@clear-capabilities/agentic-security-scanner 0.77.0 → 0.78.0

package/src/ir/parser-php.js

@@ -0,0 +1,330 @@
+// PHP IR frontend.
+//
+// Regex-based, follows the parser-cs.js / parser-go.js pattern. Focused on
+// PDO, mysqli, Laravel DB facade, and PHP superglobal taint surface.
+//
+// What we model:
+//   - function / method declarations
+//   - $var = expr assignments
+//   - function calls and method calls ($obj->method(args))
+//   - return
+//   - foreach as loop-header + assign
+//   - PHP superglobals ($_GET, $_POST, $_REQUEST, etc.) as ident sources
+//
+// What we do NOT model:
+//   - arrow functions (fn($x) => expr)
+//   - traits / interfaces
+//   - anonymous classes
+//   - control flow (if/for/while/switch) — body is straight-line
+
+import * as crypto from 'node:crypto';
+
+const FUNC_RE = new RegExp(
+  '(?:^|[\\n;{}])\\s*' +
+  '(?:(?:public|private|protected|static|abstract|final)\\s+)*' +
+  'function\\s+' +
+  '([A-Za-z_]\\w*)' +                  // function name (g1)
+  '\\s*\\(([^)]*)\\)' +                // params (g2)
+  '(?:\\s*:\\s*\\??[A-Za-z_]\\w*)?' +   // optional return type
+  '\\s*\\{', 'g');
+
+function _splitStatements(body) {
+  const out = [];
+  let buf = '';
+  let depth = 0;
+  let inStr = null;
+  let escape = false;
+  for (let i = 0; i < body.length; i++) {
+    const c = body[i];
+    if (escape) { buf += c; escape = false; continue; }
+    if (inStr) {
+      buf += c;
+      if (c === '\\') { escape = true; continue; }
+      if (c === inStr) inStr = null;
+      continue;
+    }
+    if (c === '"' || c === '\'') { inStr = c; buf += c; continue; }
+    if (c === '/' && body[i + 1] === '/') {
+      while (i < body.length && body[i] !== '\n') i++;
+      continue;
+    }
+    if (c === '{' || c === '(' || c === '[') depth++;
+    if (c === '}' || c === ')' || c === ']') depth--;
+    if (c === ';' && depth === 0) {
+      const t = buf.trim();
+      if (t) out.push(t);
+      buf = '';
+      continue;
+    }
+    buf += c;
+  }
+  if (buf.trim()) out.push(buf.trim());
+  return out;
+}
+
+function _lowerExpr(text) {
+  const s = String(text || '').trim();
+  if (!s) return { kind: 'unknown' };
+  if (/^"/.test(s) || /^'/.test(s)) return { kind: 'literal', value: s };
+  if (/^\d/.test(s)) return { kind: 'literal', value: s };
+  if (/^(true|false|null|NULL)\b/.test(s)) return { kind: 'literal', value: s };
+  // Superglobals
+  if (/^\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES|SESSION|ENV)\b/.test(s)) {
+    const parts = s.split(/[\[\]'"]+/).filter(Boolean);
+    if (parts.length === 1) return { kind: 'ident', name: parts[0] };
+    let cur = { kind: 'ident', name: parts[0] };
+    for (let i = 1; i < parts.length; i++) {
+      cur = { kind: 'member', object: cur, prop: parts[i] || '[]' };
+    }
+    return cur;
+  }
+  // Variable
+  if (/^\$[A-Za-z_]\w*$/.test(s)) return { kind: 'ident', name: s };
+  // Method call: $obj->method(args) or ClassName::method(args)
+  const methodCall = s.match(/^(\$[\w]+(?:->[\w]+)*|[A-Za-z_][\w]*(?:::[\w]+)*)\s*\((.*)\)\s*$/s);
+  if (methodCall) {
+    const callee = methodCall[1].replace(/->/g, '.').replace(/::/g, '.');
+    const args = _splitTopLevelCommas(methodCall[2]).map(_lowerExpr);
+    return { kind: 'call', callee, args };
+  }
+  // Function call: func(args)
+  const funcCall = s.match(/^([A-Za-z_][\w]*)\s*\((.*)\)\s*$/s);
+  if (funcCall) {
+    return { kind: 'call', callee: funcCall[1], args: _splitTopLevelCommas(funcCall[2]).map(_lowerExpr) };
+  }
+  // Concat with .
