@oculum/scanner 1.0.14 → 1.0.15

package/src/taint/sink-classifier.ts

@@ -0,0 +1,1402 @@
+/**
+ * AST-Based Sink Classifier
+ *
+ * Identifies dangerous sinks using AST analysis with taint-kind awareness.
+ * Replaces regex-based model/sink-patterns.ts + model/sink-matcher.ts.
+ *
+ * Key improvements over regex:
+ * - `.query()` only flagged when called on a DB client (not React Query)
+ * - `fetch()` only flagged when URL is dynamic (not a static string)
+ * - Each sink reports which taint kinds make it dangerous
+ * - AI-specific sinks: prompt construction, system prompt manipulation
+ */
+
+import type Parser from "tree-sitter";
+import type { ParsedAST } from "../parse/ast";
+import { walkAST } from "../parse/ast";
+import { collectImportBindings, isParameterizedQueryArgs } from "./helpers";
+import {
+  resolveCallTarget,
+  getCallArguments,
+  getObjectLiteralProperty,
+} from "../detect/ast-rules/helpers/call-analysis";
+import {
+  isConstant,
+  collectVariableAliases,
+} from "../detect/ast-rules/helpers/scope-analysis";
+import type { TaintSink, TaintSinkType, TaintKind } from "./types";
+import {
+  isLLMClient,
+  isKnownLLMCall,
+  LANGCHAIN_MESSAGE_CLASSES,
+} from "./llm-registry";
+import {
+  resolvePythonCallTarget,
+  getPythonCallArguments,
+  getPythonKeywordArgument,
+  collectPythonImportBindings,
+  isPythonFString,
+  isPythonDynamicString,
+  getPythonDictProperty,
+  classifyPythonMessageDict,
+  isPyConstantExpression,
+  extractPythonStringValue,
+} from "../detect/ast-rules/helpers/python-helpers";
+
+// ============================================================================
+// Sink → Vulnerable Taint Kinds
+// ============================================================================
+
+const SINK_KIND_MAP: Record<TaintSinkType, readonly TaintKind[]> = {
+  sql_query: ["sql"],
+  nosql_query: ["sql"], // NoSQL injection uses 'sql' kind (query manipulation)
+  eval: ["command"],
+  exec: ["command"],
+  inner_html: ["xss"],
+  http_request: ["ssrf"],
+  redirect: ["ssrf"],
+  file_write: ["path"],
+  path_access: ["path"],
+  template_render: ["xss"],
+  command_exec: ["command"],
+  regex_constructor: [], // ReDoS — not command injection, suppress taint findings
+  dynamic_import: ["path"],
+  deserialization: ["command"],
+  response_body: ["xss"], // Reflected XSS via API response
+  header_injection: ["xss"], // CRLF injection via response headers
+  prompt_construction: ["prompt"],
+  system_prompt: ["prompt"],
+};
+
+// ============================================================================
+// Database Client Detection
+// ============================================================================
+
+/** Import module patterns that indicate a database client */
+const DB_CLIENT_MODULES = [
+  /^pg$/,
+  /^mysql2?$/,
+  /^better-sqlite3$/,
+  /^sqlite3$/,
+  /^@prisma\/client$/,
+  /^prisma$/,
+  /^knex$/,
+  /^sequelize$/,
+  /^typeorm$/,
+  /^drizzle-orm$/,
+  /^@?planetscale/,
+  /^@neondatabase/,
+  /^@supabase\/supabase-js$/,
+  /^mssql$/,
+  /^tedious$/,
+  /^oracledb$/,
+  /^mongoose$/,
+];
+
+/** Variable names commonly used for DB clients */
+const DB_CLIENT_NAMES =
+  /^(db|pool|client|connection|conn|knex|prisma|sequelize|sql|supabase|pgClient|pgPool|mysql|mongo)$/i;
+
+// ============================================================================
+// NoSQL / MongoDB Client Detection
+// ============================================================================
+
+const NOSQL_CLIENT_MODULES = [/^mongodb$/, /^mongoose$/];
+
+const NOSQL_CLIENT_NAMES = /^(collection|db|mongo|mongoose|Model)$/i;
+
+/** MongoDB query methods that accept user-controlled filter objects */
+const NOSQL_QUERY_METHODS =
+  /^(find|findOne|findOneAndUpdate|findOneAndDelete|findOneAndReplace|updateOne|updateMany|deleteOne|deleteMany|aggregate|countDocuments|distinct|replaceOne)$/;
+
+/** Response/result sink methods — sending data back to client */
+const RESPONSE_METHODS = /^(send|write|end|jsonp)$/;
+
+const RESPONSE_OBJECT_NAMES = /^(res|response|reply|ctx)$/;
+
+/** Header setting methods */
+const HEADER_METHODS = /^(setHeader|header|set|writeHead|append)$/;
+
+/** Response headers where dynamic values carry real security risk */
+const SECURITY_SENSITIVE_HEADERS = /^(location|set-cookie|refresh|link)$/i;
+
+function isSecuritySensitiveHeader(name: string): boolean {
+  return SECURITY_SENSITIVE_HEADERS.test(name);
+}
+
+function extractConstantString(node: Parser.SyntaxNode): string | null {
+  if (node.type === "string") {
+    const fragment = node.descendantsOfType("string_fragment");
+    if (fragment.length > 0) return fragment[0].text;
+    const text = node.text;
+    if (
+      (text.startsWith("'") && text.endsWith("'")) ||
+      (text.startsWith('"') && text.endsWith('"'))
+    ) {
+      return text.slice(1, -1);
+    }
+    return null;
+  }
+  if (node.type === "template_string") {
+    if (node.descendantsOfType("template_substitution").length > 0) return null;
+    const text = node.text;
+    return text.startsWith("`") && text.endsWith("`")
+      ? text.slice(1, -1)
+      : null;
+  }
+  return null;
+}
+
+function hasHardcodedBaseURL(node: Parser.SyntaxNode): boolean {
+  if (node.type !== "template_string") return false;
+  const subs = node.descendantsOfType("template_substitution");
+  if (subs.length === 0) return false;
+  for (const child of node.children) {
+    if (
+      child.type === "string_fragment" ||
+      child.type === "template_string_fragment"
+    ) {
+      return /^https?:\/\//.test(child.text);
+    }
+    if (child.type === "template_substitution") return false;
+  }
+  return false;
+}
+
+/** Config object name patterns for redirect URL suppression */
+const CONFIG_OBJ_RE =
+  /^(appCfg|config|settings|cfg|appConfig|dify_config|serverConfig|envConfig)$/i;
+const CONFIG_URL_PROP_RE =
+  /url|host|base|origin|endpoint|domain|callback|redirect/i;
+
+/** Check if a redirect argument is a config-controlled URL (not user input) */
+function isConfigControlledRedirectURL(node: Parser.SyntaxNode): boolean {
+  // Config object access: appCfg.SITE_URL, config.API_BASE
+  if (node.type === "member_expression") {
+    const obj = node.childForFieldName("object");
+    const prop = node.childForFieldName("property");
+    if (
+      obj &&
+      prop &&
+      CONFIG_OBJ_RE.test(obj.text) &&
