@kernlang/review 3.1.6 → 3.1.7

package/dist/taint-crossfile.js

@@ -0,0 +1,174 @@
+/**
+ * Taint Tracking — cross-file analysis.
+ *
+ * Traces tainted data across import boundaries:
+ *   handler(req) → importedFn(req.body) → exec() in another file.
+ */
+import { classifyParams, detectSanitizers, findClosingParen, findTaintedSinks, propagateTaint } from './taint-regex.js';
+// ── Export Map ───────────────────────────────────────────────────────────
+/**
+ * Build a map of exported functions across all files.
+ * Maps "filePath::fnName" → ExportedFunction with sink info.
+ */
+export function buildExportMap(inferredPerFile) {
+    const exportMap = new Map();
+    for (const [filePath, inferred] of inferredPerFile) {
+        for (const r of inferred) {
+            if (r.node.type !== 'fn')
+                continue;
+            const fnName = r.node.props?.name || '';
+            if (!fnName)
+                continue;
+            // Check if function is exported (absence of export='false' means exported)
+            const isExported = r.node.props?.export !== 'false';
+            if (!isExported)
+                continue;
+            const params = r.node.props?.params || '';
+            const handler = r.node.children?.find((c) => c.type === 'handler');
+            const code = handler?.props?.code || '';
+            // Check if the function body contains dangerous sinks
+            const sinks = [];
+            if (code) {
+                const dummyTaint = [];
+                // Parse params to get variable names for sink detection
+                const paramNames = params
+                    .split(',')
+                    .map((p) => p.trim().split(':')[0]?.trim())
+                    .filter(Boolean);
+                for (const name of paramNames) {
+                    dummyTaint.push({ name, origin: `param:${name}` });
+                }
+                if (dummyTaint.length > 0) {
+                    sinks.push(...findTaintedSinks(code, dummyTaint));
+                }
+            }
+            exportMap.set(`${filePath}::${fnName}`, {
+                filePath,
+                fnName,
+                params,
+                hasSink: sinks.length > 0,
+                sinks,
+            });
+        }
+    }
+    return exportMap;
+}
+// ── Import Map ──────────────────────────────────────────────────────────
+/**
+ * Build import→function resolution map.
+ * Maps "importingFile::importedName" → absolute file path of the definition.
+ */
+export function buildImportMap(inferredPerFile, graphImports) {
+    const importMap = new Map();
+    for (const [filePath, inferred] of inferredPerFile) {
+        const resolvedImports = graphImports.get(filePath) || [];
+        for (const r of inferred) {
+            if (r.node.type !== 'import')
+                continue;
+            const from = r.node.props?.from || '';
+            const names = r.node.props?.names || '';
+            const defaultImport = r.node.props?.default || '';
+            if (!from)
+                continue;
+            // Find the resolved path for this import specifier
+            const resolvedPath = resolvedImports.find((p) => p.includes(from.replace(/^\.\//, '').replace(/\.(js|ts|tsx)$/, '')));
+            if (!resolvedPath)
+                continue;
+            // Map each imported name to its resolved file
+            if (names) {
+                for (const name of names.split(',').map((n) => n.trim())) {
+                    if (name)
+                        importMap.set(`${filePath}::${name}`, resolvedPath);
+                }
+            }
+            if (defaultImport) {
+                importMap.set(`${filePath}::${defaultImport}`, resolvedPath);
+            }
+        }
+    }
+    return importMap;
+}
+// ── Cross-File Analysis ─────────────────────────────────────────────────
+/**
+ * Cross-file taint analysis.
+ *
+ * For each handler function with tainted params:
+ *   1. Find calls to imported functions in the handler body
+ *   2. Check if tainted data is passed as an argument
+ *   3. Look up the target function — does it have a dangerous sink?
