@oculum/scanner 1.0.14 → 1.0.15

package/src/model/sink-patterns.ts

@@ -1,109 +0,0 @@
-/**
- * Shared Sink Patterns — Canonical list of dangerous sink patterns.
- *
- * Single source of truth for sink detection patterns used by:
- * - sink-matcher.ts (intra-file taint path matching)
- * - function-classifier.ts (exported function profiling)
- * - cross-file-taint.ts (cross-file taint analysis)
- */
-
-import type { SinkType } from './taint-types'
-
-// ============================================================================
-// Types
-// ============================================================================
-
-export interface SinkPattern {
-  pattern: RegExp
-  sinkType: SinkType
-}
-
-// ============================================================================
-// Canonical Sink Patterns
-// ============================================================================
-
-export const SINK_PATTERNS: SinkPattern[] = [
-  // SQL injection
-  { pattern: /\.query\s*\(/, sinkType: 'sql_query' },
-  { pattern: /\.raw\s*\(/, sinkType: 'sql_query' },
-  { pattern: /\.execute\s*\(/, sinkType: 'sql_query' },
-  { pattern: /\bsequelize\.query\s*\(/, sinkType: 'sql_query' },
-  { pattern: /\bknex\.raw\s*\(/, sinkType: 'sql_query' },
-  { pattern: /\bcursor\.execute\s*\(/, sinkType: 'sql_query' },
-
-  // Code execution
-  { pattern: /\beval\s*\(/, sinkType: 'eval' },
-  { pattern: /new\s+Function\s*\(/, sinkType: 'eval' },
-
-  // Command execution (Node.js)
-  { pattern: /\bexec\s*\(/, sinkType: 'exec' },
-  { pattern: /\bexecSync\s*\(/, sinkType: 'exec' },
-  { pattern: /\bspawn\s*\(/, sinkType: 'exec' },
-  { pattern: /\bchild_process\./, sinkType: 'exec' },
-
-  // Command execution (Python)
-  { pattern: /\bsubprocess\.run\s*\(/, sinkType: 'command_exec' },
-  { pattern: /\bsubprocess\.call\s*\(/, sinkType: 'command_exec' },
-  { pattern: /\bsubprocess\.Popen\s*\(/, sinkType: 'command_exec' },
-  { pattern: /\bos\.system\s*\(/, sinkType: 'command_exec' },
-  { pattern: /\bos\.popen\s*\(/, sinkType: 'command_exec' },
-
-  // XSS / DOM injection
-  { pattern: /\.innerHTML\s*=/, sinkType: 'inner_html' },
-  { pattern: /\bdangerouslySetInnerHTML\b/, sinkType: 'inner_html' },
-  { pattern: /\bdocument\.write\s*\(/, sinkType: 'inner_html' },
-
-  // HTTP requests (SSRF)
-  { pattern: /\bfetch\s*\(/, sinkType: 'http_request' },
-  { pattern: /\baxios\.\w+\s*\(/, sinkType: 'http_request' },
-  { pattern: /\bgot\s*\(/, sinkType: 'http_request' },
-  { pattern: /\bhttp\.request\s*\(/, sinkType: 'http_request' },
-  { pattern: /\bhttps\.request\s*\(/, sinkType: 'http_request' },
-  { pattern: /\brequests\.\w+\s*\(/, sinkType: 'http_request' },
-
-  // Redirects
-  { pattern: /\bres\.redirect\s*\(/, sinkType: 'redirect' },
-  { pattern: /\bResponse\.redirect\s*\(/, sinkType: 'redirect' },
-  { pattern: /\blocation\.href\s*=/, sinkType: 'redirect' },
-  { pattern: /\bwindow\.location\s*=/, sinkType: 'redirect' },
-
-  // File system
-  { pattern: /\bfs\.writeFile\b/, sinkType: 'file_write' },
-  { pattern: /\bfs\.writeFileSync\b/, sinkType: 'file_write' },
-  { pattern: /\bcreateWriteStream\s*\(/, sinkType: 'file_write' },
-  { pattern: /\bfs\.readFile\b/, sinkType: 'path_access' },
-  { pattern: /\bfs\.readFileSync\b/, sinkType: 'path_access' },
-  { pattern: /\bpath\.join\s*\(/, sinkType: 'path_access' },
-  { pattern: /\bpath\.resolve\s*\(/, sinkType: 'path_access' },
-
-  // Template rendering
-  { pattern: /\bpug\.compile\s*\(/, sinkType: 'template_render' },
-  { pattern: /\bejs\.render\s*\(/, sinkType: 'template_render' },
