@kernlang/review 3.1.5 → 3.1.7

package/dist/taint-types.js

@@ -0,0 +1,174 @@
+/**
+ * Taint Tracking — shared types, classification tables, and sanitizer sufficiency.
+ */
+// ── Source Classification ────────────────────────────────────────────────
+/** Param names/types that indicate HTTP handler context */
+export const HTTP_PARAM_NAMES = /^(req|request)$/i;
+export const HTTP_PARAM_TYPES = /Request|IncomingMessage|FastifyRequest|KoaContext|Context/;
+/** User input access patterns — what flows from HTTP params */
+export const USER_INPUT_ACCESS = [
+    { pattern: /\breq\.body\b/, origin: 'req.body' },
+    { pattern: /\breq\.query\b/, origin: 'req.query' },
+    { pattern: /\breq\.params\b/, origin: 'req.params' },
+    { pattern: /\breq\.headers\b/, origin: 'req.headers' },
+    { pattern: /\brequest\.body\b/, origin: 'request.body' },
+    { pattern: /\brequest\.query\b/, origin: 'request.query' },
+    { pattern: /\brequest\.params\b/, origin: 'request.params' },
+    { pattern: /\bprocess\.argv\b/, origin: 'process.argv' },
+    { pattern: /\bprocess\.env\b/, origin: 'process.env' },
+    // DB read results (indirect injection sources)
+    { pattern: /\bdb\.query\b/, origin: 'db.query' },
+    { pattern: /\bfindOne\b/, origin: 'findOne' },
+    { pattern: /\bfindById\b/, origin: 'findById' },
+    { pattern: /\bgetItem\b/, origin: 'getItem' },
+    { pattern: /\bcollection\.find\b/, origin: 'collection.find' },
+    // RAG/retrieval results
+    { pattern: /\bvectorStore\.search\b/, origin: 'vectorStore.search' },
+    { pattern: /\bsimilaritySearch\b/, origin: 'similaritySearch' },
+    { pattern: /\bindex\.query\b/, origin: 'index.query' },
+];
+export const SINK_PATTERNS = [
+    // Command execution
+    { pattern: /\bexec\s*\(/, name: 'exec', category: 'command' },
+    { pattern: /\bexecSync\s*\(/, name: 'execSync', category: 'command' },
+    { pattern: /\bspawn\s*\(/, name: 'spawn', category: 'command' },
+    { pattern: /\bspawnSync\s*\(/, name: 'spawnSync', category: 'command' },
+    { pattern: /\bexecFile\s*\(/, name: 'execFile', category: 'command' },
+    // Filesystem
+    { pattern: /\bwriteFile\s*\(/, name: 'writeFile', category: 'fs' },
+    { pattern: /\bwriteFileSync\s*\(/, name: 'writeFileSync', category: 'fs' },
+    { pattern: /\bcreateWriteStream\s*\(/, name: 'createWriteStream', category: 'fs' },
+    { pattern: /\bunlink\s*\(/, name: 'unlink', category: 'fs' },
+    { pattern: /\bunlinkSync\s*\(/, name: 'unlinkSync', category: 'fs' },
+    // SQL (template literal with query-like calls)
+    { pattern: /\bquery\s*\(/, name: 'query', category: 'sql' },
+    { pattern: /\b\$execute\s*\(/, name: '$execute', category: 'sql' },
+    { pattern: /\braw\s*\(/, name: 'raw', category: 'sql' },
+    // Redirect
+    { pattern: /\bredirect\s*\(/, name: 'redirect', category: 'redirect' },
+    // Eval
+    { pattern: /\beval\s*\(/, name: 'eval', category: 'eval' },
+    { pattern: /\bnew\s+Function\s*\(/, name: 'new Function', category: 'eval' },
+    // LLM API calls (prompt injection sinks)
+    { pattern: /\bgenerateContent\s*\(/, name: 'generateContent', category: 'template' },
+    { pattern: /\bsendMessage\s*\(/, name: 'sendMessage', category: 'template' },
+    { pattern: /\bchat\.completions\.create\s*\(/, name: 'chat.completions.create', category: 'template' },
+    // VM execution sinks (LLM output execution)
