* (?:HTTP\/[0-9.]+ |Location:|Set-Cookie:)" ,
110+ r"\{\%\s{0,10} [^\%]{1,200} (?:system|exec|popen|eval|require|include)\s{0,10} \%\}" ,
111+ # HTTP Response Splitting
112+ r"[\r\n]\s{0,10} (?:HTTP\/[0-9.]{1,10} |Location:|Set-Cookie:)" ,
113113 ]
114114
115115 compiled_patterns : list [re .Pattern ]