feat: Payment Compliance Pack — Semgrep + CodeQL + State Machine + Schema

Ausfuehrbares Pruefpaket fuer Payment-Terminal-Systeme: 1. Semgrep-Regeln (25 Regeln in 5 Dateien): - Logging: Sensitive Daten, Tokens, Debug-Flags - Crypto: MD5/SHA1/DES/ECB, Hardcoded Secrets, Weak Random, TLS - API: Debug-Routes, Exception Leaks, IDOR, Input Validation - Config: Test-Endpoints, CORS, Cookies, Retry - Data: Telemetrie, Cache, Export, Queue, Testdaten 2. CodeQL Query-Specs (5 Briefings): - Sensitive Data → Logs - Sensitive Data → HTTP Response - Tenant Context Loss - Sensitive Data → Telemetry - Cache/Export Leak 3. State-Machine-Tests (10 Testfaelle): - 11 Zustaende, 15 Events, 8 Invarianten - Duplicate Response, Timeout+Late Success, Decline - Invalid Reversal, Cancel, Backend Timeout - Parallel Reversal, Unknown Response, Reconnect - Late Response after Cancel 4. Finding Schema (JSON Schema): - Einheitliches Format fuer alle Engines - control_id, engine, status, confidence, evidence, verdict_text Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 14:59:49 +02:00
parent 5c1a514b52
commit 8dfab4ba14
15 changed files with 567 additions and 0 deletions
--- a/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_api.yml
+++ b/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_api.yml
@@ -0,0 +1,37 @@
+rules:
+  - id: payment-debug-route
+    message: Debug- oder Diagnosepfad im produktiven API-Code pruefen.
+    severity: WARNING
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(/debug|/internal|/test|/actuator|/swagger|/openapi)
+
+  - id: payment-admin-route-without-auth
+    message: Administrative Route ohne offensichtlichen Auth-Schutz pruefen.
+    severity: WARNING
+    languages: [python]
+    patterns:
+      - pattern: |
+          @app.$METHOD($ROUTE)
+          def $FUNC(...):
+            ...
+      - metavariable-pattern:
+          metavariable: $ROUTE
+          pattern-regex: (?i).*(admin|config|terminal|maintenance|device|key).*
+
+  - id: payment-raw-exception-response
+    message: Roh-Exceptions duerfen nicht direkt an Clients zurueckgegeben werden.
+    severity: ERROR
+    languages: [python, javascript, typescript]
+    pattern-regex: (?i)(return .*str\(e\)|res\.status\(500\)\.send\(e|json\(.*error.*e)
+
+  - id: payment-missing-input-validation
+    message: Zahlungsrelevanter Endpunkt ohne offensichtliche Validierung pruefen.
+    severity: INFO
+    languages: [python, javascript, typescript]
+    pattern-regex: (?i)(amount|currency|terminalId|transactionId)
+
+  - id: payment-idor-risk
+    message: Direkter Zugriff ueber terminalId/transactionId ohne Pruefung.
+    severity: WARNING
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(get.*terminalId|find.*terminalId|get.*transactionId|find.*transactionId)
--- a/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_config.yml
+++ b/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_config.yml
@@ -0,0 +1,30 @@
+rules:
+  - id: payment-prod-config-test-endpoint
+    message: Test- oder Sandbox-Endpunkt in produktionsnaher Konfiguration erkannt.
+    severity: ERROR
+    languages: [yaml, json]
+    pattern-regex: (?i)(sandbox|test-endpoint|mock-terminal|dummy-acquirer)
+
+  - id: payment-prod-debug-flag
+    message: Unsicherer Debug-Flag in Konfiguration erkannt.
+    severity: WARNING
+    languages: [yaml, json]
+    pattern-regex: (?i)(debug:\s*true|"debug"\s*:\s*true)
+
+  - id: payment-open-cors
+    message: Offene CORS-Freigabe pruefen.
+    severity: WARNING
+    languages: [yaml, json, javascript, typescript]
+    pattern-regex: (?i)(Access-Control-Allow-Origin.*\*|origin:\s*["']\*["'])
+
+  - id: payment-insecure-session-cookie
+    message: Unsicher gesetzte Session-Cookies pruefen.
+    severity: ERROR
+    languages: [javascript, typescript, python]
+    pattern-regex: (?i)(httpOnly\s*:\s*false|secure\s*:\s*false|sameSite\s*:\s*["']none["'])
+
+  - id: payment-unbounded-retry
+    message: Retry-Konfiguration scheint unbegrenzt oder zu hoch.
+    severity: WARNING
+    languages: [yaml, json]
+    pattern-regex: (?i)(retry.*(9999|infinite|unbounded))
--- a/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_crypto.yml
+++ b/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_crypto.yml
@@ -0,0 +1,43 @@
+rules:
+  - id: payment-no-md5-sha1
+    message: Unsichere Hash-Algorithmen erkannt.
+    severity: ERROR
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)\b(md5|sha1)\b
+
+  - id: payment-no-des-3des
+    message: Veraltete symmetrische Verfahren erkannt.