+    { pattern: /\bvm\.runInContext\s*\(/, name: 'vm.runInContext', category: 'eval' },
+    { pattern: /\bvm\.runInNewContext\s*\(/, name: 'vm.runInNewContext', category: 'eval' },
+    // Code generation sinks — external values interpolated into generated source code
+    { pattern: /\blines\.push\s*\(`/, name: 'lines.push(template)', category: 'codegen' },
+    { pattern: /\bhelperBlock\.push\s*\(`/, name: 'helperBlock.push(template)', category: 'codegen' },
+    { pattern: /\bcode\s*\+=\s*`/, name: 'code += template', category: 'codegen' },
+];
+// ── Sanitizer Detection ─────────────────────────────────────────────────
+export const SANITIZER_PATTERNS = [
+    // Type coercion (sanitizes to safe type)
+    { pattern: /\bparseInt\s*\(/, name: 'parseInt' },
+    { pattern: /\bparseFloat\s*\(/, name: 'parseFloat' },
+    { pattern: /\bNumber\s*\(/, name: 'Number()' },
+    { pattern: /\bBoolean\s*\(/, name: 'Boolean()' },
+    // Schema validation
+    { pattern: /\.parse\s*\(/, name: 'schema.parse' },
+    { pattern: /\.safeParse\s*\(/, name: 'schema.safeParse' },
+    { pattern: /\.validate\s*\(/, name: 'schema.validate' },
+    { pattern: /\.validateSync\s*\(/, name: 'schema.validateSync' },
+    // String sanitization
+    { pattern: /\bsanitize\w*\s?\(/, name: 'sanitize()' },
+    { pattern: /\bescape\w*\s?\(/, name: 'escape()' },
+    { pattern: /\bDOMPurify\b/, name: 'DOMPurify' },
+    { pattern: /\bencodeURI(Component)?\s*\(/, name: 'encodeURIComponent' },
+    // Path sanitization
+    { pattern: /path\.(resolve|normalize|basename)\s*\(/, name: 'path.normalize' },
+    { pattern: /\.replace\s*\(\s*\/.*\.\.\//, name: 'replace(../)' },
+    // SQL parameterization
+    { pattern: /\$\d+/, name: 'parameterized query ($N)' },
+    { pattern: /\?\s*,/, name: 'parameterized query (?)' },
+    // Prompt sanitization
+    { pattern: /\bsanitizeForPrompt\s*\(/, name: 'sanitizeForPrompt' },
+    { pattern: /\bescapePrompt\s*\(/, name: 'escapePrompt' },
+    // LLM-specific sanitizers
+    { pattern: /\bstripDelimiters\s*\(/, name: 'stripDelimiters' },
+    { pattern: /\bcleanForPrompt\s*\(/, name: 'cleanForPrompt' },
+];
+const SANITIZER_SUFFICIENCY = {
+    parseInt: new Set(['sql']),
+    parseFloat: new Set(['sql']),
+    'Number()': new Set(['sql']),
+    'Boolean()': new Set([]), // too weak for anything
+    'schema.parse': new Set(['command', 'fs', 'sql', 'redirect', 'eval', 'template']),
+    'schema.safeParse': new Set(['command', 'fs', 'sql', 'redirect', 'eval', 'template']),
+    'schema.validate': new Set(['command', 'fs', 'sql', 'redirect', 'eval', 'template']),
+    'schema.validateSync': new Set(['command', 'fs', 'sql', 'redirect', 'eval', 'template']),
+    'sanitize()': new Set(['template']),
+    'escape()': new Set(['sql', 'template']),
+    DOMPurify: new Set(['template']),
+    encodeURIComponent: new Set(['redirect']),
+    'path.normalize': new Set(['fs']),
+    'replace(../)': new Set(['fs']),
+    'parameterized query ($N)': new Set(['sql']),
+    'parameterized query (?)': new Set(['sql']),
+    sanitizeForPrompt: new Set(['template']),
+    escapePrompt: new Set(['template']),
+    stripDelimiters: new Set(['template']),
+    cleanForPrompt: new Set(['template']),
+};
+/**
+ * Check if a sanitizer is actually sufficient for a given sink category.
+ * Returns true if the sanitizer protects against the sink, false if it's
+ * a mismatch (e.g., parseInt used to "sanitize" command injection).