-  { pattern: /\bhandlebars\.compile\s*\(/, sinkType: 'template_render' },
-
-  // Regex construction (ReDoS)
-  { pattern: /new\s+RegExp\s*\(/, sinkType: 'regex_constructor' },
-  { pattern: /\bre\.compile\s*\(/, sinkType: 'regex_constructor' },
-
-  // Dynamic imports
-  { pattern: /\bimport\s*\(/, sinkType: 'dynamic_import' },
-  { pattern: /\brequire\s*\(/, sinkType: 'dynamic_import' },
-
-  // Deserialization
-  { pattern: /\bJSON\.parse\s*\(/, sinkType: 'deserialization' },
-  { pattern: /\bpickle\.load\s*\(/, sinkType: 'deserialization' },
-  { pattern: /\bpickle\.loads\s*\(/, sinkType: 'deserialization' },
-  { pattern: /\byaml\.load\s*\(/, sinkType: 'deserialization' },
-  { pattern: /\byaml\.unsafe_load\s*\(/, sinkType: 'deserialization' },
-]
-
-// ============================================================================
-// Shared Utilities
-// ============================================================================
-
-/**
- * Escape special regex characters in a string for use in RegExp constructors.
- */
-export function escapeRegex(str: string): string {
-  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
-}

package/src/model/source-discovery.ts

@@ -1,209 +0,0 @@
-/**
- * Source Discovery — Identifies user-input sources in code files.
- *
- * Scans for framework-specific patterns (Express, Next.js, Flask, Django, etc.)
- * that represent user-controllable input entering the application.
- */
-
-import type { UserInputSource, UserInputSourceType } from './taint-types'
-
-// ============================================================================
-// Framework Source Patterns
-// ============================================================================
-
-interface SourcePattern {
-  /** Regex to match the source expression in code */
-  pattern: RegExp
-  /** What type of user input this represents */
-  sourceType: UserInputSourceType
-  /** Which framework this pattern belongs to */
-  framework: string
-  /** Confidence in this being actual user input */
-  confidence: 'high' | 'medium' | 'low'
-}
-
-const SOURCE_PATTERNS: SourcePattern[] = [
-  // --- Express/Node.js ---
-  { pattern: /\breq\.body\b/, sourceType: 'http_body', framework: 'express', confidence: 'high' },
-  { pattern: /\breq\.query\b/, sourceType: 'http_query', framework: 'express', confidence: 'high' },
-  { pattern: /\breq\.params\b/, sourceType: 'http_params', framework: 'express', confidence: 'high' },
-  { pattern: /\breq\.headers\b/, sourceType: 'http_headers', framework: 'express', confidence: 'high' },
-  { pattern: /\breq\.cookies\b/, sourceType: 'http_headers', framework: 'express', confidence: 'high' },
-
-  // --- Koa ---
-  { pattern: /\bctx\.request\.body\b/, sourceType: 'http_body', framework: 'koa', confidence: 'high' },
-  { pattern: /\bctx\.query\b/, sourceType: 'http_query', framework: 'koa', confidence: 'high' },
-
-  // --- Next.js App Router ---
-  { pattern: /\bsearchParams\b/, sourceType: 'http_query', framework: 'nextjs', confidence: 'medium' },
-  { pattern: /\bformData\b/, sourceType: 'form_data', framework: 'nextjs', confidence: 'medium' },
-
-  // --- Browser APIs ---
-  { pattern: /\bdocument\.location\b/, sourceType: 'url_search_params', framework: 'browser', confidence: 'medium' },
-  { pattern: /\bwindow\.location\b/, sourceType: 'url_search_params', framework: 'browser', confidence: 'medium' },
-  { pattern: /\blocation\.search\b/, sourceType: 'url_search_params', framework: 'browser', confidence: 'medium' },
