{"id":18708594,"url":"https://github.com/va1da5/manual-source-code-review","last_synced_at":"2026-02-03T11:05:14.250Z","repository":{"id":106645568,"uuid":"296907462","full_name":"va1da5/manual-source-code-review","owner":"va1da5","description":"Regex patterns for manual application source code review","archived":false,"fork":false,"pushed_at":"2020-12-14T09:25:22.000Z","size":4,"stargazers_count":28,"open_issues_count":0,"forks_count":8,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-06-27T23:02:07.132Z","etag":null,"topics":["bugs","oswe","oswe-prep","regex-pattern","review","security","web-300"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/va1da5.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-09-19T16:23:51.000Z","updated_at":"2025-06-03T01:53:12.000Z","dependencies_parsed_at":"2024-01-11T11:20:25.100Z","dependency_job_id":null,"html_url":"https://github.com/va1da5/manual-source-code-review","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/va1da5/manual-source-code-review","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/va1da5%2Fmanual-source-code-review","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/va1da5%2Fmanual-source-code-review/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/va1da5%2Fmanual-source-code-review/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/va1da5%2Fmanual-source-code-review/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/va1da5","download_url":"https://codeload.github.com/va1da5/manual-source-code-review/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/va1da5%2Fmanual-source-code-review/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29043753,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-03T10:09:22.136Z","status":"ssl_error","status_checked_at":"2026-02-03T10:09:16.814Z","response_time":96,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugs","oswe","oswe-prep","regex-pattern","review","security","web-300"],"created_at":"2024-11-07T12:24:06.553Z","updated_at":"2026-02-03T11:05:14.232Z","avatar_url":"https://github.com/va1da5.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Source Code Review Bug Patterns\n\nThis repository contains regex patterns to look for while performing manual application source code analysis. The patterns are deliberately broad and, if used in automated tools, would produce many false positives. They still bring value during manual investigation and can lead to serious bug findings. A match in the code does not by itself mean the application is vulnerable to a given type of attack; it is the security tester's responsibility to evaluate each case and reach a conclusion.\n\n## Tools\n\nUsage with `grep`\n\n```bash\n# List files with a specific extension\nfind . -name \"*.html\" -o -name \"*.jsp\"\n\n# Files that define a servlet handler, minus static assets, then grep those files for SQL WHERE clauses\n# (-Z/-z/-0 keep the pipeline NUL-delimited so file names with spaces survive xargs)\ngrep -rlZP \"\\bdo(?:Post|Get|Put|Patch|Delete|Options|Copy|Move)\\b\" . | grep -zvP \"\\.