+      CONFIG_URL_PROP_RE.test(prop.text)
+    )
+      return true;
+  }
+  // Env var URL patterns: process.env.*_URL, *_BASE, *_HOST
+  if (
+    node.type === "member_expression" &&
+    /^process\.env\.\w+(?:_URL|_BASE|_HOST|_ORIGIN|_ENDPOINT|_DOMAIN)$/i.test(
+      node.text,
+    )
+  ) {
+    return true;
+  }
+  // Template literals where first interpolation is config
+  if (node.type === "template_string") {
+    for (const child of node.children) {
+      if (child.type === "template_substitution") {
+        const expr = child.namedChildren[0];
+        if (expr && isConfigControlledRedirectURL(expr)) return true;
+        break;
+      }
+    }
+  }
+  return false;
+}
+
+function isURLArgDynamic(args: Parser.SyntaxNode[]): boolean {
+  if (args.length === 0) return false;
+  const urlArg = args[0];
+  if (isConstant(urlArg)) return false;
+  if (hasHardcodedBaseURL(urlArg)) return false;
+  return true;
+}
+
+// ============================================================================
+// HTTP Client Detection
+// ============================================================================
+
+const HTTP_CLIENT_MODULES = [
+  /^axios$/,
+  /^node-fetch$/,
+  /^got$/,
+  /^undici$/,
+  /^ky$/,
+  /^https?$/,
+  /^superagent$/,
+];
+
+// ============================================================================
+// Internal Helpers
+// ============================================================================
+
+function isDbClient(
+  objText: string,
+  imports: Map<string, { module: string; originalName: string }>,
+): boolean {
+  // Check if the full object text is a known DB client by name
+  if (DB_CLIENT_NAMES.test(objText)) return true;
+
+  // Check each part of a dotted chain (e.g., `models.sequelize` → check `sequelize`)
+  const parts = objText.split(".");
+  for (const part of parts) {
+    if (DB_CLIENT_NAMES.test(part)) return true;
+  }
+
+  // Check if imported from a DB module
+  const rootObj = parts[0];
+  const binding = imports.get(rootObj);
+  if (binding) {
+    return DB_CLIENT_MODULES.some((p) => p.test(binding.module));
+  }
+
+  return false;
+}
+
+function isNoSQLClient(
+  objText: string,
+  imports: Map<string, { module: string; originalName: string }>,
+): boolean {
+  if (NOSQL_CLIENT_NAMES.test(objText)) return true;
+  const parts = objText.split(".");
+  for (const part of parts) {
+    if (NOSQL_CLIENT_NAMES.test(part)) return true;
+  }
+  const rootObj = parts[0];
+  const binding = imports.get(rootObj);
+  if (binding) {
+    return NOSQL_CLIENT_MODULES.some((p) => p.test(binding.module));
+  }
+  return false;
+}
+
+function isHttpClient(
+  objText: string,
+  imports: Map<string, { module: string; originalName: string }>,
+): boolean {
+  const binding = imports.get(objText);
+  if (binding) {
+    return HTTP_CLIENT_MODULES.some((p) => p.test(binding.module));
+  }
+  return /^(axios|got|ky|superagent|http|https)$/i.test(objText);
+}
+
+/**
+ * Check if a NoSQL query's first argument is a safe object literal.
+ * Safe = object with simple field:value pairs, no $ operators, no nested objects.
+ */
+function isSafeNoSQLQuery(args: Parser.SyntaxNode[]): boolean {
+  if (args.length === 0) return false;
+  const firstArg = args[0];
+  if (firstArg.type !== "object") return false;
+
+  const pairs = firstArg.namedChildren.filter((c) => c.type === "pair");
+  if (pairs.length === 0) return false;
+
+  for (const pair of pairs) {
+    const key = pair.childForFieldName("key");
+    if (!key) return false;
+    const keyText = key.text.replace(/['"]/g, "");
+    // If key starts with $, it's a MongoDB operator — not safe
+    if (keyText.startsWith("$")) return false;
+
+    const value = pair.childForFieldName("value");
+    if (!value) continue;
+    // Nested objects could contain $ operators — not safe
+    if (value.type === "object") return false;
+  }
+
+  return true;
+}
+
+function hasDynamicArg(args: Parser.SyntaxNode[]): boolean {
+  if (args.length === 0) return false;
+  return args.some((arg) => !isConstant(arg));
+}
+
+/** Alias for shared parameterized query detection. */
+const isParameterizedCall = isParameterizedQueryArgs;
+
+// ============================================================================
+// Sink Detectors
+// ============================================================================
+
+interface SinkDetection {
+  node: Parser.SyntaxNode;
+  sinkType: TaintSinkType;
+  /** AST nodes to restrict taint checking to (e.g., URL arg only for SSRF). */
+  relevantArgNodes?: Parser.SyntaxNode[];
+}
+
+function detectCallSinks(
+  node: Parser.SyntaxNode,
+  aliases: Map<string, string>,
+  imports: Map<string, { module: string; originalName: string }>,
+): SinkDetection | null {
+  const target = resolveCallTarget(node, aliases);
+  if (!target) return null;
+
+  const args = getCallArguments(node);
+
+  // --- eval / new Function ---
+  if (target.name === "eval" && target.type === "direct") {
+    return { node, sinkType: "eval" };
+  }
+  if (target.type === "new" && target.name === "Function") {
+    return { node, sinkType: "eval" };
+  }
+  // setTimeout/setInterval with string arg
+  if (
+    (target.name === "setTimeout" || target.name === "setInterval") &&
+    target.type === "direct" &&
+    args.length > 0 &&
+    args[0].type === "string"
+  ) {
+    return { node, sinkType: "eval" };
+  }
+
+  // --- Command execution ---
+  if (target.name === "exec" || target.name === "execSync") {
+    if (
+      target.type === "direct" ||
+      (target.object && /^(child_process|cp)$/.test(target.object))
+    ) {
+      // Only the command string (first arg) matters; callbacks/options are irrelevant
+      if (args.length > 0 && !isConstant(args[0]))
+        return { node, sinkType: "command_exec", relevantArgNodes: [args[0]] };
+    }
+  }
+  if (
+    target.name === "spawn" ||
+    target.name === "spawnSync" ||
+    target.name === "execFile" ||
+    target.name === "fork"
+  ) {
+    if (
+      target.type === "direct" ||
+      (target.object && /^(child_process|cp)$/.test(target.object))
+    ) {
+      // spawn/execFile with array args uses argv (no shell) — only flag if command name (arg0) is dynamic
+      if (args.length >= 2 && args[1].type === "array") {
+        if (!isConstant(args[0]))
+          return {
+            node,
+            sinkType: "command_exec",