+  if (s.includes('.') && /["'\$]/.test(s)) {
+    const parts = _splitTopLevelDot(s).map(_lowerExpr);
+    return { kind: 'tpl', parts };
+  }
+  // Member: $obj->prop
+  if (/^\$[\w]+(?:->[\w]+)+$/.test(s)) {
+    const parts = s.split('->');
+    let cur = { kind: 'ident', name: parts[0] };
+    for (let i = 1; i < parts.length; i++) cur = { kind: 'member', object: cur, prop: parts[i] };
+    return cur;
+  }
+  return { kind: 'unknown' };
+}
+
+function _splitTopLevelCommas(s) {
+  const out = [];
+  let buf = '';
+  let depth = 0;
+  let inStr = null;
+  for (let i = 0; i < s.length; i++) {
+    const c = s[i];
+    if (inStr) {
+      buf += c;
+      if (c === '\\') { i++; buf += s[i] || ''; continue; }
+      if (c === inStr) inStr = null;
+      continue;
+    }
+    if (c === '"' || c === '\'') { inStr = c; buf += c; continue; }
+    if (c === '(' || c === '{' || c === '[') depth++;
+    if (c === ')' || c === '}' || c === ']') depth--;
+    if (c === ',' && depth === 0) { out.push(buf.trim()); buf = ''; continue; }
+    buf += c;
+  }
+  if (buf.trim()) out.push(buf.trim());
+  return out;
+}
+
+function _splitTopLevelDot(s) {
+  const out = [];
+  let buf = '';
+  let depth = 0;
+  let inStr = null;
+  for (let i = 0; i < s.length; i++) {
+    const c = s[i];
+    if (inStr) {
+      buf += c;
+      if (c === '\\') { i++; buf += s[i] || ''; continue; }
+      if (c === inStr) inStr = null;
+      continue;
+    }
+    if (c === '"' || c === '\'') { inStr = c; buf += c; continue; }
+    if (c === '(' || c === '{' || c === '[') depth++;
+    if (c === ')' || c === '}' || c === ']') depth--;
+    if (c === '.' && depth === 0) { out.push(buf.trim()); buf = ''; continue; }
+    buf += c;
+  }
+  if (buf.trim()) out.push(buf.trim());
+  return out;
+}
+
+function _lowerStmt(stmt, line) {
+  const s = stmt.trim();
+  if (!s || s.startsWith('//') || s.startsWith('#')) return null;
+  if (/^return\b/.test(s)) {
+    const rest = s.replace(/^return\s*/, '').trim();
+    return { kind: 'return', line, value: rest ? _lowerExpr(rest) : null };
+  }
+  if (/^throw\b/.test(s)) {
+    return { kind: 'throw', line, value: _lowerExpr(s.replace(/^throw\s+/, '')) };
+  }
+  // Assignment: $var = expr
+  const assign = s.match(/^(\$[\w]+(?:->[\w]+)*)\s*=\s*(.+)$/s);
+  if (assign) {
+    return { kind: 'assign', line, target: assign[1], source: _lowerExpr(assign[2]) };
+  }
+  // Statement-form call
+  const call = s.match(/^(\$[\w]+(?:->[\w]+)*|[A-Za-z_][\w]*(?:::[\w]+)*)\s*\((.*)\)\s*$/s);
+  if (call) {
+    const callee = call[1].replace(/->/g, '.').replace(/::/g, '.');
+    return { kind: 'call', line, callee, args: _splitTopLevelCommas(call[2]).map(_lowerExpr) };
+  }
+  return null;
+}
+
+function _extractBody(src, openBrace) {
+  let depth = 1;
+  let i = openBrace + 1;
+  let inStr = null;
+  let escape = false;
+  while (i < src.length && depth > 0) {
+    const c = src[i];
+    if (escape) { escape = false; i++; continue; }
+    if (inStr) {