-  { pattern: /\blocation\.hash\b/, sourceType: 'url_search_params', framework: 'browser', confidence: 'medium' },
-  { pattern: /new\s+URLSearchParams\b/, sourceType: 'url_search_params', framework: 'browser', confidence: 'medium' },
-  { pattern: /\bdocument\.cookie\b/, sourceType: 'http_headers', framework: 'browser', confidence: 'medium' },
-  { pattern: /\bevent\.target\.value\b/, sourceType: 'form_data', framework: 'browser', confidence: 'medium' },
-
-  // --- WebSocket ---
-  { pattern: /\bws\.on\s*\(\s*['"]message['"]/, sourceType: 'websocket_message', framework: 'websocket', confidence: 'medium' },
-  { pattern: /\bsocket\.on\s*\(\s*['"]message['"]/, sourceType: 'websocket_message', framework: 'websocket', confidence: 'medium' },
-
-  // --- AWS Lambda ---
-  { pattern: /\bevent\.body\b/, sourceType: 'http_body', framework: 'aws-lambda', confidence: 'high' },
-  { pattern: /\bevent\.queryStringParameters\b/, sourceType: 'http_query', framework: 'aws-lambda', confidence: 'high' },
-
-  // --- Python Flask ---
-  { pattern: /\brequest\.args\b/, sourceType: 'http_query', framework: 'flask', confidence: 'high' },
-  { pattern: /\brequest\.form\b/, sourceType: 'form_data', framework: 'flask', confidence: 'high' },
-  { pattern: /\brequest\.json\b/, sourceType: 'http_body', framework: 'flask', confidence: 'high' },
-  { pattern: /\brequest\.data\b/, sourceType: 'http_body', framework: 'flask', confidence: 'high' },
-
-  // --- Python Django ---
-  { pattern: /\brequest\.GET\b/, sourceType: 'http_query', framework: 'django', confidence: 'high' },
-  { pattern: /\brequest\.POST\b/, sourceType: 'form_data', framework: 'django', confidence: 'high' },
-  { pattern: /\brequest\.body\b/, sourceType: 'http_body', framework: 'django', confidence: 'high' },
-
-  // --- CLI ---
-  { pattern: /\bprocess\.argv\b/, sourceType: 'cli_args', framework: 'node', confidence: 'low' },
-  { pattern: /\bsys\.argv\b/, sourceType: 'cli_args', framework: 'python', confidence: 'low' },
-  { pattern: /\binput\s*\(/, sourceType: 'cli_args', framework: 'python', confidence: 'low' },
-]
-
-// ============================================================================
-// Variable Extraction
-// ============================================================================
-
-/** Pattern for direct assignment: const/let/var NAME = ... */
-const DIRECT_ASSIGNMENT = /\b(?:const|let|var)\s+(\w+)\s*=\s*(.+)/
-
-/** Pattern for destructuring: const/let/var { A, B } = ... */
-const DESTRUCTURE_ASSIGNMENT = /\b(?:const|let|var)\s+\{\s*([^}]+)\}\s*=\s*(.+)/
-
-/** Pattern for array destructuring: const/let/var [ A, B ] = ... */
-const ARRAY_DESTRUCTURE = /\b(?:const|let|var)\s+\[\s*([^\]]+)\]\s*=\s*(.+)/
-
-/**
- * Extract variable name(s) from an assignment line that contains a source expression.
- */
-function extractVariables(line: string, sourceExpression: string): string[] {
-  const variables: string[] = []
-
-  // Try destructuring first: const { a, b } = req.body
-  const destructureMatch = line.match(DESTRUCTURE_ASSIGNMENT)
-  if (destructureMatch) {
-    const rhs = destructureMatch[2].trim()
-    if (rhs.includes(sourceExpression) || sourceMatchesRhs(rhs, sourceExpression)) {
-      const names = destructureMatch[1].split(',').map(n => {
-        // Handle renaming: `originalName: newName`
-        const parts = n.trim().split(':')
-        return (parts.length > 1 ? parts[1] : parts[0]).trim()
-      }).filter(n => n.length > 0 && n !== '...')
-      variables.push(...names)
-    }
-    return variables
-  }
-
-  // Try array destructuring: const [ a, b ] = ...