(?:js|css|jpg)$\" | xargs -0 grep -niP \"WHERE.*\" --color\n```\n\n---\n\n## Javascript\n\n### Node JS\n\n```regex\nunserialize\\s*\\(\neval\\s*\\(\n\\bchild_process\\b\nexec\\s*\\(\nspawn\\s*\\(\nexecFile\\s*\\(\n\\bfork\\s*\\(\n```\n\n### HTML DOM Related\n\n```regex\ninnerText\ninnerHTML\ndocument\\.location\ndocument\\.create\ndocument\\.URL\ndocument\\.URLUnencoded\ndocument\\.referrer\nwindow\\.location\ndocument\\.write\\s*\\(\ndocument\\.writeln\\s*\\(\neval\\s*\\(\ndocument\\.cookie\nwindow\\.execScript\\s*\\(\nwindow\\.setInterval\\s*\\(\nwindow\\.setTimeout\\s*\\(\ndocument\\.open\\s*\\(\nwindow\\.location\\.href\nwindow\\.navigate\\s*\\(\nwindow\\.open\\s*\\(\ndocument\\.execCommand\nlocation\\.hash\nlocation\\.href\nwindow\\.createRequest\ndocument\\.attachEvent\nwindow\\.execScript\nwindow\\.setInterval\ntarget\\s*=\\s*[\"']_blank['\"]\n```\n\n---\n\n## PHP\n\n### PHP Deserialization\n\n```regex\nunserialize\\s*\\(\nunserialize_callback_func\n```\n\n### Command Execution\n\n```regex\nexec\\s*\\(\npassthru\\s*\\(\npopen\\s*\\(\nshell_exec\\s*\\(\nsystem\\s*\\(\n`[^`]+`\neval\\s*\\(\nproc_open\\s*\\(\nproc_close\\s*\\(\nproc_get_status\\s*\\(\nproc_nice\\s*\\(\nproc_terminate\\s*\\(\n```\n\n### User Input\n\n```regex\n\\$_ENV\\[.*\\]\n\\$_GET\\[.*\\]\n\\$_POST\\[.*\\]\n\\$_COOKIE\\[.*\\]\n\\$_REQUEST\\[.*\\]\n\\$_FILES\\[.*\\]\n\\$_SERVER\\[.*\\]\n\\$HTTP_GET_VARS\n\\$http_get_vars\n\\$HTTP_POST_VARS\n\\$http_post_vars\n\\$HTTP_ENV_VARS\n\\$http_env_vars\n\\$HTTP_RAW_POST_DATA\n\\$http_raw_post_data\n\\$HTTP_POST_FILES\n\\$http_post_files\n```\n\n### SQL Commands\n\n```regex\nmysql_query\\s*\\(\nWHERE\\s+.*=.*\nmysql_connect\\s*\\(\nmysql_pconnect\\s*\\(\nmysqli\\s*\\(\n(mysqli::[^ ]*|mysqli_[^ ]*)\nmysql_error\\s*\\(\npg_connect\\s*\\(\npg_pconnect\\s*\\(\npg_execute\\s*\\(\npg_insert\\s*\\(\npg_put_line\\s*\\(\npg_query\\s*\\(\npg_select\\s*\\(\npg_send_query\\s*\\(\npg_update\\s*\\(\nsqlite_open\\s*\\(\nsqlite_query\\s*\\(\nsqlite_array_query\\s*\\(\nsqlite_create_function\\s*\\(\nsqlite_create_aggregate\\s*\\(\nsqlite_exec\\s*\\(\nsqlite_fetch_.*\nmsql_.*\nmssql_.*\nodbc_.*\nfbsql_.*\ndb2_.*\nsqlsrv_.*\nsybase_.*\nibase_.*\ndbx_.*\ningres_.*\nifx_.*\noci_.*\npx_.*\novrimos_.*\nmaxdb_.*\n```\n\n### File Related Functions\n\n```regex\n(include|include_once|require|require_once)\nfile\\s*\\(\nfile_get_contents\\s*\\(\nfopen\\s*\\(\np?fsockopen\\s*\\(\nfwrite\\s*\\(\nmove_uploaded_file\nstream_.*\nreadfile\\s*\\(\n```\n\n### Other Interesting Stuff\n\n```regex\nget_loaded_extensions\ngetenv\\s?\\(\nputenv\\s?\\(\napache_setenv\\s?\\(\napache_request_headers\\s?\\(\napache_response_headers\\s?\\(\nheader\\s?\\(\nstream_context_create\ncreate_function\\s?\\(\nmail\\s?\\(\npreg_replace\n\\\u003c\\?\\=\\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)\n\\\u003c\\%\\=\\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)\n{php}\n```\n\n### I/O Streams\n\n```regex\nphp://stdin\nphp://stdout\nphp://stderr\nphp://output\nphp://input\nphp://filter\nphp://memory\nphp://temp\n```\n\n---\n\n## JAVA\n\n- [FindBugs JAVA weaknesses database](https://find-sec-bugs.github.io/bugs.htm)\n- [Sonarqube Rules](https://rules.sonarsource.com/java)\n- [PMD 