+ */
+export function isSanitizerSufficient(sanitizerName, sinkCategory) {
+    const allowed = SANITIZER_SUFFICIENCY[sanitizerName];
+    if (!allowed)
+        return false; // Unknown sanitizer — default deny, verify manually
+    return allowed.has(sinkCategory);
+}
+// ── Derived Lookup Tables ───────────────────────────────────────────────
+// Sink name → category lookup (flat map from SINK_PATTERNS)
+export const SINK_NAMES = new Map([
+    ['exec', 'command'],
+    ['execSync', 'command'],
+    ['spawn', 'command'],
+    ['spawnSync', 'command'],
+    ['execFile', 'command'],
+    ['execFileSync', 'command'],
+    ['readFile', 'fs'],
+    ['readFileSync', 'fs'],
+    ['writeFile', 'fs'],
+    ['writeFileSync', 'fs'],
+    ['createWriteStream', 'fs'],
+    ['createReadStream', 'fs'],
+    ['unlink', 'fs'],
+    ['unlinkSync', 'fs'],
+    ['query', 'sql'],
+    ['$execute', 'sql'],
+    ['raw', 'sql'],
+    ['$queryRaw', 'sql'],
+    ['$queryRawUnsafe', 'sql'],
+    ['redirect', 'redirect'],
+    ['eval', 'eval'],
+    ['Function', 'eval'],
+]);
+// Sanitizer names to detect (from SANITIZER_PATTERNS)
+export const SANITIZER_PATTERN_NAMES = [
+    'parseInt',
+    'parseFloat',
+    'Number',
+    'Boolean',
+    'String',
+    'encodeURI',
+    'encodeURIComponent',
+    'escape',
+    'sanitize',
+    'DOMPurify',
+    'purify',
+    'xss',
+    'escapeHtml',
+    'sqlstring',
+    'parameterized',
+    'parse',
+    'safeParse',
+    'validate',
+];
+//# sourceMappingURL=taint-types.js.map

package/dist/taint-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"taint-types.js","sourceRoot":"","sources":["../src/taint-types.ts"],"names":[],"mappings":"AAAA;;GAEG;AA+DH,4EAA4E;AAE5E,2DAA2D;AAC3D,MAAM,CAAC,MAAM,gBAAgB,GAAG,kBAAkB,CAAC;AACnD,MAAM,CAAC,MAAM,gBAAgB,GAAG,2DAA2D,CAAC;AAE5F,+DAA+D;AAC/D,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE;IAChD,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,EAAE,WAAW,EAAE;IAClD,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,YAAY,EAAE;IACpD,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,EAAE,aAAa,EAAE;IACtD,EAAE,OAAO,EAAE,mBAAmB,EAAE,MAAM,EAAE,cAAc,EAAE;IACxD,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,EAAE,eAAe,EAAE;IAC1D,EAAE,OAAO,EAAE,qBAAqB,EAAE,MAAM,EAAE,gBAAgB,EAAE;IAC5D,EAAE,OAAO,EAAE,mBAAmB,EAAE,MAAM,EAAE,cAAc,EAAE;IACxD,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,EAAE,aAAa,EAAE;IACtD,+CAA+C;IAC/C,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE;IAChD,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,SAAS,EAAE;IAC7C,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,UAAU,EAAE;IAC/C,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,SAAS,EAAE;IAC7C,EAAE,OAAO,EAAE,sBAAsB,EAAE,MAAM,EAAE,iBAAiB,EAAE;IAC9D,wBAAwB;IACxB,EAAE,OAAO,EAAE,yBAAyB,EAAE,MAAM,EAAE,oBAAoB,EAAE;IACpE,EAAE,OAAO,EAAE,sBAAsB,EAAE,MAAM,EAAE,kBAAkB,EAAE;IAC/D,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,EAAE,aAAa,EAAE;CAC9C,CAAC;AAUX,MAAM,CAAC,MAAM,aAAa,GAAkB;IAC1C,oBAAoB;IACpB,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE;IAC7D,EAAE,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE;IACrE,EAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE;IAC/D,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE;IACvE,EAAE,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE;IACrE,aAAa;IACb,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,EAAE;IAClE,EAAE,OAAO,EAAE,sBAAsB,EAAE,IAAI,EAAE,eAAe,EAAE,QAAQ,EAAE,IAAI,EAAE;IAC1E,EAAE,OAAO,EAAE,0BAA0B,EAAE,IAAI,EAAE,mBAAmB,EAAE,QAAQ,EAAE,IAAI,EAAE;IAClF,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;IAC5D,EAAE,OAAO,EAAE,mBAAmB,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE;IACpE,+CAA+C;IAC/C,EAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE;IAC3D,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE;IAClE,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE;IACvD,WAAW;IACX,EAAE,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE;IACtE,OAAO;IACP,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE;IAC1D,EAAE,OAAO,EAAE,uBAAuB,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,EAAE;IAC5E,yCAAyC;IACzC,EAAE,OAAO,EAAE,wBAAwB,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,UAAU,EAAE;IACpF,EAAE,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC5E,EAAE,OAAO,EAAE,kCAAkC,EAAE,IAAI,EAAE,yBAAyB,EAAE,QAAQ,EAAE,UAAU,EAAE;IACtG,4CAA4C;IAC5C,EAAE,OAAO,EAAE,yBAAyB,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,MAAM,EAAE;IACjF,EAAE,OAAO,EAAE,4BAA4B,EAAE,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,MAAM,EAAE;IACvF,kFAAkF;IAClF,EAAE,OAAO,EAAE,qBAAqB,EAAE,IAAI,EAAE,sBAAsB,EAAE,QAAQ,EAAE,SAAS,EAAE;IACrF,EAAE,OAAO,EAAE,2BAA2B,EAAE,IAAI,EAAE,4BAA4B,EAAE,QAAQ,EAAE,SAAS,EAAE;IACjG,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,kBAAkB,EAAE,QAAQ,EAAE,SAAS,EAAE;CAC/E,CAAC;AAEF,2EAA2E;AAE3E,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,yCAAyC;IACzC,EAAE,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,UAAU,EAAE;IAChD,EAAE,OAAO,EAAE,mBAAmB,EAAE,IAAI,EAAE,YAAY,EAAE;IACpD,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,UAAU,EAAE;IAC9C,EAAE,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,EAAE;IAChD,oBAAoB;IACpB,EAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,cAAc,EAAE;IACjD,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,kBAAkB,EAAE;IACzD,EAAE,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,iBAAiB,EAAE;IACvD,EAAE,OAAO,EAAE,qBAAqB,EAAE,IAAI,EAAE,qBAAqB,EAAE;IAC/D,sBAAsB;IACtB,EAAE,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE;IACrD,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,UAAU,EAAE;IACjD,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,WAAW,EAAE;IAC/C,EAAE,OAAO,EAAE,8BAA8B,EAAE,IAAI,EAAE,oBAAoB,EAAE;IACvE,oBAAoB;IACpB,EAAE,OAAO,EAAE,yCAAyC,EAAE,IAAI,EAAE,gBAAgB,EAAE;IAC9E,EAAE,OAAO,EAAE,6BAA6B,EAAE,IAAI,EAAE,cAAc,EAAE;IAChE,uBAAuB;IACvB,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,0BAA0B,EAAE;IACtD,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,yBAAyB,EAAE;IACtD,sBAAsB;IACtB,EAAE,OAAO,EAAE,0BAA0B,EAAE,IAAI,EAAE,mBAAmB,EAAE;IAClE,EAAE,OAAO,EAAE,qBAAqB,EAAE,IAAI,EAAE,cAAc,EAAE;IACxD,0BAA0B;IAC1B,EAAE,OAAO,EAAE,wBAAwB,EAAE,IAAI,EAAE,iBAAiB,EAAE;IAC9D,EAAE,OAAO,EAAE,uBAAuB,EAAE,IAAI,EAAE,gBAAgB,EAAE;CAC7D,CAAC;AAQF,MAAM,qBAAqB,GAAsC;IAC/D,QAAQ,EAAE,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAC1B,UAAU,EAAE,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAC5B,UAAU,EAAE,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAC5B,WAAW,EAAE,IAAI,GAAG,CAAC,EAAE,CAAC,EAAE,wBAAwB;IAClD,cAAc,EAAE,IAAI,GAAG,CAAC,CAAC,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;IACjF,kBAAkB,EAAE,IAAI,GAAG,CAAC,CAAC,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;IACrF,iBAAiB,EAAE,IAAI,GAAG,CAAC,CAAC,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;IACpF,qBAAqB,EAAE,IAAI,GAAG,CAAC,CAAC,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;IACxF,YAAY,EAAE,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC;IACnC,UAAU,EAAE,