+    severity: ERROR
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)\b(des|3des|tripledes)\b
+
+  - id: payment-no-ecb
+    message: ECB-Modus ist fuer sensible Daten ungeeignet.
+    severity: ERROR
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)\becb\b
+
+  - id: payment-hardcoded-secret
+    message: Moeglicherweise hartkodiertes Secret erkannt.
+    severity: ERROR
+    languages: [python, javascript, typescript, java, go]
+    patterns:
+      - pattern-either:
+          - pattern: $KEY = "..."
+          - pattern: const $KEY = "..."
+          - pattern: final String $KEY = "..."
+      - metavariable-pattern:
+          metavariable: $KEY
+          pattern-regex: (?i).*(secret|apikey|api_key|password|passwd|privatekey|private_key|terminalkey|zvtkey|opiKey).*
+
+  - id: payment-weak-random
+    message: Nicht-kryptographischer Zufall in Sicherheitskontext erkannt.
+    severity: ERROR
+    languages: [python, javascript, typescript, java]
+    pattern-regex: (?i)(Math\.random|random\.random|new Random\()
+
+  - id: payment-disable-tls-verify
+    message: TLS-Zertifikatspruefung scheint deaktiviert zu sein.
+    severity: ERROR
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(verify\s*=\s*False|rejectUnauthorized\s*:\s*false|InsecureSkipVerify\s*:\s*true|trustAll)
--- a/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_data.yml
+++ b/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_data.yml
@@ -0,0 +1,30 @@
+rules:
+  - id: payment-sensitive-in-telemetry
+    message: Sensitive Zahlungsdaten in Telemetrie oder Tracing pruefen.
+    severity: ERROR
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(trace|span|metric|telemetry).*(pan|cvv|track2|cardnumber|pin|expiry)
+
+  - id: payment-sensitive-in-cache
+    message: Sensitiver Wert in Cache-Key oder Cache-Payload pruefen.
+    severity: WARNING
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(cache|redis|memcache).*(pan|cvv|track2|cardnumber|pin)
+
+  - id: payment-sensitive-export
+    message: Export oder Report mit sensitiven Feldern pruefen.
+    severity: WARNING
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(export|report|csv|xlsx|pdf).*(pan|cvv|track2|cardnumber|pin)
+
+  - id: payment-test-fixture-real-data
+    message: Testdaten mit moeglichen echten Kartendaten pruefen.
+    severity: WARNING
+    languages: [json, yaml, python, javascript, typescript]
+    pattern-regex: (?i)(4111111111111111|5555555555554444|track2|cvv)
+
+  - id: payment-queue-sensitive-payload
+    message: Queue-Nachricht mit sensitiven Zahlungsfeldern pruefen.
+    severity: WARNING
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(publish|send|enqueue).*(pan|cvv|track2|cardnumber|pin)
--- a/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_logging.yml
+++ b/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_logging.yml
@@ -0,0 +1,42 @@
+rules:
+  - id: payment-no-sensitive-logging-python
+    message: Sensitive Zahlungsdaten duerfen nicht geloggt werden.
+    severity: ERROR
+    languages: [python]
+    patterns:
+      - pattern-either:
+          - pattern: logging.$METHOD(..., $X, ...)
+          - pattern: logger.$METHOD(..., $X, ...)
+      - metavariable-pattern:
+          metavariable: $X
+          pattern-regex: (?i).*(pan|cvv|cvc|track2|track_2|cardnumber|card_number|karten|pin|expiry|ablauf).*
+
+  - id: payment-no-sensitive-logging-js
+    message: Sensitive Zahlungsdaten duerfen nicht geloggt werden.
+    severity: ERROR
+    languages: [javascript, typescript]
+    patterns:
+      - pattern-either:
+          - pattern: console.$METHOD(..., $X, ...)
+          - pattern: logger.$METHOD(..., $X, ...)
+      - metavariable-pattern:
+          metavariable: $X
+          pattern-regex: (?i).*(pan|cvv|cvc|track2|cardnumber|pin|expiry).*
+
+  - id: payment-no-token-logging
+    message: Tokens oder Session-IDs duerfen nicht geloggt werden.
+    severity: ERROR
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(log|logger|logging|console)\.(debug|info|warn|error).*?(token|sessionid|session_id|authheader|authorization)
+
+  - id: payment-no-debug-logging-prod-flag
+    message: Debug-Logging darf in produktiven Pfaden nicht fest aktiviert sein.
+    severity: WARNING
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(DEBUG\s*=\s*true|debug\s*:\s*true|setLevel\(.*DEBUG.*\))
+
+  - id: payment-audit-log-admin-action
+    message: Administrative sicherheitsrelevante Aktion ohne Audit-Hinweis pruefen.
+    severity: INFO
+    languages: [python, javascript, typescript]
+    pattern-regex: (?i)(deleteTerminal|rotateKey|updateConfig|disableDevice|enableMaintenance)