+            relevantArgNodes: [args[0]],
+          };
+      } else if (args.length > 0 && !isConstant(args[0])) {
+        return { node, sinkType: "command_exec", relevantArgNodes: [args[0]] };
+      }
+    }
+  }
+
+  // --- SQL sinks ---
+  if (
+    target.name === "query" ||
+    target.name === "raw" ||
+    target.name === "execute"
+  ) {
+    if (target.object && isDbClient(target.object, imports)) {
+      // Skip parameterized queries — they use bind variables, not string concat
+      if (hasDynamicArg(args) && !isParameterizedCall(args)) {
+        return { node, sinkType: "sql_query" };
+      }
+    }
+    // $queryRaw, $executeRaw (Prisma)
+    if (target.name === "query" && target.object) {
+      if (/\.\$queryRaw$|\.\$executeRaw$/.test(target.fullChain)) {
+        if (hasDynamicArg(args) && !isParameterizedCall(args)) {
+          return { node, sinkType: "sql_query" };
+        }
+      }
+    }
+  }
+  if (
+    target.name === "$queryRaw" ||
+    target.name === "$executeRaw" ||
+    target.name === "$queryRawUnsafe" ||
+    target.name === "$executeRawUnsafe"
+  ) {
+    if (hasDynamicArg(args)) return { node, sinkType: "sql_query" };
+  }
+
+  // --- XSS sinks ---
+  if (target.name === "write" || target.name === "writeln") {
+    if (target.object && /^document$/.test(target.object)) {
+      return { node, sinkType: "inner_html" };
+    }
+  }
+  if (target.name === "insertAdjacentHTML") {
+    return { node, sinkType: "inner_html" };
+  }
+
+  // --- SSRF / HTTP request sinks ---
+  // Only the URL argument (arg 0) is relevant for SSRF — taint in body/headers is not SSRF.
+  if (target.name === "fetch" && target.type === "direct") {
+    if (isURLArgDynamic(args))
+      return { node, sinkType: "http_request", relevantArgNodes: [args[0]] };
+  }
+  if (target.type === "member" && target.object) {
+    if (
+      /^(get|post|put|patch|delete|request)$/.test(target.name) &&
+      (isHttpClient(target.object, imports) ||
+        /^(axios|got|ky|superagent|http|https)$/.test(target.object))
+    ) {
+      if (isURLArgDynamic(args))
+        return { node, sinkType: "http_request", relevantArgNodes: [args[0]] };
+    }
+  }
+
+  // --- Redirect ---
+  if (target.name === "redirect" && target.type === "member") {
+    if (target.object && /^(res|response|Response)$/.test(target.object)) {
+      if (hasDynamicArg(args)) {
+        // Skip config-controlled redirect URLs
+        if (args[0] && isConfigControlledRedirectURL(args[0])) return null;
+        return { node, sinkType: "redirect", relevantArgNodes: [args[0]] };
+      }
+    }
+  }
+
+  // --- File system sinks ---
+  if (
+    target.type === "member" &&
+    target.object &&
+    /^(fs|fsp|fsPromises)$/.test(target.object)
+  ) {
+    if (
+      /^(writeFile|writeFileSync|appendFile|appendFileSync)$/.test(target.name)
+    ) {
+      return { node, sinkType: "file_write" };
+    }
+    if (
+      /^(readFile|readFileSync|readdir|readdirSync|stat|statSync|access|accessSync|unlink|unlinkSync)$/.test(
+        target.name,
+      )
+    ) {
+      if (hasDynamicArg(args)) return { node, sinkType: "path_access" };
+    }
+  }
+  if (
+    target.name === "createWriteStream" ||
+    target.name === "createReadStream"
+  ) {
+    if (hasDynamicArg(args))
+      return {
+        node,
+        sinkType: target.name.includes("Write") ? "file_write" : "path_access",
+      };
+  }
+
+  // --- Path access (path.join with dynamic args) ---
+  if (target.type === "member" && target.object === "path") {
+    if (target.name === "join" || target.name === "resolve") {
+      if (hasDynamicArg(args)) return { node, sinkType: "path_access" };
+    }
+  }
+
+  // --- Template rendering ---
+  if (target.type === "member" && target.object) {
+    if (
+      /^(ejs|pug|handlebars|nunjucks|mustache)$/.test(target.object) &&
+      /^(render|compile|renderFile)$/.test(target.name)
+    ) {
+      return { node, sinkType: "template_render" };
+    }
+  }
+
+  // --- RegExp construction ---
+  if (target.type === "new" && target.name === "RegExp") {
+    if (hasDynamicArg(args)) return { node, sinkType: "regex_constructor" };
+  }
+
+  // --- Dynamic import ---
+  // (handled separately for `import()` syntax)
+
+  // --- NoSQL injection (MongoDB) ---
+  if (NOSQL_QUERY_METHODS.test(target.name) && target.object) {
+    if (
+      isNoSQLClient(target.object, imports) ||
+      isDbClient(target.object, imports)
+    ) {
+      if (hasDynamicArg(args)) {
+        // Skip safe NoSQL queries (simple field:value object literals without $ operators)
+        if (isSafeNoSQLQuery(args)) return null;
+        return { node, sinkType: "nosql_query" };
+      }
+    }
+  }
+
+  // --- Response body reflection (reflected XSS via API) ---
+  if (
+    RESPONSE_METHODS.test(target.name) &&
+    target.type === "member" &&
+    target.object
+  ) {
+    if (RESPONSE_OBJECT_NAMES.test(target.object)) {
+      // Skip object literals — Express auto-serializes to JSON (Content-Type: application/json)
+      if (
+        args.length > 0 &&
+        (args[0].type === "object" || args[0].type === "dictionary")
+      ) {
+        // Not an XSS vector — JSON responses are safe
+      } else if (hasDynamicArg(args)) {
+        return { node, sinkType: "response_body" };
+      }
+    }
+  }
+
+  // --- Header injection ---
+  if (
+    HEADER_METHODS.test(target.name) &&
+    target.type === "member" &&
+    target.object
+  ) {
+    if (RESPONSE_OBJECT_NAMES.test(target.object)) {
+      // writeHead with dynamic headers object — always flag
+      if (target.name === "writeHead" && hasDynamicArg(args)) {
+        return { node, sinkType: "header_injection" };
+      }
+      // setHeader/header/set/append: check name and value
+      if (args.length >= 2 && !isConstant(args[args.length - 1])) {
+        // If header name is a known constant, only flag security-sensitive headers
+        if (isConstant(args[0])) {
+          const headerName = extractConstantString(args[0]);
+          if (headerName && !isSecuritySensitiveHeader(headerName)) {
+            return null; // Safe custom header (e.g., X-Request-Id)
+          }
+        }
+        return { node, sinkType: "header_injection" };
+      }
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Walk an object argument for message-related properties (system, prompt, messages, content).