Java Coding Patterns](https://pmd.github.io/pmd-6.18.0/pmd_rules_java.html)\n- [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet)\n\n### Deserialization\n\n```regex\n\\bObjectInputStream\\(\n\\breadObject\\(\n\\bdefaultReadObject\\s*\\(\n\\breadUnshared\\s*\\(\n\\breadResolve\\s*\\(\n\\bwriteObject\\s*\\(\n\\bXMLDecoder\\s*\\(\n\\bXStream\\b\n\\.enableDefaultTyping\\(\\)\n\\bcom\\.fasterxml\\.jackson\\.databind\\.ObjectMapper\\b\n\\bnew\\s+ObjectMapper()\\b\n\\b@JsonTypeInfo\\(\n\\breadValue\\([^,]+,\\s*Object\\.class\\)\n\\bJSON\\.parseObject\\b\n\\bcom\\.alibaba\\.fastjson\\.JSON\\b\n```\n\n### Command Execution\n\n```regex\n\\bexec\\s?\\(\n```\n\n### User Input\n\n```regex\ndo(?:Post|Get|Put|Patch|Delete|Options|Copy|Move)\\b\n@WebServlet\\(.*\n\\bjavax\\.servlet\\..*\ngetParameter\\s*\\(\ngetParameterNames\\s*\\(\ngetParameterValues\\s*\\(\ngetParameterMap\\s*\\(\ngetQueryString\\s*\\(\nHttpServletRequest\ngetScheme\\s*\\(\ngetProtocol\\s*\\(\ngetContentType\\s*\\(\ngetServerName\\s*\\(\ngetRemoteAddr\\s*\\(\ngetRemoteHost\\s*\\(\ngetRealPath\\s*\\(\ngetLocalName\\s*\\(\ngetAttribute\\s*\\(\ngetAttributeNames\\s*\\(\ngetLocalAddr\\s*\\(\ngetAuthType\\s*\\(\ngetRemoteUser\\s*\\(\ngetCookies\\s*\\(\ngetHeaderNames\\s*\\(\ngetHeaders?\\s*\\(\ngetPrincipal\\s*\\(\ngetUserPrincipal\\s*\\(\ngetRequestedSessionId\\s*\\(\nXMLReader\n\\bCookie\\b\ngetRequestURI\ngetRequestURL\ngetComment\\s*\\(\n\n\\.get(?:Parameter(?:Names?|Values?|Map)?|QueryString|ContentType|Cookies|Header(?:s|Names)|Request(?:URL|URI))\\s*\\(\n```\n\n### JSP\n\n```regex\n\\brequest\\.getParameter\\(\n\\bsession\\.setAttribute\\(\n\\$\\{[^}]+\\}\n\\.getRequestDispatcher\\(                                        #look for .include(request, 
response)\n(?!.*\\.jspf?['\"])(?:\u003cjsp:include\\s+page|\u003cjsp:directive\\.include\\s+file|\u003c%@\\s+include\\s+file|\u003cc:import\\s+url)\\s*=\\s*[\"'].*\n\u003cc:out.*escapeXml\\s*=\\s*[\"']false[\"']\n\u003c%=\\s+[a-zA-Z0-9_$]+\\s+%\u003e\n\u003cx:transform\\b.*\\b(?:xml|xslt)\\s*=.*(?:xml|xslt)\\s*=.*\u003e\n\n```\n\n### Servlet Response Functions\n\n```regex\n\\.sendRedirect\\((?:.*\\.getParameter\\(.*\\))?\nsetJavaScriptEnabled\ngetWriter\naddCookie\\s*\\(\n\\b(?:add|set)Header\\s*\\(\n\\bsetStatus\nsetAttribute\\s*\\(\nHttpServletResponse\nServletOutputStream\n\\.addHeader\\(\"Access-Control-Allow-Origin\", \"\\*\"\\)\n```\n\n### SQL Commands\n\n```regex\nexecute(?:Query|Update)\\s*\\(\nPrepared?Statement\\b\n\\b(?:SELECT|UPDATE|DELETE|WHERE|GROUP BY|HAVING|ORDER BY)\\s+.*=.