+      if (c === '\\') { escape = true; i++; continue; }
+      if (c === inStr) inStr = null;
+      i++; continue;
+    }
+    if (c === '"' || c === '\'') { inStr = c; i++; continue; }
+    if (c === '{') depth++;
+    else if (c === '}') depth--;
+    if (depth === 0) return { body: src.slice(openBrace + 1, i), end: i };
+    i++;
+  }
+  return null;
+}
+
+function _lineAt(src, idx) {
+  let line = 1;
+  for (let i = 0; i < idx && i < src.length; i++) if (src[i] === '\n') line++;
+  return line;
+}
+
+function _qid(file, name, line, body) {
+  const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);
+  return `${file}::${name}@${line}#${sha}`;
+}
+
+let _nid = 0;
+function _nextId() { return `pn${++_nid}`; }
+
+function _addNode(nodes, node) {
+  const id = _nextId();
+  node.succ = node.succ || [];
+  node.pred = node.pred || [];
+  nodes[id] = node;
+  return id;
+}
+
+function _linkNodes(nodes, src, dst) {
+  if (!nodes[src] || !nodes[dst]) return;
+  if (!nodes[src].succ.includes(dst)) nodes[src].succ.push(dst);
+  if (!nodes[dst].pred.includes(src)) nodes[dst].pred.push(src);
+}
+
+function _buildCfg(bodyText, nodes, prevId, startLine) {
+  const stmts = _splitStatements(bodyText);
+  let prev = prevId;
+  let line = startLine;
+  for (const stmt of stmts) {
+    const s = stmt.trim();
+    if (!s || s.startsWith('//') || s.startsWith('#')) { line++; continue; }
+
+    const ifMatch = s.match(/^if\s*\((.+?)\)\s*\{([\s\S]*)\}(?:\s*else\s*\{([\s\S]*)\})?\s*$/s);
+    if (ifMatch) {
+      const ifNode = _addNode(nodes, { kind: 'if', cond: _lowerExpr(ifMatch[1]), line });
+      _linkNodes(nodes, prev, ifNode);
+      const join = _addNode(nodes, { kind: 'noop', line });
+      const thenTail = _buildCfg(ifMatch[2], nodes, ifNode, line + 1);
+      _linkNodes(nodes, thenTail, join);
+      if (ifMatch[3]) {
+        const elseTail = _buildCfg(ifMatch[3], nodes, ifNode, line + 1);
+        _linkNodes(nodes, elseTail, join);
+      } else {
+        _linkNodes(nodes, ifNode, join);
+      }
+      prev = join;
+      line += (s.match(/\n/g) || []).length + 1;
+      continue;
+    }
+
+    const whileMatch = s.match(/^while\s*\((.+?)\)\s*\{([\s\S]*)\}\s*$/s);
+    if (whileMatch) {
+      const header = _addNode(nodes, { kind: 'loop-header', line });
+      _linkNodes(nodes, prev, header);
+      const bodyTail = _buildCfg(whileMatch[2], nodes, header, line + 1);
+      _linkNodes(nodes, bodyTail, header);
+      const join = _addNode(nodes, { kind: 'noop', line });
+      _linkNodes(nodes, header, join);
+      prev = join;
+      line += (s.match(/\n/g) || []).length + 1;
+      continue;
+    }
+
+    const foreachMatch = s.match(/^foreach\s*\((.+?)\s+as\s+(?:\$\w+\s*=>\s*)?(\$\w+)\)\s*\{([\s\S]*)\}\s*$/s);
+    if (foreachMatch) {
+      const header = _addNode(nodes, { kind: 'loop-header', line });
+      _linkNodes(nodes, prev, header);
+      const assignId = _addNode(nodes, { kind: 'assign', target: foreachMatch[2], source: _lowerExpr(foreachMatch[1]), line });