+ *   4. If yes and no sanitizer in between → cross-file taint path
+ */
+export function analyzeTaintCrossFile(inferredPerFile, graphImports) {
+    const exportMap = buildExportMap(inferredPerFile);
+    const importMap = buildImportMap(inferredPerFile, graphImports);
+    const results = [];
+    for (const [filePath, inferred] of inferredPerFile) {
+        for (const r of inferred) {
+            if (r.node.type !== 'fn')
+                continue;
+            const fnName = r.node.props?.name || 'anonymous';
+            const paramsStr = r.node.props?.params || '';
+            const handler = r.node.children?.find((c) => c.type === 'handler');
+            const code = handler?.props?.code || '';
+            if (!code)
+                continue;
+            // Only analyze functions with tainted params
+            const taintedParams = classifyParams(paramsStr);
+            if (taintedParams.length === 0)
+                continue;
+            const taintedVars = propagateTaint(code, taintedParams);
+            const taintedNames = new Set(taintedVars.map((v) => v.name));
+            // Find calls to imported functions: importedFn(taintedVar)
+            const callRegex = /\b(\w+)\s*\(/g;
+            let callMatch;
+            while ((callMatch = callRegex.exec(code)) !== null) {
+                const calledFn = callMatch[0].replace(/\s*\($/, '');
+                // Is this an imported function?
+                const resolvedFile = importMap.get(`${filePath}::${calledFn}`);
+                if (!resolvedFile)
+                    continue;
+                // Does the target have dangerous sinks?
+                const targetFn = exportMap.get(`${resolvedFile}::${calledFn}`);
+                if (!targetFn?.hasSink)
+                    continue;
+                // Extract arguments passed to this call
+                const callStart = callMatch.index + callMatch[0].length;
+                const parenEnd = findClosingParen(code, callStart);
+                const argText = code.slice(callStart, parenEnd);
+                // Check if any tainted variable is passed as argument
+                const taintedArgs = [];
+                for (const tName of taintedNames) {
+                    if (new RegExp(`\\b${tName}\\b`).test(argText)) {
+                        taintedArgs.push(tName);
+                    }
+                }
+                if (taintedArgs.length === 0)
+                    continue;
+                // Check for sanitizers between the taint and the call
+                const beforeCall = code.slice(0, callMatch.index);
+                const foundSanitizers = detectSanitizers(beforeCall);
+                const hasSanitizer = taintedArgs.some((arg) => foundSanitizers.some((s) => new RegExp(`\\b${arg}\\b`).test(s.context)));
+                if (hasSanitizer)
+                    continue; // Sanitized before passing to callee
+                // Found cross-file taint path
+                for (const sink of targetFn.sinks) {
+                    const source = taintedVars.find((v) => taintedArgs.includes(v.name));
+                    if (!source)
+                        continue;
+                    results.push({
+                        callerFile: filePath,
+                        callerFn: fnName,
+                        callerLine: r.startLine,
+                        calleeFile: resolvedFile,
+                        calleeFn: calledFn,
+                        taintedArgs,
+                        sinkInCallee: sink,
+                        source,
+                    });
+                }
+            }
+        }
+    }
+    return results;
+}
+//# sourceMappingURL=taint-crossfile.js.map