+ * Returns sink detections for dynamic values in LLM API call arguments.
+ */
+function detectMessageArgSinks(
+  argNode: Parser.SyntaxNode,
+  callNode: Parser.SyntaxNode,
+): SinkDetection[] {
+  if (argNode.type !== "object") return [];
+
+  const results: SinkDetection[] = [];
+
+  // Check "system" property → system_prompt sink
+  const systemValue = getObjectLiteralProperty(argNode, "system");
+  if (systemValue && !isConstant(systemValue)) {
+    results.push({ node: callNode, sinkType: "system_prompt" });
+  }
+
+  // Check "prompt" property → prompt_construction sink
+  const promptValue = getObjectLiteralProperty(argNode, "prompt");
+  if (promptValue && !isConstant(promptValue)) {
+    results.push({ node: callNode, sinkType: "prompt_construction" });
+  }
+
+  // Check "messages" property → walk array for role/content objects
+  const messagesValue = getObjectLiteralProperty(argNode, "messages");
+  if (messagesValue && messagesValue.type === "array") {
+    for (const elem of messagesValue.namedChildren) {
+      if (elem.type === "object") {
+        const sinkType = classifyMessageObject(elem);
+        if (sinkType) {
+          results.push({ node: callNode, sinkType });
+        }
+      }
+    }
+  }
+
+  // Check "content" property directly (some APIs use flat object with content)
+  const contentValue = getObjectLiteralProperty(argNode, "content");
+  if (
+    contentValue &&
+    !isConstant(contentValue) &&
+    !systemValue &&
+    !messagesValue
+  ) {
+    results.push({ node: callNode, sinkType: "prompt_construction" });
+  }
+
+  return results;
+}
+
+/**
+ * Classify a message object {role: '...', content: ...} as system_prompt or prompt_construction.
+ * Returns null if content is static.
+ */
+function classifyMessageObject(
+  objNode: Parser.SyntaxNode,
+): TaintSinkType | null {
+  const contentValue = getObjectLiteralProperty(objNode, "content");
+  if (!contentValue || isConstant(contentValue)) return null;
+
+  const roleValue = getObjectLiteralProperty(objNode, "role");
+  if (roleValue) {
+    const roleText = roleValue.text.replace(/^['"`]|['"`]$/g, "");
+    if (roleText === "system") return "system_prompt";
+    // User input in user/assistant role is expected — not a prompt injection vector
+    if (roleText === "user" || roleText === "assistant") return null;
+  }
+
+  return "prompt_construction";
+}
+
+/**
+ * Detect LLM API prompt sinks — comprehensive coverage of all major LLM SDKs.
+ *
+ * Covers:
+ * 1. OpenAI: openai.chat.completions.create({ messages: [...] })
+ * 2. Anthropic: anthropic.messages.create({ system: ..., messages: [...] })
+ * 3. Vercel AI SDK: generateText({ prompt, system, messages })
+ * 4. LangChain: new SystemMessage(...), new HumanMessage(...), chain.invoke(...)
+ * 5. Google AI: model.generateContent(...)
+ * 6. Generic: model.chat(...), model.generate(...)
+ * 7. messages.push({ role, content }) — existing pattern
+ */
+function detectLLMSinks(
+  node: Parser.SyntaxNode,
+  imports: Map<string, { module: string; originalName: string }>,
+): SinkDetection[] {
+  const results: SinkDetection[] = [];
+
+  // --- Pattern 7: messages.push({ role, content }) ---
+  if (node.type === "call_expression") {
+    const fn = node.childForFieldName("function");
+    if (fn?.type === "member_expression") {
+      const prop = fn.childForFieldName("property");
+      const obj = fn.childForFieldName("object");
+      if (
+        prop?.text === "push" &&
+        obj &&
+        (/message/i.test(obj.text) ||
+          /msgs?$/i.test(obj.text) ||
+          /prompt/i.test(obj.text))
+      ) {
+        const args = getCallArguments(node);
+        if (args.length > 0 && args[0].type === "object") {
+          const sinkType = classifyMessageObject(args[0]);
+          if (sinkType) {
+            results.push({ node, sinkType });
+          }
+        }
+      }
+    }
+  }
+
+  // --- Pattern 4: LangChain new SystemMessage(...) / new HumanMessage(...) ---
+  if (node.type === "new_expression") {
+    const ctor = node.childForFieldName("constructor");
+    if (ctor?.type === "identifier" && ctor.text in LANGCHAIN_MESSAGE_CLASSES) {
+      const args = getCallArguments(node);
+      if (args.length > 0 && !isConstant(args[0])) {
+        results.push({
+          node,
+          sinkType: LANGCHAIN_MESSAGE_CLASSES[ctor.text],
+        });
+      }
+    }
+    return results;
+  }
+
+  if (node.type !== "call_expression") return results;
+
+  const target = resolveCallTarget(node);
+  if (!target) return results;
+  const args = getCallArguments(node);
+  if (args.length === 0) return results;
+
+  // --- Pattern 3: Vercel AI SDK direct calls ---
+  // generateText({ prompt, system, messages }), streamText(...), generateObject(...)
