@kernlang/review 3.1.6 → 3.1.8

package/dist/taint-regex.js

@@ -0,0 +1,379 @@
+/**
+ * Taint Tracking — Regex-based fallback engine.
+ *
+ * Used when no ts-morph SourceFile is available.
+ * Works on handler body strings from KERN IR nodes.
+ */
+import { HTTP_PARAM_NAMES, HTTP_PARAM_TYPES, isSanitizerSufficient, SANITIZER_PATTERNS, SINK_PATTERNS, } from './taint-types.js';
+// ── Main Regex Analysis ─────────────────────────────────────────────────
+/**
+ * Regex-based taint analysis — legacy fallback for when no SourceFile is available.
+ */
+export function analyzeTaintRegex(inferred, filePath) {
+    const results = [];
+    for (const r of inferred) {
+        if (r.node.type !== 'fn')
+            continue;
+        const fnName = r.node.props?.name || 'anonymous';
+        const paramsStr = r.node.props?.params || '';
+        // Get handler body
+        const handler = r.node.children?.find((c) => c.type === 'handler');
+        const code = handler?.props?.code || '';
+        if (!code)
+            continue;
+        // Step 1: Classify params as tainted
+        const taintedParams = classifyParams(paramsStr);
+        if (taintedParams.length === 0)
+            continue;
+        // Step 2: Propagate taint through assignments
+        const taintedVars = propagateTaint(code, taintedParams);
+        // Step 3: Find sinks that use tainted variables
+        const sinks = findTaintedSinks(code, taintedVars);
+        if (sinks.length === 0)
+            continue;
+        // Step 4: Check for sanitizers
+        const paths = buildPaths(code, taintedVars, sinks);
+        if (paths.length > 0) {
+            results.push({
+                fnName,
+                filePath,
+                startLine: r.startLine,
+                paths,
+            });
+        }
+    }
+    return results;
+}
+// ── Param Classification ────────────────────────────────────────────────
+/**
+ * Classify function parameters as tainted or safe.
+ */
+export function classifyParams(paramsStr) {
+    const sources = [];
+    if (!paramsStr)
+        return sources;
+    const params = paramsStr.split(',').map((p) => {
+        const parts = p.trim().split(':');
+        return { name: parts[0]?.trim(), type: parts[1]?.trim() || '' };
+    });
+    for (const p of params) {
+        if (!p.name)
+            continue;
+        if (HTTP_PARAM_NAMES.test(p.name) || HTTP_PARAM_TYPES.test(p.type)) {
+            sources.push({ name: p.name, origin: `${p.name} (HTTP input)` });
+        }
+    }
+    return sources;
+}
+// ── Multi-Hop Taint Propagation ─────────────────────────────────────────
+/**
+ * Multi-hop taint propagation using worklist algorithm.
+ * Propagates until fixed point or configurable depth limit.
+ *
+ * Handles all assignment patterns:
+ * - const b = a
+ * - const b = a.trim()
+ * - const {x} = obj
+ * - let b; b = a
+ *
+ * @param code - Handler code string
+ * @param initialTainted - Set of initially tainted variable names
+ * @param maxDepth - Maximum propagation depth (default: 3)
+ * @returns Set of all tainted variable names after fixed point or depth limit
+ */
+export function propagateTaintMultiHop(code, initialTainted, maxDepth = 3) {
+    const tainted = new Set(initialTainted);
+    const worklist = [];
+    const visitedAssignments = new Set();
+    const assignmentDepths = new Map();
+    for (const v of initialTainted) {
+        worklist.push({ varName: v, depth: 0 });
+    }
+    const allAssignments = extractAllAssignments(code);
+    while (worklist.length > 0) {
+        const { varName: currentVar, depth } = worklist.shift();
+        if (depth >= maxDepth)
+            continue;
+        for (const assignment of allAssignments) {
+            const { lhs, rhs, assignId } = assignment;
+            if (visitedAssignments.has(`${assignId}:${depth}`))
+                continue;
+            const rhsDeps = extractDependencies(rhs);
+            if (rhsDeps.has(currentVar)) {
+                visitedAssignments.add(`${assignId}:${depth}`);
+                const existingDepth = assignmentDepths.get(lhs);
+                if (existingDepth !== undefined && existingDepth <= depth + 1) {
+                    continue;
+                }
+                assignmentDepths.set(lhs, depth + 1);
+                if (!tainted.has(lhs)) {
+                    tainted.add(lhs);
+                    worklist.push({ varName: lhs, depth: depth + 1 });
+                }
+                if (isCircularAssignment(lhs, rhs, allAssignments)) {