package/dist/taint-crossfile.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"taint-crossfile.js","sourceRoot":"","sources":["../src/taint-crossfile.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAIxH,4EAA4E;AAE5E;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,eAA2C;IACxE,MAAM,SAAS,GAAG,IAAI,GAAG,EAA4B,CAAC;IAEtD,KAAK,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,eAAe,EAAE,CAAC;QACnD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,IAAI;gBAAE,SAAS;YACnC,MAAM,MAAM,GAAI,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,IAAe,IAAI,EAAE,CAAC;YACpD,IAAI,CAAC,MAAM;gBAAE,SAAS;YAEtB,2EAA2E;YAC3E,MAAM,UAAU,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;YACpD,IAAI,CAAC,UAAU;gBAAE,SAAS;YAE1B,MAAM,MAAM,GAAI,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,MAAiB,IAAI,EAAE,CAAC;YACtD,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC;YACnE,MAAM,IAAI,GAAI,OAAO,EAAE,KAAK,EAAE,IAAe,IAAI,EAAE,CAAC;YAEpD,sDAAsD;YACtD,MAAM,KAAK,GAAgB,EAAE,CAAC;YAC9B,IAAI,IAAI,EAAE,CAAC;gBACT,MAAM,UAAU,GAAkB,EAAE,CAAC;gBACrC,wDAAwD;gBACxD,MAAM,UAAU,GAAG,MAAM;qBACtB,KAAK,CAAC,GAAG,CAAC;qBACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;qBAC1C,MAAM,CAAC,OAAO,CAAC,CAAC;gBACnB,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;oBAC9B,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,IAAI,EAAE,EAAE,CAAC,CAAC;gBACrD,CAAC;gBACD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC1B,KAAK,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC,CAAC;gBACpD,CAAC;YACH,CAAC;YAED,SAAS,CAAC,GAAG,CAAC,GAAG,QAAQ,KAAK,MAAM,EAAE,EAAE;gBACtC,QAAQ;gBACR,MAAM;gBACN,MAAM;gBACN,OAAO,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC;gBACzB,KAAK;aACN,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,2EAA2E;AAE3E;;;GAGG;AACH,MAAM,UAAU,cAAc,CAC5B,eAA2C,EAC3C,YAAmC;IAEnC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAkB,CAAC;IAE5C,KAAK,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,eAAe,EAAE,CAAC;QACnD,MAAM,eAAe,GAAG,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEzD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,QAAQ;gBAAE,SAAS;YACvC,MAAM,IAAI,GAAI,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,IAAe,IAAI,EAAE,CAAC;YAClD,MAAM,KAAK,GAAI,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,KAAgB,IAAI,EAAE,CAAC;YACpD,MAAM,aAAa,GAAI,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,OAAkB,IAAI,EAAE,CAAC;YAE9D,IAAI,CAAC,IAAI;gBAAE,SAAS;YAEpB,mDAAmD;YACnD,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAC9C,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC,CACpE,CAAC;YACF,IAAI,CAAC,YAAY;gBAAE,SAAS;YAE5B,8CAA8C;YAC9C,IAAI,KAAK,EAAE,CAAC;gBACV,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;oBACzD,IAAI,IAAI;wBAAE,SAAS,CAAC,GAAG,CAAC,GAAG,QAAQ,KAAK,IAAI,EAAE,EAAE,YAAY,CAAC,CAAC;gBAChE,CAAC;YACH,CAAC;YACD,IAAI,aAAa,EAAE,CAAC;gBAClB,SAAS,CAAC,GAAG,CAAC,GAAG,QAAQ,KAAK,aAAa,EAAE,EAAE,YAAY,CAAC,CAAC;YAC/D,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,2EAA2E;AAE3E;;;;;;;;GAQG;AACH,MAAM,UAAU,qBAAqB,CACnC,eAA2C,EAC3C,YAAmC;IAEnC,MAAM,SAAS,GAAG,cAAc,CAAC,eAAe,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,cAAc,CAAC,eAAe,EAAE,YAAY,CAAC,CAAC;IAChE,MAAM,OAAO,GAA2B,EAAE,CAAC;IAE3C,KAAK,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,eAAe,EAAE,CAAC;QACnD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,IAAI;gBAAE,SAAS;YAEnC,MAAM,MAAM,GAAI,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,IAAe,IAAI,WAAW,CAAC;YAC7D,MAAM,SAAS,GAAI,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,MAAiB,IAAI,EAAE,CAAC;YACzD,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC;YACnE,MAAM,IAAI,GAAI,OAAO,EAAE,KAAK,EAAE,IAAe,IAAI,EAAE,CAAC;YACpD,IAAI,CAAC,IAAI;gBAAE,SAAS;YAEpB,6CAA6C;YAC7C,MAAM,aAAa,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;YAChD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAEzC,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;YACxD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;YAE7D,2DAA2D;YAC3D,MAAM,SAAS,GAAG,eAAe,CAAC;YAClC,IAAI,SAAS,CAAC;YACd,OAAO,CAAC,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACnD,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;gBAEpD,gCAAgC;gBAChC,MAAM,YAAY,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,QAAQ,KAAK,QAAQ,EAAE,CAAC,CAAC;gBAC/D,IAAI,CAAC,YAAY;oBAAE,SAAS;gBAE5B,wCAAwC;gBACxC,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,YAAY,KAAK,QAAQ,EAAE,CAAC,CAAC;gBAC/D,IAAI,CAAC,QAAQ,EAAE,OAAO;oBAAE,SAAS;gBAEjC,wCAAwC;gBACxC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBACxD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;gBACnD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;gBAEhD,sDAAsD;gBACtD,MAAM,WAAW,GAAa,EAAE,CAAC;gBACjC,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;oBACjC,IAAI,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;wBAC/C,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;oBAC1B,CAAC;gBACH,CAAC;gBAED,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;oBAAE,SAAS;gBAEvC,sDAAsD;gBACtD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;gBAClD,MAAM,eAAe,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;gBACrD,MAAM,YAAY,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAC5C,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CACxE,CAAC;gBAEF,IAAI,YAAY;oBAAE,SAAS,CAAC,qCAAqC;gBAEjE,8BAA8B;gBAC9B,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;oBAClC,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;oBACrE,IAAI,CAAC,MAAM;wBAAE,SAAS;oBAEtB,OAAO,CAAC,IAAI,CAAC;wBACX,UAAU,EAAE,QAAQ;wBACpB,QAAQ,EAAE,MAAM;wBAChB,UAAU,EAAE,CAAC,CAAC,SAAS;wBACvB,UAAU,EAAE,YAAY;wBACxB,QAAQ,EAAE,QAAQ;wBAClB,WAAW;wBACX,YAAY,EAAE,IAAI;wBAClB,MAAM;qBACP,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/taint-findings.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Taint Tracking — unified finding generation.
+ *
+ * Converts TaintResult and CrossFileTaintResult into ReviewFinding[].
+ * Shared category labels and suggestion logic eliminates duplication.
+ */
+import type { CrossFileTaintResult, TaintResult, TaintSink } from './taint-types.js';
+import type { ReviewFinding } from './types.js';
+export declare function getSuggestion(category: TaintSink['category']): string;
+/**
+ * Convert taint results into ReviewFinding[] for the unified pipeline.
+ */
+export declare function taintToFindings(results: TaintResult[]): ReviewFinding[];
+/**
+ * Convert cross-file taint results into ReviewFinding[].
+ */
+export declare function crossFileTaintToFindings(results: CrossFileTaintResult[]): ReviewFinding[];

package/dist/taint-findings.js

@@ -0,0 +1,131 @@
+/**
+ * Taint Tracking — unified finding generation.
+ *
+ * Converts TaintResult and CrossFileTaintResult into ReviewFinding[].
+ * Shared category labels and suggestion logic eliminates duplication.
+ */
+import { createFingerprint } from './types.js';
+// ── Shared Constants ────────────────────────────────────────────────────
+const categoryLabels = {
+    command: 'command injection',
+    fs: 'path traversal / file write',
+    sql: 'SQL injection',
+    redirect: 'open redirect',
+    eval: 'code injection',
+    template: 'template injection',
+    codegen: 'code generation injection',
+};
+export function getSuggestion(category) {
+    switch (category) {
+        case 'command':
+            return 'Use spawn() with array arguments, or validate/escape input before passing to exec()';
+        case 'fs':
+            return 'Use path.resolve() + path.normalize() and verify the result stays within allowed directory';
+        case 'sql':
+            return 'Use parameterized queries ($1, ?) instead of string interpolation';
+        case 'redirect':
+            return 'Validate redirect URL against an allowlist of safe destinations';
+        case 'eval':
+            return 'Never pass user input to eval() or new Function() — use safe alternatives';
+        case 'template':
+            return 'Sanitize user input before embedding in templates';
+        case 'codegen':
+            return 'Validate type and format of external values before interpolating into generated source code (e.g., parseInt for numeric values)';
+    }
+}
+// ── Intra-File Findings ─────────────────────────────────────────────────
+/**
+ * Convert taint results into ReviewFinding[] for the unified pipeline.