+  if (
+    target.type === "direct" &&
+    /^(generateText|streamText|generateObject|streamObject)$/.test(target.name)
+  ) {
+    const binding = imports.get(target.name);
+    const isVercelSDK =
+      binding &&
+      (/^ai$/.test(binding.module) || /^@ai-sdk\//.test(binding.module));
+    // Even without import tracking, these names are strong enough
+    if (isVercelSDK || !binding) {
+      if (args[0].type === "object") {
+        results.push(...detectMessageArgSinks(args[0], node));
+      } else if (!isConstant(args[0])) {
+        results.push({ node, sinkType: "prompt_construction" });
+      }
+    }
+    return results;
+  }
+
+  // --- Member call patterns (1, 2, 5, 6) ---
+  if (target.type !== "member" || !target.object) return results;
+
+  const isLLM = isLLMClient(target.object, imports);
+
+  // --- Pattern 1: OpenAI completions.create ---
+  // openai.chat.completions.create({ messages: [...] })
+  if (target.name === "create" && /completions$/.test(target.object) && isLLM) {
+    if (args[0].type === "object") {
+      results.push(...detectMessageArgSinks(args[0], node));
+    }
+    return results;
+  }
+
+  // --- Pattern 2: Anthropic messages.create ---
+  // anthropic.messages.create({ system: ..., messages: [...] })
+  if (target.name === "create" && /messages$/.test(target.object) && isLLM) {
+    if (args[0].type === "object") {
+      results.push(...detectMessageArgSinks(args[0], node));
+    }
+    return results;
+  }
+
+  // --- Pattern 5: Google AI generateContent ---
+  if (target.name === "generateContent" && isLLM) {
+    if (args[0].type === "object") {
+      results.push(...detectMessageArgSinks(args[0], node));
+    } else if (!isConstant(args[0])) {
+      results.push({ node, sinkType: "prompt_construction" });
+    }
+    return results;
+  }
+
+  // --- Pattern 6: Generic .chat() / .generate() / .invoke() on LLM client ---
+  if (/^(chat|generate|invoke|complete)$/.test(target.name) && isLLM) {
+    if (args[0].type === "object") {
+      results.push(...detectMessageArgSinks(args[0], node));
+    } else if (!isConstant(args[0])) {
+      results.push({ node, sinkType: "prompt_construction" });
+    }
+    return results;
+  }
+
+  return results;
+}
+
+// ============================================================================
+// Main Classifier
+// ============================================================================
+
+/**
+ * Classify all taint sinks in a parsed AST.
+ *
+ * Walks the AST looking for:
+ * 1. Dangerous function calls (eval, exec, query, fetch, etc.)
+ * 2. Dangerous property assignments (innerHTML)
+ * 3. Prompt construction patterns (messages.push with dynamic content)
+ */
+export function classifySinks(
+  ast: ParsedAST,
+  imports?: Map<string, { module: string; originalName: string }>,
+  aliases?: Map<string, string>,
+): TaintSink[] {
+  // Route to Python-specific classifier
+  if (ast.language === "python") {
+    return classifyPythonSinks(ast, imports);
+  }
+
+  const sinks: TaintSink[] = [];
+  const seen = new Set<string>();
+  const root = ast.tree.rootNode;
+
+  if (!imports) imports = collectImportBindings(root);
+  if (!aliases) aliases = collectVariableAliases(root);
+
+  walkAST(root, (node) => {
+    // --- Call expression sinks ---
+    if (node.type === "call_expression" || node.type === "new_expression") {
+      const detection = detectCallSinks(node, aliases, imports);
+      if (detection) {
+        const key = `${detection.node.startPosition.row}:${detection.node.startPosition.column}:${detection.sinkType}`;
+        if (!seen.has(key)) {
+          seen.add(key);
+          const sink: TaintSink = {
+            node: detection.node,
+            line: detection.node.startPosition.row + 1,
+            expression: detection.node.text.slice(0, 200), // truncate long expressions
+            sinkType: detection.sinkType,
+            vulnerableToKinds: new Set(SINK_KIND_MAP[detection.sinkType]),
+          };
+          if (detection.relevantArgNodes) {
+            sink.relevantArgNodes = detection.relevantArgNodes;
+          }
+          sinks.push(sink);
+        }
+      }
+
+      // Check for LLM prompt sinks
+      const llmSinks = detectLLMSinks(node, imports);
+      for (const llmSink of llmSinks) {
+        const key = `${llmSink.node.startPosition.row}:${llmSink.node.startPosition.column}:${llmSink.sinkType}`;
+        if (!seen.has(key)) {
+          seen.add(key);
+          sinks.push({
+            node: llmSink.node,
+            line: llmSink.node.startPosition.row + 1,
+            expression: llmSink.node.text.slice(0, 200),
+            sinkType: llmSink.sinkType,
+            vulnerableToKinds: new Set(SINK_KIND_MAP[llmSink.sinkType]),
+          });
+        }
+      }
+    }
+
+    // --- Property assignment sinks ---
+    if (node.type === "assignment_expression") {
+      const left = node.childForFieldName("left");
+      if (left?.type === "member_expression") {
+        const prop = left.childForFieldName("property");
+        if (prop && (prop.text === "innerHTML" || prop.text === "outerHTML")) {
+          const right = node.childForFieldName("right");
+          if (right && !isConstant(right)) {
+            const key = `${node.startPosition.row}:${node.startPosition.column}:inner_html`;
+            if (!seen.has(key)) {
+              seen.add(key);
+              sinks.push({
+                node,
+                line: node.startPosition.row + 1,
+                expression: node.text.slice(0, 200),
+                sinkType: "inner_html",
+                vulnerableToKinds: new Set(SINK_KIND_MAP.inner_html),
+              });
+            }
+          }
+        }
+      }
+    }
+
+    // --- JSX dangerouslySetInnerHTML ---
+    if (node.type === "jsx_attribute") {
+      // In tree-sitter TSX, attribute name is a property_identifier child (not a named field)
+      const attrName = node.namedChildren.find(
+        (c) => c.type === "property_identifier" || c.type === "jsx_identifier",
+      );
+      if (attrName?.text === "dangerouslySetInnerHTML") {
+        const key = `${node.startPosition.row}:${node.startPosition.column}:inner_html`;