+                    continue;
+                }
+                for (const dep of rhsDeps) {
+                    if (dep !== currentVar && tainted.has(dep)) {
+                        const depDepth = assignmentDepths.get(dep) ?? 0;
+                        if (depth + 1 > depDepth) {
+                            if (!tainted.has(lhs)) {
+                                tainted.add(lhs);
+                                worklist.push({ varName: lhs, depth: depth + 1 });
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+    return tainted;
+}
+export function extractAllAssignments(code) {
+    const assignments = [];
+    const lines = code.split('\n');
+    let assignCounter = 0;
+    for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith('//') || trimmed.startsWith('*'))
+            continue;
+        for (const assign of parseLineAssignments(trimmed, assignCounter)) {
+            assignments.push(assign);
+            assignCounter++;
+        }
+    }
+    return assignments;
+}
+export function parseLineAssignments(line, lineNum) {
+    const assignments = [];
+    const constLetVarRegex = /^(?:const|let|var)\s+/;
+    const declMatch = line.match(constLetVarRegex);
+    if (!declMatch) {
+        const reassignRegex = /^(\w+)\s*=\s*(.+)$/;
+        const reassign = line.match(reassignRegex);
+        if (reassign) {
+            assignments.push({
+                lhs: reassign[1],
+                rhs: reassign[2],
+                assignId: `${lineNum}:reassign`,
+            });
+        }
+        return assignments;
+    }
+    const rest = line.slice(declMatch[0].length);
+    const destructRegex = /^\{\s*([^}]+)\}\s*=\s*(.+)$/;
+    const destructMatch = rest.match(destructRegex);
+    if (destructMatch) {
+        const vars = destructMatch[1]
+            .split(',')
+            .map((v) => {
+            const name = v.trim().split(':')[0].split('=')[0].trim();
+            return name;
+        })
+            .filter((v) => v && !v.startsWith('...'));
+        const rhs = destructMatch[2];
+        for (let i = 0; i < vars.length; i++) {
+            assignments.push({
+                lhs: vars[i],
+                rhs: `${rhs}[${i}]`,
+                assignId: `${lineNum}:destructure:${i}`,
+            });
+        }
+        return assignments;
+    }
+    const simpleAssignRegex = /^(\w+)\s*=\s*(.+)$/;
+    const simpleMatch = rest.match(simpleAssignRegex);
+    if (simpleMatch) {
+        assignments.push({
+            lhs: simpleMatch[1],
+            rhs: simpleMatch[2],
+            assignId: `${lineNum}:simple`,
+        });
+    }
+    return assignments;
+}
+export function extractDependencies(rhs) {
+    const deps = new Set();
+    const RESERVED = new Set([
+        'undefined',
+        'null',
+        'true',
+        'false',
+        'const',
+        'let',
+        'var',
+        'new',
+        'typeof',
+        'instanceof',
+        'return',
+        'await',
+        'async',
+        'function',
+        'if',
+        'else',
+        'for',
+        'while',
+        'switch',
+        'case',
+        'break',
+        'continue',
+        'throw',
+        'try',
+        'catch',
+        'finally',
+    ]);
+    // Match all identifier chains: foo, foo.bar, foo.bar.baz, foo[0].bar
+    const chainRegex = /\b([a-zA-Z_$]\w*)(?:\.\w+|\[[^\]]*\])*/g;
+    let match;
+    while ((match = chainRegex.exec(rhs)) !== null) {
+        const base = match[1];
+        if (!RESERVED.has(base) && !/^\d/.test(base)) {
+            deps.add(base);
+        }
+    }
+    return deps;
+}
+export function isCircularAssignment(lhs, rhs, allAssignments) {
+    const rhsDeps = extractDependencies(rhs);
+    const visited = new Set();
+    const stack = [...rhsDeps];
+    while (stack.length > 0) {
+        const current = stack.pop();
+        if (current === lhs)
+            return true;
+        if (visited.has(current))
+            continue;
+        visited.add(current);
+        for (const assign of allAssignments) {
+            if (assign.lhs === current) {
+                const deps = extractDependencies(assign.rhs);
+                for (const dep of deps) {
+                    if (!visited.has(dep)) {
+                        stack.push(dep);
+                    }
+                }
+            }
+        }
+    }
+    return false;
+}
+// ── Taint Propagation ───────────────────────────────────────────────────
+/**
+ * Propagate taint through variable assignments in handler body.