*\n(?:create|execute)[sS]tatement\\s*\\(\nget(?:Object|String)\\s*\\(\naddBatch\\s*\\(\nexecute\\s*\\(\nprepareCall\\s*\\(\njdbc:.*\n```\n\n### Files/Streams Related Functions\n\n```regex\n\\bcreateRequest\\b\n\\b(?:new )?File\\b\n\\bFiles\\.exists\\((?:\\s*Paths\\.get\\()?\n\\bfromFile\\s*\\(\njava\\.io\\.File\n\\bFileReader\\b\n\\bFileWriter\\b\nrenameTo\\s*\\(\nmkdir\\s*\\(\n\\bRandomAccessFile\\b\n\\bFileOutputStream\\b\n\\bHttpsURLConnection\\b\n\\bFileInputStream\\b\n\\bFilterInputStream\\b\n\\bPipedInputStream\\b\n\\bBufferedReader\\b\n\\bFileOutputStream\\b\n\\bSequenceInputStream\\b\n\\bStringBufferInputStream\\b\n\\bByteArrayInputStream\\b\n\\bSocket\\s*\\(\n\\bServerSocket\\s*\\(\n\\bFileNotFoundException\\b\n(?:\\bnew\\s+URL(.*))?\\.(?:getContent|open(?:Connection|Stream))\\(\\)\n```\n\n### XXE\n\n```regex\n\\.createXMLStreamReader\\s*\\(\n(?\u003c!Pattern|RegExp|JsonPointer)(?:XPathExpression\\b.*)?\\.compile\\s*\\(\n(?:\\bSAXParser\\b.*)?\\.newSAXParser\\s*\\(\\b                                # look for parser.parse(..)\n(?:\\bXMLReader\\b.*)?\\.createXMLReader\\s*\\(                               # look for 
reader.parse(...);\n(?:\\bDocumentBuilder\\b.*)?\\.newDocumentBuilder\\s*\\(                      # look for db.parse(input);\n\\bDocument\\s.*\\.parse\\s*\\(\n(?:\\bTransformer\\s.*)?\\.newTransformer\\s*\\(\n```\n\n### Spring\n\n```regex\n@(?:Request|Get|Post|Put|Delete|Patch)Mapping\n\\.csrf\\(\\)\\.disable\\(\\)\n\\bExpression\\s.*\\.parseExpression\\s*\\(\nredirect\\(\\s*@RequestParam\\(.*\n\\bModelAndView\\(\n\u003cspring:eval\\s*expression\\s*=\\s*\"\n```\n\n### Other Interesting Stuff\n\n```regex\n\\bRandom\\(\ngetPropert(y|ies)\\s*\\(\ngetSession\\s*\\(\n\\bHTTPCookie\\b\n\\bdoPrivileged\\b\nIS_SUPPORTING_EXTERNAL_ENTITIES\neval\\s*\\(\n\\bprint[Ss]tack[Tt]race\\b\nBase64\n\\.newTransformer\\(\nimport java\\.lang\\.Runtime\n\\bXPath\\b\n(?:\\bXPath\\s.*)\\.newXPath\\s*\\(\n(?:\\bXPathExpression\\s.*)\\.compile\\s*\\(\n\\bNamingEnumeration\\b.*\\.search\\s*\\(\n(?:\\bScriptEngine\\s.*)?\\.getEngineByName\\s*\\(\n(?!.*=\\s*\"\\s*\\+.*\\+\\s*\")(?:String\\s*)?(?:secret|token|pass(?:key|phrase|word|wd)?|api_?key|hash|user(?:name|id)?|login|admin|account(?:id)?|auth|email)[a-zA-Z0-9$_]*\\s*=\\s*\".{4,}\";\n\\.newTransformer\\s*\\(\nVelocity\\.evaluate\\(\nBeanUtils\\.populate\\(\n\\bMimeMessage\\(\n\\.setEscapeModelStrings\\(false\\)\n(?:setHeader|setRequestProperty)\\(\"Authorization\"\\s*,\\s*\"Basic\n\\bisActiveSession\\([a-z0-9_$]+\\.getRequestedSessionId\\(\\)\\)\n\\bTemplate\\s+[a-zA-Z0-9_$]+\\s*=\\s*[a-zA-Z0-9_$]+.getTemplate\\(\n```\n\n---\n\n## C#\n\n- [Security Code Scan Rules](https://security-code-scan.github.io/#Rules)\n\n### 