+      _linkNodes(nodes, header, assignId);
+      const bodyTail = _buildCfg(foreachMatch[3], nodes, assignId, line + 1);
+      _linkNodes(nodes, bodyTail, header);
+      const join = _addNode(nodes, { kind: 'noop', line });
+      _linkNodes(nodes, header, join);
+      prev = join;
+      line += (s.match(/\n/g) || []).length + 1;
+      continue;
+    }
+
+    const node = _lowerStmt(s, line);
+    if (!node) { line++; continue; }
+    const id = _addNode(nodes, node);
+    _linkNodes(nodes, prev, id);
+    prev = id;
+    line += (s.match(/\n/g) || []).length + 1;
+  }
+  return prev;
+}
+
+export function parsePhpFile(file, code) {
+  if (!file || typeof code !== 'string') return null;
+  if (!/\.(?:php|phtml)$/i.test(file)) return null;
+  if (code.length > 1_000_000) return null;
+
+  const functions = [];
+  FUNC_RE.lastIndex = 0;
+  _nid = 0;
+  let m;
+  while ((m = FUNC_RE.exec(code)) !== null) {
+    const name = m[1];
+    const paramsText = m[2] || '';
+    const params = paramsText.split(',').map(p => {
+      const t = p.trim();
+      if (!t) return null;
+      const vm = t.match(/\$(\w+)/);
+      return vm ? '$' + vm[1] : null;
+    }).filter(Boolean);
+    const braceIdx = code.indexOf('{', m.index + m[0].length - 1);
+    if (braceIdx < 0) continue;
+    const extracted = _extractBody(code, braceIdx);
+    if (!extracted) continue;
+    const startLine = _lineAt(code, m.index);
+    const nodes = {};
+    const entry = _addNode(nodes, { kind: 'entry', line: startLine });
+    const exit = _addNode(nodes, { kind: 'exit', line: startLine });
+    const tail = _buildCfg(extracted.body, nodes, entry, startLine + 1);
+    _linkNodes(nodes, tail, exit);
+    functions.push({
+      qid: _qid(file, name, startLine, extracted.body),
+      name, line: startLine, params, file,
+      cfg: { entry, exit, nodes },
+    });
+    FUNC_RE.lastIndex = extracted.end + 1;
+  }
+  return functions.length ? { file, functions, topLevel: null } : null;
+}

package/src/ir/parser-py.helper.py

@@ -166,8 +166,14 @@ def _lower_expr(node: ast.AST) -> dict[str, Any]:
     if isinstance(node, ast.Starred):
         return _lower_expr(node.value)
     if isinstance(node, ast.NamedExpr):
-        # Walrus: `(x := expr)` — flow the RHS forward.
-        return _lower_expr(node.value)
+        # Walrus: `(x := expr)` — surface both the target binding and the value.
+        return {
+            "kind": "union",
+            "branches": [
+                {"kind": "ident", "name": node.target.id},
+                _lower_expr(node.value),
+            ],
+        }
     if isinstance(node, ast.UnaryOp):
         return _lower_expr(node.operand)
     if isinstance(node, ast.Await):
@@ -205,9 +211,9 @@ def _flatten_callee(node: ast.AST) -> Any:
     return None
 
 
-def _assign_target(node: ast.AST) -> Optional[str]:
-    """Return a single identifier or dotted-path string for an assignment target,
-    or None for destructuring shapes we don't model."""