+        if (!seen.has(key)) {
+          seen.add(key);
+          sinks.push({
+            node,
+            line: node.startPosition.row + 1,
+            expression: node.text.slice(0, 200),
+            sinkType: "inner_html",
+            vulnerableToKinds: new Set(SINK_KIND_MAP.inner_html),
+          });
+        }
+      }
+    }
+
+    // --- Dynamic import() ---
+    if (node.type === "call_expression") {
+      const fn = node.childForFieldName("function");
+      if (fn?.type === "import") {
+        const args = getCallArguments(node);
+        if (hasDynamicArg(args)) {
+          const key = `${node.startPosition.row}:${node.startPosition.column}:dynamic_import`;
+          if (!seen.has(key)) {
+            seen.add(key);
+            sinks.push({
+              node,
+              line: node.startPosition.row + 1,
+              expression: node.text.slice(0, 200),
+              sinkType: "dynamic_import",
+              vulnerableToKinds: new Set(SINK_KIND_MAP.dynamic_import),
+            });
+          }
+        }
+      }
+    }
+
+    return false;
+  });
+
+  return sinks;
+}
+
+// ============================================================================
+// Python Sink Classifier
+// ============================================================================
+
+/** Python DB client module patterns */
+const PY_DB_CLIENT_MODULES = [
+  /^psycopg2?$/,
+  /^sqlite3$/,
+  /^mysql\.connector$/,
+  /^pymysql$/,
+  /^cx_Oracle$/,
+  /^pyodbc$/,
+  /^sqlalchemy$/,
+  /^django\.db/,
+];
+const PY_DB_CLIENT_NAMES = /^(cursor|conn|connection|db|engine|session)$/i;
+
+/** Python HTTP client module patterns */
+const PY_HTTP_CLIENT_MODULES = [
+  /^requests$/,
+  /^httpx$/,
+  /^urllib/,
+  /^aiohttp$/,
+];
+
+function isPyDbClient(
+  objText: string,
+  imports: Map<string, { module: string; originalName: string }>,
+): boolean {
+  if (PY_DB_CLIENT_NAMES.test(objText)) return true;
+  const parts = objText.split(".");
+  for (const part of parts) {
+    if (PY_DB_CLIENT_NAMES.test(part)) return true;
+  }
+  const rootObj = parts[0];
+  const binding = imports.get(rootObj);
+  if (binding) {
+    return PY_DB_CLIENT_MODULES.some((p) => p.test(binding.module));
+  }
+  return false;
+}
+
+function isPyHttpClient(
+  objText: string,
+  imports: Map<string, { module: string; originalName: string }>,
+  httpClientVars?: Set<string>,
+): boolean {
+  if (httpClientVars?.has(objText)) return true;
+  const binding = imports.get(objText);
+  if (binding) {
+    return PY_HTTP_CLIENT_MODULES.some((p) => p.test(binding.module));
+  }
+  return /^(requests|httpx|urllib|aiohttp|session|http_client)$/i.test(objText);
+}
+
+/** Collect variables assigned from HTTP client constructors (e.g. client = httpx.Client()) */
+function collectPyHttpClientVars(
+  root: Parser.SyntaxNode,
+  imports: Map<string, { module: string; originalName: string }>,
+): Set<string> {
+  const clientVars = new Set<string>();
+  walkAST(root, (node) => {
+    if (node.type === "assignment") {
+      const left = node.childForFieldName("left");
+      const right = node.childForFieldName("right");
+      if (left?.type === "identifier" && right?.type === "call") {
+        const fn = right.childForFieldName("function");
+        if (fn?.type === "attribute") {
+          const obj = fn.childForFieldName("object");
+          const attr = fn.childForFieldName("attribute");
+          if (
+            obj &&
+            attr &&
+            /^(Client|Session|ClientSession|AsyncClient)$/i.test(attr.text)
+          ) {
+            const objText = obj.text;
+            if (/^(requests|httpx|urllib|aiohttp)$/i.test(objText)) {
+              clientVars.add(left.text);
+            } else {
+              const binding = imports.get(objText);
+              if (
+                binding &&
+                PY_HTTP_CLIENT_MODULES.some((p) => p.test(binding.module))
+              ) {
+                clientVars.add(left.text);
+              }
+            }
+          }
+        }
+      }
+    }
+    return false;
+  });
+  return clientVars;
+}
+
+/** Check if a Python AST node is a constant (string literal, number, etc.) */
+function isPyConstant(node: Parser.SyntaxNode): boolean {
+  if (node.type === "string" && !isPythonFString(node)) return true;
+  if (node.type === "integer" || node.type === "float" || node.type === "none")
+    return true;
+  if (node.type === "true" || node.type === "false") return true;
+  if (node.type === "concatenated_string") {
+    return node.namedChildren.every(
+      (c) => c.type === "string" && !isPythonFString(c),
+    );
+  }
+  return false;
+}
+
+/** Check if a Python call has a parameterized query (2nd arg is tuple/list) */
+function isPyParameterizedQuery(args: Parser.SyntaxNode[]): boolean {
+  if (args.length < 2) return false;
+  const firstArg = args[0];
+  // First arg must be a static string with placeholders
+  if (!isPyConstant(firstArg)) return false;
+  const text = firstArg.text;
+  if (!/(%s|%d|\?|:\w+)/.test(text)) return false;
+  // Second arg is tuple or list (bind params)
+  const secondArg = args[1];
+  return secondArg?.type === "tuple" || secondArg?.type === "list";
+}
+
+/**
+ * Walk a Python `messages=` argument (list of message dicts) and classify each.
+ */
+function walkPythonMessagesArg(
+  messagesNode: Parser.SyntaxNode,
+  callNode: Parser.SyntaxNode,
+): Array<{ node: Parser.SyntaxNode; sinkType: TaintSinkType }> {
+  const results: Array<{ node: Parser.SyntaxNode; sinkType: TaintSinkType }> =
+    [];
+  if (messagesNode.type === "list") {
+    for (const elem of messagesNode.namedChildren) {
+      if (elem.type === "dictionary") {
+        const sinkType = classifyPythonMessageDict(elem);
+        if (sinkType) results.push({ node: callNode, sinkType });
+      }
+    }
+  } else if (!isPyConstant(messagesNode)) {
+    // Dynamic variable passed as messages — conservative prompt_construction
+    results.push({ node: callNode, sinkType: "prompt_construction" });
+  }
+  return results;
+}
+
+/**
+ * Detect Python LLM prompt sinks — comprehensive coverage of all major Python LLM SDKs.