-  const arrayMatch = line.match(ARRAY_DESTRUCTURE)
-  if (arrayMatch) {
-    const rhs = arrayMatch[2].trim()
-    if (rhs.includes(sourceExpression) || sourceMatchesRhs(rhs, sourceExpression)) {
-      const names = arrayMatch[1].split(',').map(n => n.trim()).filter(n => n.length > 0 && n !== '...')
-      variables.push(...names)
-    }
-    return variables
-  }
-
-  // Try direct assignment: const name = req.body
-  const directMatch = line.match(DIRECT_ASSIGNMENT)
-  if (directMatch) {
-    const rhs = directMatch[2].trim()
-    if (rhs.includes(sourceExpression) || sourceMatchesRhs(rhs, sourceExpression)) {
-      variables.push(directMatch[1])
-    }
-  }
-
-  return variables
-}
-
-/**
- * Check if a source pattern's expression is part of the RHS of an assignment.
- */
-function sourceMatchesRhs(rhs: string, sourceExpression: string): boolean {
-  // Handle cases like `req.body.email` matching the `req.body` source
-  return rhs.includes(sourceExpression)
-}
-
-// ============================================================================
-// Main Discovery Function
-// ============================================================================
-
-/**
- * Discover user-input sources in a file.
- *
- * Scans each line for framework-specific input patterns and extracts
- * the variable names that receive user-controlled data.
- */
-export function discoverSources(content: string, filePath: string): UserInputSource[] {
-  const lines = content.split('\n')
-  const sources: UserInputSource[] = []
-  const seen = new Set<string>()
-
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i]
-    const lineNumber = i + 1
-
-    // Skip comments
-    const trimmed = line.trim()
-    if (trimmed.startsWith('//') || trimmed.startsWith('*') || trimmed.startsWith('/*')) {
-      continue
-    }
-
-    for (const sp of SOURCE_PATTERNS) {
-      const match = sp.pattern.exec(line)
-      if (!match) continue
-
-      const expression = match[0]
-
-      // Extract variables assigned from this source
-      const variables = extractVariables(line, expression)
-
-      if (variables.length > 0) {
-        for (const variable of variables) {
-          const key = `${lineNumber}:${variable}:${sp.sourceType}`
-          if (seen.has(key)) continue
-          seen.add(key)
-
-          sources.push({
-            line: lineNumber,
-            expression,
-            variable,
-            sourceType: sp.sourceType,
-            frameworkSource: sp.framework,
-            confidence: sp.confidence,
-          })
-        }
-      } else {
-        // Source found but no variable assignment (e.g., inline usage like `db.query(req.query.id)`)
-        // Still record it — the taint tracker and sink matcher can use the expression directly
-        const key = `${lineNumber}:${expression}:${sp.sourceType}`
-        if (seen.has(key)) continue
-        seen.add(key)
-
-        sources.push({
-          line: lineNumber,
-          expression,
-          variable: expression,
-          sourceType: sp.sourceType,
-          frameworkSource: sp.framework,
-          confidence: sp.confidence,
-        })
-      }
-    }
-  }
-
-  return sources
-}

package/src/model/taint-tracker.ts

@@ -1,333 +0,0 @@
-/**
- * Taint Propagation Tracker — Propagates taint through variable assignments.
- *
- * Walks lines forward from discovered sources, tracking how tainted data
- * flows through assignments, destructuring, template literals, etc.
- * Marks variables as sanitised when they pass through known sanitisers.
- */
-
-import type { UserInputSource, TaintedVariable, TaintPropagationType } from './taint-types'
-import type { SanitiserInfo } from './taint-types'
-import { isSanitiserCall } from './sanitiser-detection'
-
-// ============================================================================
-// Scope Tracking
-// ============================================================================
-
-/**
- * Track brace depth for approximate scope analysis.
- * Counts { and } while ignoring those inside string literals and comments.