+ */
+export function taintToFindings(results) {
+    const findings = [];
+    for (const r of results) {
+        // Report unsanitized paths AND insufficient sanitizer paths
+        const reportable = r.paths.filter((p) => !p.sanitized);
+        if (reportable.length === 0)
+            continue;
+        for (const path of reportable) {
+            const severity = path.sink.category === 'command' || path.sink.category === 'eval'
+                ? 'error'
+                : path.sink.category === 'codegen'
+                    ? 'warning' // codegen injection: external values in generated source — validate type/format
+                    : 'warning';
+            const primarySpan = {
+                file: r.filePath,
+                startLine: r.startLine,
+                startCol: 1,
+                endLine: r.startLine,
+                endCol: 1,
+            };
+            if (path.insufficientSanitizer) {
+                // Sanitizer present but wrong for this sink type
+                findings.push({
+                    source: 'kern',
+                    ruleId: `taint-insufficient-sanitizer`,
+                    severity,
+                    category: 'bug',
+                    message: `Insufficient sanitizer: '${path.insufficientSanitizer}' does not protect against ${categoryLabels[path.sink.category]}. ` +
+                        `${path.source.origin} → ${path.sink.name}() is still exploitable.`,
+                    primarySpan,
+                    suggestion: `${path.insufficientSanitizer} is not sufficient for ${path.sink.category} sinks. ${getSuggestion(path.sink.category)}`,
+                    fingerprint: createFingerprint(`taint-insufficient`, r.startLine, 1),
+                });
+            }
+            else {
+                // No sanitizer at all
+                findings.push({
+                    source: 'kern',
+                    ruleId: `taint-${path.sink.category}`,
+                    severity,
+                    category: 'bug',
+                    message: `Taint flow: ${path.source.origin} → ${path.sink.name}() — potential ${categoryLabels[path.sink.category]}. ` +
+                        `Variable '${path.sink.taintedArg}' reaches dangerous sink without sanitization.`,
+                    primarySpan,
+                    suggestion: getSuggestion(path.sink.category),
+                    fingerprint: createFingerprint(`taint-${path.sink.category}`, r.startLine, 1),
+                });
+            }
+        }
+    }
+    return findings;
+}
+// ── Cross-File Findings ─────────────────────────────────────────────────
+/**
+ * Convert cross-file taint results into ReviewFinding[].
+ */
+export function crossFileTaintToFindings(results) {
+    const findings = [];
+    for (const r of results) {
+        const severity = r.sinkInCallee.category === 'command' || r.sinkInCallee.category === 'eval'
+            ? 'error'
+            : 'warning';
+        findings.push({
+            source: 'kern',
+            ruleId: `taint-crossfile-${r.sinkInCallee.category}`,
+            severity,
+            category: 'bug',
+            message: `Cross-file taint: ${r.source.origin} in ${r.callerFn}() → ${r.calleeFn}() → ${r.sinkInCallee.name}(). ` +
+                `Tainted data crosses file boundary to reach ${categoryLabels[r.sinkInCallee.category]} sink.`,
+            primarySpan: {
+                file: r.callerFile,
+                startLine: r.callerLine,
+                startCol: 1,
+                endLine: r.callerLine,
+                endCol: 1,