Deserialization\n\n```regex\nXmlReader\nXmlReader\\.Create\nXamlReader\\.Load\nJsonConvert.DeserializeObject\n\\.DeserializeObject\nJSON.ToObject\n\\.ToObject\nJsonSerializer\nJavaScriptSerializer\nSimpleTypeResolvers\\s*\\(\nXmlSerializer\\s*\\(\nDataContractSerializer\\s*\\(\nDeserializerBuilder\n\\.Deserialize\\s*\\(\nBinaryFormatter\nObjectStateFormatter\nSoapFormatter\nNetDataContractSerializer\nLosFormatter\nSerializationFormatter\n```\n\n### Command Execution\n\n```regex\nServer\\.Execute\n\\bExecute\\b\n\\bEval\\b\n\\bProcess\\b\n\\.StartInfo\\.FileName\\b\n\\.StartInfo\\.Arguments\\b\n\n```\n\n### User Input\n\n```regex\nSystem\\.Net\\.Cookie\nCookie\n\\.Cookies\nrequest\\.cookies\nRequest\nRequest\\.Files\nRequest\\.Headers\nrequest\\.querystring\nrequest\\.form\nrequest\\.item\nrequest\\.url\nrequest\\.urlreferrer\nrequest\\.useragent\nrequest\\.userlanguages\n```\n\n### Server Response Functions\n\n```regex\nresponse\\.write\ninnerText\nHttpUtility\ninnerHTML\nHtmlEncode\n\u003c%=\nUrlEncode\ndocument\\.cookie\nHTTPOnly\nhtmlcontrols\\.\nwebcontrols\\.\nResponse\\.AddHeader\nResponse\\.Redirect\n```\n\n### SQL Commands\n\n```regex\n\\bselect\\b\n\\bdelete\\b\n\\bupdate\\b\n\\bwhere.*=.*\n\nsp_executesql\n\\bExecuteQuery\\b\n\\bexecuteSQL\\b\n\\bexecuteQuery\\b\n\\bSqlDataAdapter\\b\n\\bSqlConnection\\b\n\\bCreateSQLQuery\\b\nexec sp_\nexec xp_\nexecute sp_\nexec @\nsetfilter\nsqloledb\n\\.Provider\\b\nExecuteReader\\b\nSqlDataReader\\b\nexecute @\nSystem\\.Data\\.sql\nDataSource\nExecuteReader\nexecutestatement\nGetQueryResultInXML\n\\bdriver\\b\nADODB\\.recordset\nSqlCommand\nSqlDataAdapter\n\\badodb\\b\nServer\\.CreateObject\nNew OleDbConnection\\b\n\\bOdbcCommand\\b\n\\bSqlCommand\\b\nMicrosoft\\.Jet\n\\bStoredProcedure\\b\n\\bExecuteSqlCommand\\b\n\\bExecuteDataSet\\b\n\\bNpgsqlCommand\\b\n```\n\n### Files/Streams Related Functions\n\n```regex\nSystem\\.IO\nReadAllBytes\nFileSystemObject\nStreamReader\nFileInputStream\nGetTempFileName\n```\n\n### 
XXE\n\n```regex\n\\bXmlReaderSettings\\b\n\\bXmlReader\\b\n\\bXmlDocument\\b\n```\n\n### Other Interesting Stuff\n\n```regex\nShell\\.Application\nShell32\nServer\\.CreateObject\n\\.Run\\b\nWscript\\.Shell\nSystem\\.Security\\.Cryptography\n\\bCipherMode\\.(CBC|ECB|OFB)\n\\.SetPassword\\b\n```\n\n---\n\n## References\n\n- [Regular Expression: Special Groups](https://www.regular-expressions.info/refadv.html)\n- [graudit](https://github.com/wireghoul/graudit)\n- [Security Code Scan - static code analyzer for .NET](https://security-code-scan.github.io/)\n- [FindBugs JAVA weaknesses database](https://find-sec-bugs.github.io/bugs.htm)\n- [Sonarqube Rules](https://rules.sonarsource.com/java)\n- [PMD Java Coding Patterns](https://pmd.github.io/pmd-6.18.0/pmd_rules_java.html)\n- [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet)\n- [CFR - another java decompiler](http://www.benf.org/other/cfr/)\n- [JD-GUI](https://java-decompiler.github.io/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fva1da5%2Fmanual-source-code-review","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fva1da5%2Fmanual-source-code-review","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fva1da5%2Fmanual-source-code-review/lists"}