+ * Tracks: const x = req.body.foo → x is tainted.
+ * Returns all tainted variable names with their origins.
+ */
+export function propagateTaint(code, params) {
+    const tainted = new Map();
+    for (const p of params) {
+        tainted.set(p.name, p);
+    }
+    const initialTainted = new Set(tainted.keys());
+    const propagated = propagateTaintMultiHop(code, initialTainted);
+    for (const v of propagated) {
+        if (!tainted.has(v)) {
+            tainted.set(v, { name: v, origin: `derived` });
+        }
+    }
+    return Array.from(tainted.values());
+}
+// ── Sink Detection ──────────────────────────────────────────────────────
+/**
+ * Find sink calls that use tainted variables.
+ */
+export function findTaintedSinks(code, taintedVars) {
+    const sinks = [];
+    const taintedNames = new Set(taintedVars.map((v) => v.name));
+    for (const { pattern, name, category } of SINK_PATTERNS) {
+        // Scan ALL matches using a global copy (original patterns are non-global)
+        const globalPattern = new RegExp(pattern.source, 'g');
+        let match;
+        while ((match = globalPattern.exec(code)) !== null) {
+            // Extract the argument region after the match
+            const callStart = match.index + match[0].length;
+            const parenDepth = findClosingParen(code, callStart);
+            const argText = code.slice(callStart, parenDepth);
+            // Check if any tainted variable is used in the arguments
+            for (const tName of taintedNames) {
+                if (new RegExp(`\\b${tName}\\b`).test(argText)) {
+                    sinks.push({ name, category, taintedArg: tName });
+                    break;
+                }
+            }
+            // Also check for template literals with tainted vars in any sink category
+            const templateMatch = argText.match(/`[^`]*\$\{(\w+)\}[^`]*`/);
+            if (templateMatch && taintedNames.has(templateMatch[1])) {
+                sinks.push({ name: `${name} (template)`, category, taintedArg: templateMatch[1] });
+            }
+        }
+    }
+    // Check template literals used in exec/spawn-like contexts
+    const templateExecRegex = /`[^`]*\$\{(\w+)\}[^`]*`/g;
+    let tm;
+    while ((tm = templateExecRegex.exec(code)) !== null) {
+        if (taintedNames.has(tm[1])) {
+            // Check if this template is used as argument to a command-like function
+            const before = code.slice(Math.max(0, tm.index - 50), tm.index);
+            if (/exec\s*\(|spawn\s*\(|execSync\s*\(/.test(before)) {
+            }
+        }
+    }
+    return sinks;
+}
+// ── Path Building ───────────────────────────────────────────────────────
+/**
+ * Build taint paths and check for sanitizers between source and sink.
+ */
+export function buildPaths(code, taintedVars, sinks) {
+    const paths = [];
+    const foundSanitizers = detectSanitizers(code);
+    for (const sink of sinks) {
+        // Find the source that produced this tainted arg
+        const source = taintedVars.find((v) => v.name === sink.taintedArg);
+        if (!source)
+            continue;
+        // Check if any sanitizer was applied to this specific variable
+        const sanitizer = foundSanitizers.find((s) => new RegExp(`\\b${sink.taintedArg}\\b`).test(s.context) ||
+            new RegExp(`${s.name}\\s*\\([^)]*\\b${sink.taintedArg}\\b`).test(code));
+        // Check sanitizer sufficiency — is this the RIGHT sanitizer for this sink?
