# Injection Prevention Rules
# ==========================
injection_rules:
  - id: SEC-011
    name: No raw SQL queries
    severity: error
    description: >
      Use SQLAlchemy ORM or parameterized queries only.
      Never concatenate user input into SQL strings.

  - id: SEC-012
    name: No shell command injection
    severity: error
    description: >
      Never use shell=True with subprocess.
      Use subprocess with list arguments.

  - id: SEC-013
    name: No code execution
    severity: error
    description: >
      Never use eval() or exec() with user input.

  - id: SEC-014
    name: Path traversal prevention
    severity: error
    description: >
      Validate file paths to prevent directory traversal.
      Use secure_filename() for uploads.

  - id: SEC-015
    name: XSS prevention in templates
    severity: error
    description: >
      Use safe output methods in templates.
      Prefer x-text over x-html.

  - id: SEC-016
    name: LDAP injection prevention
    severity: error
    description: >
      Escape special characters in LDAP queries.

  - id: SEC-017
    name: XML external entity prevention
    severity: error
    description: >
      Disable external entities when parsing XML.
      Use defusedxml.

  - id: SEC-018
    name: Template injection prevention
    severity: error
    description: >
      Never render user input as template code.

  - id: SEC-019
    name: SSRF prevention
    severity: warning
    description: >
      Validate URLs before making external requests.
      Whitelist allowed domains.

  - id: SEC-020
    name: Deserialization safety
    severity: error
    description: >
      Never deserialize untrusted data with pickle.
      Use yaml.safe_load() instead of yaml.load().
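The rules above state what is forbidden but not how a reviewer would spot it in code. The following is an added example, not part of this rules file or of any project it belongs to: a small AST-based checker for the four Python-specific rules SEC-011, SEC-012, SEC-013 and SEC-020, run over a constructed sample where each violating line is followed by its compliant form. The CALL_RULES table, scan_source() and the sample are assumptions of this example, not a published tool.

```python
import ast

CALL_RULES = {  # hypothetical table: calls the rules above forbid outright
    ("eval",): "SEC-013", ("exec",): "SEC-013",
    ("pickle", "load"): "SEC-020", ("pickle", "loads"): "SEC-020",
    ("yaml", "load"): "SEC-020",
}

def _call_name(node: ast.Call):
    """('f',) for a bare call f(...), ('obj', 'attr') for obj.attr(...), else None."""
    func = node.func
    if isinstance(func, ast.Name):
        return (func.id,)
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None

def scan_source(source: str) -> list:
    """Return (rule_id, line, detail) for each call violating SEC-011/012/013/020."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or (name := _call_name(node)) is None:
            continue
        if name in CALL_RULES:  # SEC-013 / SEC-020: the call itself is the problem
            findings.append((CALL_RULES[name], node.lineno, ".".join(name)))
        # SEC-012: any subprocess.* call that passes shell=True
        if name[0] == "subprocess" and any(
                kw.arg == "shell" and getattr(kw.value, "value", None) is True
                for kw in node.keywords):
            findings.append(("SEC-012", node.lineno, "shell=True"))
        # SEC-011: execute()/executemany() whose SQL is built with '+' or an f-string
        if name[-1] in ("execute", "executemany") and node.args and isinstance(
                node.args[0], (ast.BinOp, ast.JoinedStr)):
            findings.append(("SEC-011", node.lineno, "SQL built at runtime"))
    return sorted(findings, key=lambda f: f[1])

# Constructed sample: each violating line is followed by its compliant form.
SAMPLE = '''\
import subprocess, pickle, yaml
def handler(user, conn, blob, doc):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
    cur.execute("SELECT * FROM users WHERE name = %s", (user,))
    subprocess.run("ls " + user, shell=True)
    subprocess.run(["ls", user])
    result = eval(user)
    obj = pickle.loads(blob)
    raw = yaml.load(doc)
    cfg = yaml.safe_load(doc)
'''
```

Running scan_source(SAMPLE) reports lines 4, 6, 8, 9 and 10 under SEC-011, SEC-012, SEC-013, SEC-020 and SEC-020 respectively, and nothing for the parameterized query, the list-argument subprocess call or yaml.safe_load().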