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IACxC,SAAS,EAAE,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC;IAChC,kBAAkB,EAAE,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC;IACzC,gBAAgB,EAAE,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC;IACjC,cAAc,EAAE,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC;IAC/B,0BAA0B,EAAE,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAC5C,yBAAyB,EAAE,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAC3C,iBAAiB,EAAE,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC;IACxC,YAAY,EAAE,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC;IACnC,eAAe,EAAE,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC;IACtC,cAAc,EAAE,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC;CACtC,CAAC;AAEF;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,aAAqB,EAAE,YAA0B;IACrF,MAAM,OAAO,GAAG,qBAAqB,CAAC,aAAa,CAAC,CAAC;IACrD,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC,CAAC,oDAAoD;IAChF,OAAO,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;AACnC,CAAC;AAED,2EAA2E;AAE3E,4DAA4D;AAC5D,MAAM,CAAC,MAAM,UAAU,GAAG,IAAI,GAAG,CAAgC;IAC/D,CAAC,MAAM,EAAE,SAAS,CAAC;IACnB,CAAC,UAAU,EAAE,SAAS,CAAC;IACvB,CAAC,OAAO,EAAE,SAAS,CAAC;IACpB,CAAC,WAAW,EAAE,SAAS,CAAC;IACxB,CAAC,UAAU,EAAE,SAAS,CAAC;IACvB,CAAC,cAAc,EAAE,SAAS,CAAC;IAC3B,CAAC,UAAU,EAAE,IAAI,CAAC;IAClB,CAAC,cAAc,EAAE,IAAI,CAAC;IACtB,CAAC,WAAW,EAAE,IAAI,CAAC;IACnB,CAAC,eAAe,EAAE,IAAI,CAAC;IACvB,CAAC,mBAAmB,EAAE,IAAI,CAAC;IAC3B,CAAC,kBAAkB,EAAE,IAAI,CAAC;IAC1B,CAAC,QAAQ,EAAE,IAAI,CAAC;IAChB,CAAC,YAAY,EAAE,IAAI,CAAC;IACpB,CAAC,OAAO,EAAE,KAAK,CAAC;IAChB,CAAC,UAAU,EAAE,KAAK,CAAC;IACnB,CAAC,KAAK,EAAE,KAAK,CAAC;IACd,CAAC,WAAW,EAAE,KAAK,CAAC;IACpB,CAAC,iBAAiB,EAAE,KAAK,CAAC;IAC1B,CAAC,UAAU,EAAE,UAAU,CAAC;IACxB,CAAC,MAAM,EAAE,MAAM,CAAC;IAChB,CAAC,UAAU,EAAE,MAAM,CAAC;CACrB,CAAC,CAAC;AAEH,sDAAsD;AACtD,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,UAAU;IACV,YAAY;IACZ,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,WAAW;IACX,oBAAoB;IACpB,QAAQ;IACR,UAAU;IACV,WAAW;IACX,QAAQ;IACR,KAAK;IACL,YAAY;IACZ,WAAW;IACX,eAAe;IACf,OAAO;IACP,WAAW;IACX,UAAU;CACX,CAAC"}

package/dist/taint.d.ts

@@ -1,115 +1,21 @@
 /**
- * Taint Tracking — source→sink analysis on KERN IR.
+ * Taint Tracking — barrel re-export module.
  *
- * Phase 2 of the security pipeline. Works on InferResult[] handler bodies.
- *
- * Two modes:
- *   analyzeTaint()          — intra-procedural (single file)
- *   analyzeTaintCrossFile() — inter-procedural (follows imports across files)
- *
- * Also validates sanitizer sufficiency: parseInt stops SQL injection on
- * numeric values but NOT command injection. DOMPurify stops XSS but
- * NOT SQL injection. The sufficiency matrix catches these mismatches.
- */
-import { type SourceFile } from 'ts-morph';
-import type { InferResult, ReviewFinding } from './types.js';
-export interface TaintSource {
-    name: string;
-    origin: string;
-    line?: number;
-}
-export interface TaintSink {
-    name: string;
-    category: 'command' | 'fs' | 'sql' | 'redirect' | 'eval' | 'template';
-    taintedArg: string;
-    line?: number;
-}
-export interface TaintPath {
-    source: TaintSource;
-    sink: TaintSink;
-    sanitized: boolean;
-    sanitizer?: string;
-    insufficientSanitizer?: string;
-}
-export interface TaintResult {
-    fnName: string;
-    filePath: string;
-    startLine: number;
-    paths: TaintPath[];
-}
-type SinkCategory = TaintSink['category'];
-/**
- * Check if a sanitizer is actually sufficient for a given sink category.