+def _assign_target(node: ast.AST) -> "str | list[str] | None":
+    """Return a single identifier, dotted-path string, or a list of targets
+    for destructuring assignments (Tuple/List unpacking)."""
     if isinstance(node, ast.Name):
         return node.id
     if isinstance(node, ast.Attribute):
@@ -219,7 +225,40 @@ def _assign_target(node: ast.AST) -> Optional[str]:
         if isinstance(cur, ast.Name):
             parts.insert(0, cur.id)
             return ".".join(parts)
-    # ast.Tuple, ast.List, ast.Starred — destructuring, not yet modeled.
+    if isinstance(node, (ast.Tuple, ast.List)):
+        targets = []
+        for elt in node.elts:
+            t = _assign_target(elt)
+            targets.append(t if isinstance(t, str) else None)
+        return targets
+    if isinstance(node, ast.Starred):
+        return _assign_target(node.value)
+    return None
+
+
+def _lower_match_pattern(pattern: ast.AST, subject: dict) -> dict:
+    """Lower a match-case pattern to an expression for the if-condition."""
+    if isinstance(pattern, ast.MatchValue):
+        return {"kind": "binary", "op": "Eq", "left": subject, "right": _lower_expr(pattern.value)}
+    if isinstance(pattern, ast.MatchSingleton):
+        return {"kind": "binary", "op": "Is", "left": subject, "right": {"kind": "literal", "value": pattern.value}}
+    if isinstance(pattern, ast.MatchAs):
+        if pattern.pattern is not None:
+            return _lower_match_pattern(pattern.pattern, subject)
+        return {"kind": "unknown"}
+    if isinstance(pattern, ast.MatchOr):
+        if pattern.patterns:
+            return _lower_match_pattern(pattern.patterns[0], subject)
+        return {"kind": "unknown"}
+    return {"kind": "unknown"}
+
+
+def _match_pattern_capture(pattern: ast.AST) -> Optional[str]:
+    """Extract the capture variable name from a match-case pattern, if any."""
+    if isinstance(pattern, ast.MatchAs):
+        return pattern.name
+    if isinstance(pattern, ast.MatchStar) and hasattr(pattern, "name"):
+        return pattern.name
     return None
 
 
@@ -250,6 +289,28 @@ class CfgBuilder:
         if src_id not in dn["pred"]:
             dn["pred"].append(src_id)
 
+    @staticmethod
+    def _collect_walrus(node: ast.AST) -> list[ast.NamedExpr]:
+        """Collect all NamedExpr (walrus) nodes from an expression tree."""
+        out: list[ast.NamedExpr] = []
+        for child in ast.walk(node):
+            if isinstance(child, ast.NamedExpr):
+                out.append(child)
+        return out
+
+    def _emit_walrus_assigns(self, expr_node: ast.AST, prev: str, line: int) -> str:
+        """Emit assign nodes for any walrus operators in an expression."""
+        for w in self._collect_walrus(expr_node):
+            a = self._add({
+                "kind": "assign",
+                "target": w.target.id,
+                "source": _lower_expr(w.value),
+                "line": line,
+            })
+            self._link(prev, a)
+            prev = a
+        return prev
+
     def lower(self, body: list[ast.stmt]) -> None:
         tail = self.entry
         tail = self._lower_block(body, tail)
@@ -274,6 +335,13 @@ class CfgBuilder:
                           + [_lower_expr(kw.value) for kw in (stmt.value.keywords or [])],
                     "line": line,
                 })
+            elif isinstance(stmt.value, ast.NamedExpr):
+                cur = self._add({
+                    "kind": "assign",
+                    "target": stmt.value.target.id,
+                    "source": _lower_expr(stmt.value.value),
+                    "line": line,
+                })
             else:
                 cur = self._add({"kind": "noop", "line": line})
             self._link(prev, cur)
@@ -300,10 +368,46 @@ class CfgBuilder:
                 # ast.Assign: targets may be multi (a = b = c). We use the first.
                 tgt = _assign_target(stmt.targets[0]) if stmt.targets else None
                 src = _lower_expr(stmt.value)
+            if isinstance(tgt, list):
+                # Destructuring: a, b = expr → one assign per element.