+ *
+ * Covers:
+ * P1: OpenAI — client.chat.completions.create(messages=[...])
+ * P2: Anthropic — client.messages.create(system=..., messages=[...])
+ * P3: LangChain message classes — SystemMessage(content=x), HumanMessage(content=x)
+ * P4: Generic LLM methods — llm.invoke(x), chain.run(x), model.predict(x)
+ * P5: messages.append({"role": ..., "content": dynamic})
+ * P6: Google AI — model.generate_content(x) (via P4)
+ * P7: LlamaIndex — query_engine.query(x) (via P4)
+ */
+function detectPythonLLMSinks(
+  node: Parser.SyntaxNode,
+  target: {
+    type: string;
+    name: string;
+    object?: string;
+    fullChain: string;
+    aliased: boolean;
+  },
+  args: Parser.SyntaxNode[],
+  imports: Map<string, { module: string; originalName: string }>,
+): Array<{ node: Parser.SyntaxNode; sinkType: TaintSinkType }> {
+  const results: Array<{ node: Parser.SyntaxNode; sinkType: TaintSinkType }> =
+    [];
+
+  // --- P3: LangChain message classes (direct call, not member) ---
+  // SystemMessage(content=text), HumanMessage(content=text)
+  if (target.type === "direct" && target.name in LANGCHAIN_MESSAGE_CLASSES) {
+    // Verify import from langchain module (or allow without import for heuristic)
+    const binding = imports.get(target.name);
+    const isLangChain = binding && /^langchain/.test(binding.module);
+    if (isLangChain || !binding) {
+      // Check content= keyword arg
+      const contentArg = getPythonKeywordArgument(node, "content");
+      if (contentArg && !isPyConstant(contentArg)) {
+        results.push({
+          node,
+          sinkType: LANGCHAIN_MESSAGE_CLASSES[target.name],
+        });
+        return results;
+      }
+      // Check first positional arg
+      if (args.length > 0 && !isPyConstant(args[0])) {
+        results.push({
+          node,
+          sinkType: LANGCHAIN_MESSAGE_CLASSES[target.name],
+        });
+        return results;
+      }
+    }
+    return results;
+  }
+
+  // --- P5: messages.append({"role": ..., "content": dynamic}) ---
+  if (
+    target.type === "member" &&
+    target.name === "append" &&
+    target.object &&
+    /messages?|msgs?|prompt/i.test(target.object)
+  ) {
+    if (args.length > 0 && args[0].type === "dictionary") {
+      const sinkType = classifyPythonMessageDict(args[0]);
+      if (sinkType) results.push({ node, sinkType });
+    }
+    return results;
+  }
+
+  // From here, we only handle member calls on LLM clients
+  if (target.type !== "member" || !target.object) return results;
+  const isLLM = isLLMClient(target.object, imports);
+  if (!isLLM) return results;
+
+  // --- P1: OpenAI — client.chat.completions.create(messages=[...]) ---
+  if (target.name === "create" && /completions$/.test(target.object)) {
+    const messagesArg = getPythonKeywordArgument(node, "messages");
+    if (messagesArg) {
+      results.push(...walkPythonMessagesArg(messagesArg, node));
+    }
+    return results;
+  }
+
+  // --- P2: Anthropic — client.messages.create(system=..., messages=[...]) ---
+  if (target.name === "create" && /messages$/.test(target.object)) {
+    // Check system= keyword arg
+    const systemArg = getPythonKeywordArgument(node, "system");
+    if (systemArg && !isPyConstant(systemArg)) {
+      results.push({ node, sinkType: "system_prompt" });
+    }
+    // Walk messages= keyword arg
+    const messagesArg = getPythonKeywordArgument(node, "messages");
+    if (messagesArg) {
+      results.push(...walkPythonMessagesArg(messagesArg, node));
+    }
+    return results;
+  }
+
+  // --- P4/P6/P7: Generic LLM methods ---
+  // invoke, predict, run, chat, generate, complete, query, completion, send_message, generate_content
+  if (
+    /^(invoke|predict|run|chat|generate|complete|query|completion|send_message|generate_content)$/.test(
+      target.name,
+    )
+  ) {
+    // Check known keyword args first
+    for (const kwName of ["input", "prompt", "query", "messages"]) {
+      const kwArg = getPythonKeywordArgument(node, kwName);
+      if (kwArg && !isPyConstant(kwArg)) {
+        if (kwName === "messages") {
+          results.push(...walkPythonMessagesArg(kwArg, node));
+        } else {
+          results.push({ node, sinkType: "prompt_construction" });
+        }
+        return results;
+      }
+    }
+    // Fall back to first positional arg
+    if (args.length > 0 && !isPyConstant(args[0])) {
+      results.push({ node, sinkType: "prompt_construction" });
+    }
+    return results;
+  }
+
+  return results;
+}
+
+function classifyPythonSinks(
+  ast: ParsedAST,
+  precomputedImports?: Map<string, { module: string; originalName: string }>,
+): TaintSink[] {
+  const sinks: TaintSink[] = [];
+  const seen = new Set<string>();
+  const root = ast.tree.rootNode;
+  const imports = precomputedImports ?? collectPythonImportBindings(root);
+  const httpClientVars = collectPyHttpClientVars(root, imports);
+
+  walkAST(root, (node) => {
+    if (node.type !== "call") return false;
+
+    const target = resolvePythonCallTarget(node);
+    if (!target) return false;
+
+    const args = getPythonCallArguments(node);
+    const key = `${node.startPosition.row}:${node.startPosition.column}`;
+
+    // --- SQL sinks ---
+    if (target.type === "member" && target.object) {
+      if (
+        /^(execute|executemany)$/.test(target.name) &&
+        isPyDbClient(target.object, imports)
+      ) {
+        // Skip parameterized queries
+        if (
+          args.length > 0 &&
+          !isPyConstant(args[0]) &&
+          !isPyParameterizedQuery(args)
+        ) {
+          addPySink(sinks, seen, node, "sql_query", key);
+        }
+      }
+      // Django ORM .raw() / .extra()
+      if (/^(raw|extra)$/.test(target.name)) {