+            },
+            relatedSpans: [
+                {
+                    file: r.calleeFile,
+                    startLine: 1,
+                    startCol: 1,
+                    endLine: 1,
+                    endCol: 1,
+                },
+            ],
+            suggestion: `Validate '${r.taintedArgs.join(', ')}' before passing to ${r.calleeFn}(). ${getSuggestion(r.sinkInCallee.category)}`,
+            fingerprint: createFingerprint(`taint-xfile-${r.sinkInCallee.category}`, r.callerLine, 1),
+        });
+    }
+    return findings;
+}
+//# sourceMappingURL=taint-findings.js.map

package/dist/taint-findings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"taint-findings.js","sourceRoot":"","sources":["../src/taint-findings.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAE/C,2EAA2E;AAE3E,MAAM,cAAc,GAA0C;IAC5D,OAAO,EAAE,mBAAmB;IAC5B,EAAE,EAAE,6BAA6B;IACjC,GAAG,EAAE,eAAe;IACpB,QAAQ,EAAE,eAAe;IACzB,IAAI,EAAE,gBAAgB;IACtB,QAAQ,EAAE,oBAAoB;IAC9B,OAAO,EAAE,2BAA2B;CACrC,CAAC;AAEF,MAAM,UAAU,aAAa,CAAC,QAA+B;IAC3D,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,SAAS;YACZ,OAAO,qFAAqF,CAAC;QAC/F,KAAK,IAAI;YACP,OAAO,4FAA4F,CAAC;QACtG,KAAK,KAAK;YACR,OAAO,mEAAmE,CAAC;QAC7E,KAAK,UAAU;YACb,OAAO,iEAAiE,CAAC;QAC3E,KAAK,MAAM;YACT,OAAO,2EAA2E,CAAC;QACrF,KAAK,UAAU;YACb,OAAO,mDAAmD,CAAC;QAC7D,KAAK,SAAS;YACZ,OAAO,iIAAiI,CAAC;IAC7I,CAAC;AACH,CAAC;AAED,2EAA2E;AAE3E;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,OAAsB;IACpD,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,4DAA4D;QAC5D,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QACvD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAEtC,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC9B,MAAM,QAAQ,GACZ,IAAI,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,KAAK,MAAM;gBAC/D,CAAC,CAAE,OAAiB;gBACpB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS;oBAChC,CAAC,CAAE,SAAmB,CAAC,gFAAgF;oBACvG,CAAC,CAAE,SAAmB,CAAC;YAE7B,MAAM,WAAW,GAAe;gBAC9B,IAAI,EAAE,CAAC,CAAC,QAAQ;gBAChB,SAAS,EAAE,CAAC,CAAC,SAAS;gBACtB,QAAQ,EAAE,CAAC;gBACX,OAAO,EAAE,CAAC,CAAC,SAAS;gBACpB,MAAM,EAAE,CAAC;aACV,CAAC;YAEF,IAAI,IAAI,CAAC,qBAAqB,EAAE,CAAC;gBAC/B,iDAAiD;gBACjD,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,MAAM;oBACd,MAAM,EAAE,8BAA8B;oBACtC,QAAQ;oBACR,QAAQ,EAAE,KAAK;oBACf,OAAO,EACL,4BAA4B,IAAI,CAAC,qBAAqB,8BAA8B,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI;wBAC1H,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,0BAA0B;oBACrE,WAAW;oBACX,UAAU,EAAE,GAAG,IAAI,CAAC,qBAAqB,0BAA0B,IAAI,CAAC,IAAI,CAAC,QAAQ,WAAW,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE;oBACnI,WAAW,EAAE,iBAAiB,CAAC,oBAAoB,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;iBACrE,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,sBAAsB;gBACtB,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,MAAM;oBACd,MAAM,EAAE,SAAS,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE;oBACrC,QAAQ;oBACR,QAAQ,EAAE,KAAK;oBACf,OAAO,EACL,eAAe,IAAI,CAAC,MAAM,CAAC,MAAM,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,kBAAkB,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI;wBAC7G,aAAa,IAAI,CAAC,IAAI,CAAC,UAAU,gDAAgD;oBACnF,WAAW;oBACX,UAAU,EAAE,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC;oBAC7C,WAAW,EAAE,iBAAiB,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;iBAC9E,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,2EAA2E;AAE3E;;GAEG;AACH,MAAM,UAAU,wBAAwB,CAAC,OAA+B;IACtE,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,QAAQ,GACZ,CAAC,CAAC,YAAY,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,CAAC,YAAY,CAAC,QAAQ,KAAK,MAAM;YACzE,CAAC,CAAE,OAAiB;YACpB,CAAC,CAAE,SAAmB,CAAC;QAE3B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,mBAAmB,CAAC,CAAC,YAAY,CAAC,QAAQ,EAAE;YACpD,QAAQ;YACR,QAAQ,EAAE,KAAK;YACf,OAAO,EACL,qBAAqB,CAAC,CAAC,MAAM,CAAC,MAAM,OAAO,CAAC,CAAC,QAAQ,QAAQ,CAAC,CAAC,QAAQ,QAAQ,CAAC,CAAC,YAAY,CAAC,IAAI,MAAM;gBACxG,+CAA+C,cAAc,CAAC,CAAC,CAAC,YAAY,CAAC,QAAQ,CAAC,QAAQ;YAChG,WAAW,EAAE;gBACX,IAAI,EAAE,CAAC,CAAC,UAAU;gBAClB,SAAS,EAAE,CAAC,CAAC,UAAU;gBACvB,QAAQ,EAAE,CAAC;gBACX,OAAO,EAAE,CAAC,CAAC,UAAU;gBACrB,MAAM,EAAE,CAAC;aACV;YACD,YAAY,EAAE;gBACZ;oBACE,IAAI,EAAE,CAAC,CAAC,UAAU;oBAClB,SAAS,EAAE,CAAC;oBACZ,QAAQ,EAAE,CAAC;oBACX,OAAO,EAAE,CAAC;oBACV,MAAM,EAAE,CAAC;iBACV;aACF;YACD,UAAU,EAAE,aAAa,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,QAAQ,OAAO,aAAa,CAAC,CAAC,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE;YACjI,WAAW,EAAE,iBAAiB,CAAC,eAAe,CAAC,CAAC,YAAY,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;SAC1F,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/taint-regex.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Taint Tracking — Regex-based fallback engine.
+ *
+ * Used when no ts-morph SourceFile is available.
+ * Works on handler body strings from KERN IR nodes.
+ */
+import type { TaintPath, TaintResult, TaintSink, TaintSource } from './taint-types.js';
+import type { InferResult } from './types.js';
+/**
+ * Regex-based taint analysis — legacy fallback for when no SourceFile is available.
+ */
+export declare function analyzeTaintRegex(inferred: InferResult[], filePath: string): TaintResult[];
+/**
+ * Classify function parameters as tainted or safe.
+ */
+export declare function classifyParams(paramsStr: string): TaintSource[];
+/**
+ * Multi-hop taint propagation using worklist algorithm.
+ * Propagates until fixed point or configurable depth limit.
+ *
+ * Handles all assignment patterns:
+ * - const b = a
+ * - const b = a.trim()
+ * - const {x} = obj
+ * - let b; b = a
+ *
+ * @param code - Handler code string
+ * @param initialTainted - Set of initially tainted variable names
+ * @param maxDepth - Maximum propagation depth (default: 3)
+ * @returns Set of all tainted variable names after fixed point or depth limit
+ */
+export declare function propagateTaintMultiHop(code: string, initialTainted: Set<string>, maxDepth?: number): Set<string>;
+interface Assignment {
+    lhs: string;
+    rhs: string;
+    assignId: string;
+}
+export declare function extractAllAssignments(code: string): Assignment[];
+export declare function parseLineAssignments(line: string, lineNum: number): Assignment[];
+export declare function extractDependencies(rhs: string): Set<string>;
+export declare function isCircularAssignment(lhs: string, rhs: string, allAssignments: Assignment[]): boolean;
+/**
+ * Propagate taint through variable assignments in handler body.
+ * Tracks: const x = req.body.foo → x is tainted.
+ * Returns all tainted variable names with their origins.
+ */
+export declare function propagateTaint(code: string, params: TaintSource[]): TaintSource[];
+/**
+ * Find sink calls that use tainted variables.
+ */
+export declare function findTaintedSinks(code: string, taintedVars: TaintSource[]): TaintSink[];
+/**
+ * Build taint paths and check for sanitizers between source and sink.
+ */
+export declare function buildPaths(code: string, taintedVars: TaintSource[], sinks: TaintSink[]): TaintPath[];
+export declare function detectSanitizers(code: string): Array<{
+    name: string;
+    context: string;
+}>;
+export declare function findClosingParen(code: string, start: number): number;
+export {};