- * Returns true if the sanitizer protects against the sink, false if it's
- * a mismatch (e.g., parseInt used to "sanitize" command injection).
- */
-export declare function isSanitizerSufficient(sanitizerName: string, sinkCategory: SinkCategory): boolean;
-export interface CrossFileTaintResult {
-    callerFile: string;
-    callerFn: string;
-    callerLine: number;
-    calleeFile: string;
-    calleeFn: string;
-    taintedArgs: string[];
-    sinkInCallee: TaintSink;
-    source: TaintSource;
-}
-/** Map of exported function names → file path + param info */
-export interface ExportedFunction {
-    filePath: string;
-    fnName: string;
-    params: string;
-    hasSink: boolean;
-    sinks: TaintSink[];
-}
+ * Re-exports everything from the 5 taint sub-modules so existing
+ * imports from './taint.js' continue to work unchanged.
+ */
+import type { SourceFile } from 'ts-morph';
+import type { TaintResult } from './taint-types.js';
+import type { InferResult } from './types.js';
+export type { CrossFileTaintResult, ExportedFunction, InternalSinkFunction, SinkCategory, SinkPattern, TaintPath, TaintResult, TaintSink, TaintSource, } from './taint-types.js';
+export { HTTP_PARAM_NAMES, HTTP_PARAM_TYPES, isSanitizerSufficient, SANITIZER_PATTERN_NAMES, SANITIZER_PATTERNS, SINK_NAMES, SINK_PATTERNS, USER_INPUT_ACCESS, } from './taint-types.js';
+export { analyzeTaintAST, buildInternalSinkMap } from './taint-ast.js';
+export { analyzeTaintRegex, buildPaths, classifyParams, detectSanitizers, extractAllAssignments, extractDependencies, findClosingParen, findTaintedSinks, isCircularAssignment, parseLineAssignments, propagateTaint, propagateTaintMultiHop, } from './taint-regex.js';
+export { crossFileTaintToFindings, taintToFindings } from './taint-findings.js';
+export { analyzeTaintCrossFile, buildExportMap, buildImportMap } from './taint-crossfile.js';
 /**
  * Run taint analysis on all fn nodes in inferred results.
  * When sourceFile is provided, uses AST-based analysis (more accurate).
  * Falls back to regex-based analysis when no SourceFile available.
  */
 export declare function analyzeTaint(inferred: InferResult[], filePath: string, sourceFile?: SourceFile): TaintResult[];
-/**
- * Multi-hop taint propagation using worklist algorithm.
- * Propagates until fixed point or configurable depth limit.
- *
- * Handles all assignment patterns:
- * - const b = a
- * - const b = a.trim()
- * - const {x} = obj
- * - let b; b = a
- *
- * @param code - Handler code string
- * @param initialTainted - Set of initially tainted variable names
- * @param maxDepth - Maximum propagation depth (default: 3)
- * @returns Set of all tainted variable names after fixed point or depth limit
- */
-export declare function propagateTaintMultiHop(code: string, initialTainted: Set<string>, maxDepth?: number): Set<string>;
-/**
- * Convert taint results into ReviewFinding[] for the unified pipeline.
- */
-export declare function taintToFindings(results: TaintResult[]): ReviewFinding[];
-/**
- * Build a map of exported functions across all files.
- * Maps "filePath::fnName" → ExportedFunction with sink info.
- */
-export declare function buildExportMap(inferredPerFile: Map<string, InferResult[]>): Map<string, ExportedFunction>;
-/**
- * Build import→function resolution map.
- * Maps "importingFile::importedName" → absolute file path of the definition.
- */
-export declare function buildImportMap(inferredPerFile: Map<string, InferResult[]>, graphImports: Map<string, string[]>): Map<string, string>;
-/**
- * Cross-file taint analysis.
- *
- * For each handler function with tainted params:
- *   1. Find calls to imported functions in the handler body
- *   2. Check if tainted data is passed as an argument
- *   3. Look up the target function — does it have a dangerous sink?
- *   4. If yes and no sanitizer in between → cross-file taint path
- */
-export declare function analyzeTaintCrossFile(inferredPerFile: Map<string, InferResult[]>, graphImports: Map<string, string[]>): CrossFileTaintResult[];
-/**
- * Convert cross-file taint results into ReviewFinding[].
- */
-export declare function crossFileTaintToFindings(results: CrossFileTaintResult[]): ReviewFinding[];
-export {};