+        if (args.length > 0 && !isPyConstant(args[0])) {
+          addPySink(sinks, seen, node, "sql_query", key);
+        }
+      }
+    }
+    // SQLAlchemy text() wrapping dynamic content
+    if (target.type === "direct" && target.name === "text") {
+      if (args.length > 0 && !isPyConstant(args[0])) {
+        const binding = imports.get("text");
+        if (binding && /^sqlalchemy/.test(binding.module)) {
+          addPySink(sinks, seen, node, "sql_query", key);
+        }
+      }
+    }
+
+    // --- Command execution sinks ---
+    if (target.type === "member" && target.object) {
+      // subprocess.run/call/Popen/check_output
+      if (
+        /^subprocess/.test(target.object) &&
+        /^(run|call|Popen|check_output|check_call)$/.test(target.name)
+      ) {
+        // subprocess with list first arg + no shell=True is safe
+        const shellKw = getPythonKeywordArgument(node, "shell");
+        const hasShellTrue = shellKw?.type === "true";
+        if (args.length > 0 && args[0].type === "list" && !hasShellTrue) {
+          // Safe — list args without shell=True, skip
+        } else if (args.length > 0 && !isPyConstant(args[0])) {
+          addPySink(sinks, seen, node, "command_exec", key);
+        }
+      }
+      // os.system, os.popen, os.exec*
+      if (
+        /^os$/.test(target.object) &&
+        /^(system|popen|exec[lv]?[pe]?)$/.test(target.name)
+      ) {
+        if (args.length > 0 && !isPyConstant(args[0])) {
+          addPySink(sinks, seen, node, "command_exec", key);
+        }
+      }
+    }
+
+    // --- File / path sinks ---
+    if (target.type === "direct" && target.name === "open") {
+      if (args.length > 0 && !isPyConstant(args[0])) {
+        addPySink(sinks, seen, node, "path_access", key);
+      }
+    }
+    if (target.type === "member" && target.object) {
+      if (
+        /^(shutil|os)$/.test(target.object) &&
+        /^(copy|copy2|move|rmtree|remove|unlink|rename|makedirs)$/.test(
+          target.name,
+        )
+      ) {
+        if (args.length > 0 && !isPyConstant(args[0])) {
+          addPySink(sinks, seen, node, "path_access", key);
+        }
+      }
+    }
+    // pathlib.Path(dynamic)
+    if (
+      target.type === "member" &&
+      target.object === "pathlib" &&
+      target.name === "Path"
+    ) {
+      if (args.length > 0 && !isPyConstant(args[0])) {
+        addPySink(sinks, seen, node, "path_access", key);
+      }
+    }
+    if (target.type === "direct" && target.name === "Path") {
+      const binding = imports.get("Path");
+      if (binding && /^pathlib$/.test(binding.module)) {
+        if (args.length > 0 && !isPyConstant(args[0])) {
+          addPySink(sinks, seen, node, "path_access", key);
+        }
+      }
+    }
+
+    // --- Template / XSS sinks ---
+    if (target.type === "direct") {
+      if (target.name === "render_template_string") {
+        if (args.length > 0 && !isPyConstant(args[0])) {
+          addPySink(sinks, seen, node, "template_render", key);
+        }
+      }
+      if (target.name === "Markup") {
+        if (args.length > 0 && !isPyConstant(args[0])) {
+          addPySink(sinks, seen, node, "template_render", key);
+        }
+      }
+      if (target.name === "mark_safe") {
+        if (args.length > 0 && !isPyConstant(args[0])) {
+          addPySink(sinks, seen, node, "template_render", key);
+        }
+      }
+    }
+
+    // --- SSRF sinks ---
+    if (target.type === "member" && target.object) {
+      if (
+        isPyHttpClient(target.object, imports, httpClientVars) &&
+        /^(get|post|put|delete|patch|request|head|options)$/.test(target.name)
+      ) {
+        if (args.length > 0 && !isPyConstant(args[0])) {
+          addPySink(sinks, seen, node, "http_request", key, [args[0]]);
+        }
+      }
+    }
+    // urllib.request.urlopen
+    if (target.type === "member" && target.object) {
+      if (/urllib.*request/.test(target.object) && target.name === "urlopen") {
+        if (args.length > 0 && !isPyConstant(args[0])) {
+          addPySink(sinks, seen, node, "http_request", key, [args[0]]);
+        }
+      }
+    }
+
+    // --- Redirect sinks ---
+    if (target.type === "direct" && target.name === "redirect") {
+      if (args.length > 0 && !isPyConstant(args[0])) {
+        addPySink(sinks, seen, node, "redirect", key, [args[0]]);
+      }
+    }
+    if (target.type === "direct" && target.name === "HttpResponseRedirect") {
+      if (args.length > 0 && !isPyConstant(args[0])) {
+        addPySink(sinks, seen, node, "redirect", key, [args[0]]);
+      }
+    }
+
+    // --- Eval sinks ---
+    if (target.type === "direct" && /^(eval|exec|compile)$/.test(target.name)) {
+      if (args.length > 0 && !isPyConstant(args[0])) {
+        addPySink(sinks, seen, node, "eval", key);
+      }
+    }
+
+    // --- Prompt / LLM sinks (comprehensive) ---
+    const llmSinks = detectPythonLLMSinks(node, target, args, imports);
+    for (const llmSink of llmSinks) {
+      addPySink(sinks, seen, llmSink.node, llmSink.sinkType, key);
+    }
+
+    return false;
+  });
+
+  return sinks;
+}
+
+function addPySink(
+  sinks: TaintSink[],
+  seen: Set<string>,
+  node: Parser.SyntaxNode,
+  sinkType: TaintSinkType,
+  key: string,
+  relevantArgNodes?: Parser.SyntaxNode[],
+): void {
+  const fullKey = `${key}:${sinkType}`;
+  if (seen.has(fullKey)) return;
+  seen.add(fullKey);
+
+  const sink: TaintSink = {
+    node,
+    line: node.startPosition.row + 1,
+    expression: node.text.slice(0, 200),
+    sinkType,
+    vulnerableToKinds: new Set(SINK_KIND_MAP[sinkType]),
+  };
+  if (relevantArgNodes) {
+    sink.relevantArgNodes = relevantArgNodes;
+  }
+  sinks.push(sink);
+}