+                rhs = src
+                tail = prev
+                for i, t in enumerate(tgt):
+                    elem_src = {"kind": "member", "object": rhs, "prop": "[]"}
+                    a = self._add({"kind": "assign", "target": t, "source": elem_src, "line": line})
+                    self._link(tail, a)
+                    tail = a
+                return tail
+            # Comprehension with filters at statement level: emit filter conditions.
+            rhs_node = stmt.value if isinstance(stmt, (ast.Assign, ast.AnnAssign)) else None
+            if rhs_node and isinstance(rhs_node, (ast.ListComp, ast.SetComp, ast.GeneratorExp, ast.DictComp)):
+                tail = prev
+                for gen in rhs_node.generators:
+                    # Emit loop var assign from iter
+                    loop_tgt = _assign_target(gen.target)
+                    if loop_tgt and isinstance(loop_tgt, str):
+                        la = self._add({
+                            "kind": "assign", "target": loop_tgt,
+                            "source": _lower_expr(gen.iter), "line": line,
+                        })
+                        self._link(tail, la)
+                        tail = la
+                    for if_clause in gen.ifs:
+                        if_n = self._add({
+                            "kind": "if",
+                            "cond": _lower_expr(if_clause),
+                            "line": line,
+                        })
+                        self._link(tail, if_n)
+                        tail = if_n
+                cur = self._add({"kind": "assign", "target": tgt if isinstance(tgt, str) else None, "source": src, "line": line})
+                self._link(tail, cur)
+                return cur
             cur = self._add({"kind": "assign", "target": tgt, "source": src, "line": line})
             self._link(prev, cur)
             return cur
         if isinstance(stmt, ast.If):
+            prev = self._emit_walrus_assigns(stmt.test, prev, line)
             if_node = self._add({
                 "kind": "if",
                 "cond": _lower_expr(stmt.test),
@@ -342,6 +446,7 @@ class CfgBuilder:
             self._link(lh, join)
             return join
         if isinstance(stmt, (ast.While,)):
+            prev = self._emit_walrus_assigns(stmt.test, prev, line)
             lh = self._add({"kind": "loop-header", "line": line})
             self._link(prev, lh)
             body_tail = self._lower_block(stmt.body, lh)
@@ -409,11 +514,32 @@ class CfgBuilder:
             self._link(prev, cur)
             return cur
         if isinstance(stmt, ast.Match):
-            # Match statement — emit a noop for now. Future work: lower each
-            # case as an alternate branch with its pattern guard.
-            cur = self._add({"kind": "noop", "line": line, "_unmodeled": "match"})
-            self._link(prev, cur)
-            return cur
+            subject = _lower_expr(stmt.subject)
+            join = self._add({"kind": "noop", "line": line})
+            for case in stmt.cases:
+                case_line = getattr(case, "lineno", line) or line
+                pattern_expr = _lower_match_pattern(case.pattern, subject)
+                if_node = self._add({
+                    "kind": "if",
+                    "cond": pattern_expr,
+                    "line": case_line,
+                })
+                self._link(prev, if_node)
+                # If pattern has a capture name, emit an assign for it.
+                capture = _match_pattern_capture(case.pattern)
+                if capture:
+                    a = self._add({
+                        "kind": "assign", "target": capture,
+                        "source": subject, "line": case_line,
+                    })
+                    self._link(if_node, a)
+                    body_prev = a
+                else:
+                    body_prev = if_node
+                body_tail = self._lower_block(case.body, body_prev)
+                self._link(body_tail, join)
+            self._link(prev, join)
+            return join
         # ast.Pass, ast.Break, ast.Continue, ast.Import, ast.ImportFrom,
         # ast.Global, ast.Nonlocal, ast.Delete — all noops for taint.
         cur = self._add({"kind": "noop", "line": line})