+        const hasSanitizer = sanitizer != null;
+        const sufficient = sanitizer != null ? isSanitizerSufficient(sanitizer.name, sink.category) : false;
+        paths.push({
+            source,
+            sink,
+            sanitized: hasSanitizer && sufficient,
+            sanitizer: sanitizer?.name,
+            insufficientSanitizer: hasSanitizer && !sufficient ? sanitizer.name : undefined,
+        });
+    }
+    return paths;
+}
+// ── Sanitizer Detection ─────────────────────────────────────────────────
+export function detectSanitizers(code) {
+    const found = [];
+    for (const { pattern, name } of SANITIZER_PATTERNS) {
+        const globalPattern = new RegExp(pattern.source, 'g');
+        let match;
+        while ((match = globalPattern.exec(code)) !== null) {
+            const start = Math.max(0, match.index - 50);
+            const end = Math.min(code.length, match.index + match[0].length + 50);
+            found.push({ name, context: code.slice(start, end) });
+        }
+    }
+    return found;
+}
+// ── Utilities ───────────────────────────────────────────────────────────
+export function findClosingParen(code, start) {
+    let depth = 1;
+    for (let i = start; i < code.length; i++) {
+        if (code[i] === '(')
+            depth++;
+        if (code[i] === ')') {
+            depth--;
+            if (depth === 0)
+                return i;
+        }
+    }
+    return Math.min(start + 500, code.length); // fallback
+}
+//# sourceMappingURL=taint-regex.js.map

package/dist/taint-regex.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"taint-regex.js","sourceRoot":"","sources":["../src/taint-regex.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,qBAAqB,EACrB,kBAAkB,EAClB,aAAa,GACd,MAAM,kBAAkB,CAAC;AAG1B,2EAA2E;AAE3E;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAuB,EAAE,QAAgB;IACzE,MAAM,OAAO,GAAkB,EAAE,CAAC;IAElC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,IAAI;YAAE,SAAS;QAEnC,MAAM,MAAM,GAAI,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,IAAe,IAAI,WAAW,CAAC;QAC7D,MAAM,SAAS,GAAI,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,MAAiB,IAAI,EAAE,CAAC;QAEzD,mBAAmB;QACnB,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC;QACnE,MAAM,IAAI,GAAI,OAAO,EAAE,KAAK,EAAE,IAAe,IAAI,EAAE,CAAC;QACpD,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,qCAAqC;QACrC,MAAM,aAAa,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAEzC,8CAA8C;QAC9C,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;QAExD,gDAAgD;QAChD,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QAClD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAEjC,+BAA+B;QAC/B,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,EAAE,WAAW,EAAE,KAAK,CAAC,CAAC;QAEnD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,OAAO,CAAC,IAAI,CAAC;gBACX,MAAM;gBACN,QAAQ;gBACR,SAAS,EAAE,CAAC,CAAC,SAAS;gBACtB,KAAK;aACN,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,2EAA2E;AAE3E;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,SAAiB;IAC9C,MAAM,OAAO,GAAkB,EAAE,CAAC;IAClC,IAAI,CAAC,SAAS;QAAE,OAAO,OAAO,CAAC;IAE/B,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAC5C,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClC,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,CAAC,IAAI;YAAE,SAAS;QACtB,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;YACnE,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,eAAe,EAAE,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,2EAA2E;AAE3E;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAAY,EAAE,cAA2B,EAAE,WAAmB,CAAC;IACpG,MAAM,OAAO,GAAG,IAAI,GAAG,CAAS,cAAc,CAAC,CAAC;IAChD,MAAM,QAAQ,GAA8C,EAAE,CAAC;IAC/D,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC7C,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAkB,CAAC;IAEnD,KAAK,MAAM,CAAC,IAAI,cAAc,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,MAAM,cAAc,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC;IAEnD,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,QAAQ,CAAC,KAAK,EAAG,CAAC;QAEzD,IAAI,KAAK,IAAI,QAAQ;YAAE,SAAS;QAEhC,KAAK,MAAM,UAAU,IAAI,cAAc,EAAE,CAAC;YACxC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,UAAU,CAAC;YAE1C,IAAI,kBAAkB,CAAC,GAAG,CAAC,GAAG,QAAQ,IAAI,KAAK,EAAE,CAAC;gBAAE,SAAS;YAE7D,MAAM,OAAO,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;YAEzC,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC5B,kBAAkB,CAAC,GAAG,CAAC,GAAG,QAAQ,IAAI,KAAK,EAAE,CAAC,CAAC;gBAE/C,MAAM,aAAa,GAAG,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAChD,IAAI,aAAa,KAAK,SAAS,IAAI,aAAa,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;oBAC9D,SAAS;gBACX,CAAC;gBACD,gBAAgB,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;gBAErC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBACtB,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;oBACjB,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,GAAG,CAAC,EAAE,CAAC,CAAC;gBACpD,CAAC;gBAED,IAAI,oBAAoB,CAAC,GAAG,EAAE,GAAG,EAAE,cAAc,CAAC,EAAE,CAAC;oBACnD,SAAS;gBACX,CAAC;gBAED,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;oBAC1B,IAAI,GAAG,KAAK,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;wBAC3C,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;wBAChD,IAAI,KAAK,GAAG,CAAC,GAAG,QAAQ,EAAE,CAAC;4BACzB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gCACtB,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gCACjB,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,GAAG,CAAC,EAAE,CAAC,CAAC;4BACpD,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAUD,MAAM,UAAU,qBAAqB,CAAC,IAAY;IAChD,MAAM,WAAW,GAAiB,EAAE,CAAC;IAErC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,aAAa,GAAG,CAAC,CAAC;IAEtB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAE9E,KAAK,MAAM,MAAM,IAAI,oBAAoB,CAAC,OAAO,EAAE,aAAa,CAAC,EAAE,CAAC;YAClE,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACzB,aAAa,EAAE,CAAC;QAClB,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,IAAY,EAAE,OAAe;IAChE,MAAM,WAAW,GAAiB,EAAE,CAAC;IAErC,MAAM,gBAAgB,GAAG,uBAAuB,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAC/C,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,aAAa,GAAG,oBAAoB,CAAC;QAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QAC3C,IAAI,QAAQ,EAAE,CAAC;YACb,WAAW,CAAC,IAAI,CAAC;gBACf,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;gBAChB,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;gBAChB,QAAQ,EAAE,GAAG,OAAO,WAAW;aAChC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAE7C,MAAM,aAAa,GAAG,6BAA6B,CAAC;IACpD,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IAChD,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,IAAI,GAAG,aAAa,CAAC,CAAC,CAAC;aAC1B,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YACT,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACzD,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;aACD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QAC7B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,WAAW,CAAC,IAAI,CAAC;gBACf,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;gBACZ,GAAG,EAAE,GAAG,GAAG,IAAI,CAAC,GAAG;gBACnB,QAAQ,EAAE,GAAG,OAAO,gBAAgB,CAAC,EAAE;aACxC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,MAAM,iBAAiB,GAAG,oBAAoB,CAAC;IAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAClD,IAAI,WAAW,EAAE,CAAC;QAChB,WAAW,CAAC,IAAI,CAAC;YACf,GAAG,EAAE,WAAW,CAAC,CAAC,CAAC;YACnB,GAAG,EAAE,WAAW,CAAC,CAAC,CAAC;YACnB,QAAQ,EAAE,GAAG,OAAO,SAAS;SAC9B,CAAC,CAAC;IACL,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,GAAW;IAC7C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC;QACvB,WAAW;QACX,MAAM;QACN,MAAM;QACN,OAAO;QACP,OAAO;QACP,KAAK;QACL,KAAK;QACL,KAAK;QACL,QAAQ;QACR,YAAY;QACZ,QAAQ;QACR,OAAO;QACP,OAAO;QACP,UAAU;QACV,IAAI;QACJ,MAAM;QACN,KAAK;QACL,OAAO;QACP,QAAQ;QACR,MAAM;QACN,OAAO;QACP,UAAU;QACV,OAAO;QACP,KAAK;QACL,OAAO;QACP,SAAS;KACV,CAAC,CAAC;IAEH,qEAAqE;IACrE,MAAM,UAAU,GAAG,yCAAyC,CAAC;IAC7D,IAAI,KAAK,CAAC;IACV,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC/C,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7C,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,GAAW,EAAE,GAAW,EAAE,cAA4B;IACzF,MAAM,OAAO,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,MAAM,KAAK,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC;IAE3B,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,EAAG,CAAC;QAC7B,IAAI,OAAO,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QACjC,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;YAAE,SAAS;QACnC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAErB,KAAK,MAAM,MAAM,IAAI,cAAc,EAAE,CAAC;YACpC,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;gBAC3B,MAAM,IAAI,GAAG,mBAAmB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC7C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;oBACvB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;wBACtB,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;oBAClB,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,2EAA2E;AAE3E;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY,EAAE,MAAqB;IAChE,MAAM,OAAO,GAAG,IAAI,GAAG,EAAuB,CAAC;IAE/C,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACzB,CAAC;IAED,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAG,sBAAsB,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IAEhE,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACpB,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;AACtC,CAAC;AAED,2EAA2E;AAE3E;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY,EAAE,WAA0B;IACvE,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAE7D,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,aAAa,EAAE,CAAC;QACxD,0EAA0E;QAC1E,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACtD,IAAI,KAAK,CAAC;QACV,OAAO,CAAC,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACnD,8CAA8C;YAC9C,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;YAChD,MAAM,UAAU,GAAG,gBAAgB,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;YACrD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;YAElD,yDAAyD;YACzD,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;gBACjC,IAAI,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC/C,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,CAAC;oBAClD,MAAM;gBACR,CAAC;YACH,CAAC;YAED,0EAA0E;YAC1E,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;YAC/D,IAAI,aAAa,IAAI,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACxD,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,IAAI,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACrF,CAAC;QACH,CAAC;IACH,CAAC;IAED,2DAA2D;IAC3D,MAAM,iBAAiB,GAAG,0BAA0B,CAAC;IACrD,IAAI,EAAE,CAAC;IACP,OAAO,CAAC,EAAE,GAAG,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACpD,IAAI,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5B,wEAAwE;YACxE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;YAChE,IAAI,oCAAoC,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACxD,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,2EAA2E;AAE3E;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY,EAAE,WAA0B,EAAE,KAAkB;IACrF,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,eAAe,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAE/C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,iDAAiD;QACjD,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,UAAU,CAAC,CAAC;QACnE,IAAI,CAAC,MAAM;YAAE,SAAS;QAEtB,+DAA+D;QAC/D,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CACpC,CAAC,CAAC,EAAE,EAAE,CACJ,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC,UAAU,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;YACtD,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,kBAAkB,IAAI,CAAC,UAAU,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CACzE,CAAC;QAEF,2EAA2E;QAC3E,MAAM,YAAY,GAAG,SAAS,IAAI,IAAI,CAAC;QACvC,MAAM,UAAU,GAAG,SAAS,IAAI,IAAI,CAAC,CAAC,CAAC,qBAAqB,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QAEpG,KAAK,CAAC,IAAI,CAAC;YACT,MAAM;YACN,IAAI;YACJ,SAAS,EAAE,YAAY,IAAI,UAAU;YACrC,SAAS,EAAE,SAAS,EAAE,IAAI;YAC1B,qBAAqB,EAAE,YAAY,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;SAChF,CAAC,CAAC;IACL,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,2EAA2E;AAE3E,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,MAAM,KAAK,GAA6C,EAAE,CAAC;IAE3D,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,kBAAkB,EAAE,CAAC;QACnD,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACtD,IAAI,KAAK,CAAC;QACV,OAAO,CAAC,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACnD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;YAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;YACtE,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,2EAA2E;AAE3E,MAAM,UAAU,gBAAgB,CAAC,IAAY,EAAE,KAAa;IAC1D,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,IAAI,CAAC,GAAG,KAAK,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,GAAG;YAAE,KAAK,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YACpB,KAAK,EAAE,CAAC;YACR,IAAI,KAAK,KAAK,CAAC;gBAAE,OAAO,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW;AACxD,CAAC"}

package/dist/taint-types.d.ts

@@ -0,0 +1,128 @@
+/**
+ * Taint Tracking — shared types, classification tables, and sanitizer sufficiency.
+ */
+export interface TaintSource {
+    name: string;
+    origin: string;
+    line?: number;
+}
+export interface TaintSink {
+    name: string;
+    category: 'command' | 'fs' | 'sql' | 'redirect' | 'eval' | 'template' | 'codegen';
+    taintedArg: string;
+    line?: number;
+}
+export interface TaintPath {
+    source: TaintSource;
+    sink: TaintSink;
+    sanitized: boolean;
+    sanitizer?: string;
+    insufficientSanitizer?: string;
+}
+export interface TaintResult {
+    fnName: string;
+    filePath: string;
+    startLine: number;
+    paths: TaintPath[];
+}
+export interface CrossFileTaintResult {
+    callerFile: string;
+    callerFn: string;
+    callerLine: number;
+    calleeFile: string;
+    calleeFn: string;
+    taintedArgs: string[];
+    sinkInCallee: TaintSink;
+    source: TaintSource;
+}
+/** Map of exported function names → file path + param info */
+export interface ExportedFunction {
+    filePath: string;
+    fnName: string;
+    params: string;
+    hasSink: boolean;
+    sinks: TaintSink[];
+}
+/** A function in the file that contains sinks — tracks which params flow to those sinks */
+export interface InternalSinkFunction {
+    name: string;
+    /** Parameter indices whose values reach a sink in the function body */
+    taintedParamIndices: Set<number>;
+    /** Sink categories reachable from each param index (multiple categories per param) */
+    sinkCategories: Map<number, Set<TaintSink['category']>>;
+}
+/** Param names/types that indicate HTTP handler context */
+export declare const HTTP_PARAM_NAMES: RegExp;
+export declare const HTTP_PARAM_TYPES: RegExp;
+/** User input access patterns — what flows from HTTP params */
+export declare const USER_INPUT_ACCESS: readonly [{
+    readonly pattern: RegExp;
+    readonly origin: "req.body";
+}, {
+    readonly pattern: RegExp;
+    readonly origin: "req.query";
+}, {
+    readonly pattern: RegExp;
+    readonly origin: "req.params";
+}, {
+    readonly pattern: RegExp;
+    readonly origin: "req.headers";
+}, {
+    readonly pattern: RegExp;
+    readonly origin: "request.body";
+}, {
+    readonly pattern: RegExp;
+    readonly origin: "request.query";
+}, {
+    readonly pattern: RegExp;
+    readonly origin: "request.params";
+}, {
+    readonly pattern: RegExp;
+    readonly origin: "process.argv";
+}, {
+    readonly pattern: RegExp;
+    readonly origin: "process.env";
+}, {
+    readonly pattern: RegExp;
+    readonly origin: "db.query";
+}, {
+    readonly pattern: RegExp;
+    readonly origin: "findOne";
+}, {
+    readonly pattern: RegExp;
+    readonly origin: "findById";
+}, {
+    readonly pattern: RegExp;
+    readonly origin: "getItem";
+}, {
+    readonly pattern: RegExp;
+    readonly origin: "collection.find";
+}, {
+    readonly pattern: RegExp;
+    readonly origin: "vectorStore.search";
+}, {
+    readonly pattern: RegExp;
+    readonly origin: "similaritySearch";
+}, {
+    readonly pattern: RegExp;
+    readonly origin: "index.query";
+}];
+export interface SinkPattern {
+    pattern: RegExp;
+    name: string;
+    category: TaintSink['category'];
+}
+export declare const SINK_PATTERNS: SinkPattern[];
+export declare const SANITIZER_PATTERNS: {
+    pattern: RegExp;
+    name: string;
+}[];
+export type SinkCategory = TaintSink['category'];
+/**
+ * Check if a sanitizer is actually sufficient for a given sink category.
+ * Returns true if the sanitizer protects against the sink, false if it's
+ * a mismatch (e.g., parseInt used to "sanitize" command injection).
+ */
+export declare function isSanitizerSufficient(sanitizerName: string, sinkCategory: SinkCategory): boolean;
+export declare const SINK_NAMES: Map<string, "command" | "fs" | "sql" | "redirect" | "eval" | "template" | "codegen">;
+export declare const SANITIZER_PATTERN_NAMES: string[];