- */
-function countBraceChanges(line: string, inMultiLineComment: boolean): { delta: number; inComment: boolean } {
-  let delta = 0
-  let inComment = inMultiLineComment
-  let inString: string | null = null
-  let escaped = false
-
-  for (let i = 0; i < line.length; i++) {
-    const ch = line[i]
-    const next = i < line.length - 1 ? line[i + 1] : ''
-
-    if (escaped) {
-      escaped = false
-      continue
-    }
-
-    if (ch === '\\') {
-      escaped = true
-      continue
-    }
-
-    // Handle multi-line comments
-    if (inComment) {
-      if (ch === '*' && next === '/') {
-        inComment = false
-        i++ // skip /
-      }
-      continue
-    }
-
-    // Handle single-line comments
-    if (!inString && ch === '/' && next === '/') {
-      break // rest of line is comment
-    }
-
-    // Handle multi-line comment start
-    if (!inString && ch === '/' && next === '*') {
-      inComment = true
-      i++ // skip *
-      continue
-    }
-
-    // Handle string literals
-    if (!inString && (ch === '"' || ch === "'" || ch === '`')) {
-      inString = ch
-      continue
-    }
-
-    if (inString && ch === inString) {
-      inString = null
-      continue
-    }
-
-    // Count braces outside strings and comments
-    if (!inString) {
-      if (ch === '{') delta++
-      if (ch === '}') delta--
-    }
-  }
-
-  return { delta, inComment }
-}
-
-// ============================================================================
-// Propagation Detection
-// ============================================================================
-
-/** Check if a tainted variable appears on the right side of an expression */
-function findTaintedVarInExpression(
-  line: string,
-  taintedVars: Map<string, TaintedVariable>
-): { varName: string; variable: TaintedVariable } | null {
-  for (const [name, tv] of taintedVars) {
-    // Use word boundary to avoid partial matches (e.g., "url" matching "urlParser")
-    const regex = new RegExp(`\\b${escapeRegex(name)}\\b`)
-    if (regex.test(line)) {
-      return { varName: name, variable: tv }
-    }
-  }
-  return null
-}
-
-function escapeRegex(str: string): string {
-  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
-}
-
-/**
- * Detect what type of propagation is happening on a line.
- */
-function detectPropagationType(line: string): TaintPropagationType | null {
-  const trimmed = line.trim()
-
-  // Destructuring: const { a, b } = taintedVar
-  if (/(?:const|let|var)\s+\{[^}]+\}\s*=/.test(trimmed)) {
-    return 'destructure'
-  }
-
-  // Spread: { ...taintedVar }
-  if (/\.\.\.\w+/.test(trimmed)) {
-    return 'spread'
-  }
-
-  // Template literal: `${taintedVar}`
-  if (/`[^`]*\$\{[^}]+\}[^`]*`/.test(trimmed)) {
-    return 'template_literal'
-  }
-
-  // String concatenation: "..." + taintedVar
-  if (/['"][^'"]*['"]\s*\+/.test(trimmed) || /\+\s*['"][^'"]*['"]/.test(trimmed)) {
-    return 'string_concat'
-  }
-
-  // Ternary/nullish: taintedVar ?? default, taintedVar || default
-  if (/\?\?|\|\|/.test(trimmed) && /(?:const|let|var)\s+\w+\s*=/.test(trimmed)) {
-    return 'ternary'
-  }
-
-  // Array push: arr.push(taintedVar)
-  if (/\.push\s*\(/.test(trimmed)) {
-    return 'array_push'
-  }
-
-  // Object spread: { ...taintedVar, key: value }
-  if (/\{[^}]*\.\.\.\w+/.test(trimmed)) {
-    return 'object_spread'
-  }
-
-  // Method chain: taintedVar.trim().toLowerCase() — result still tainted
-  if (/\.\w+\s*\(/.test(trimmed)) {
-    return 'method_chain'
-  }
-
-  // Direct assignment: const x = taintedVar
-  if (/(?:const|let|var)\s+\w+\s*=/.test(trimmed) || /\w+\s*=(?!=)/.test(trimmed)) {
-    return 'direct_assignment'
-  }
-
-  return null
-}
-
-/**
- * Extract the newly assigned variable name from a line.
- */
-function extractAssignedVariable(line: string): string[] {
-  const trimmed = line.trim()
-
-  // Destructuring: const { a, b } = ...
-  const destructMatch = trimmed.match(/(?:const|let|var)\s+\{\s*([^}]+)\}\s*=/)
-  if (destructMatch) {
-    return destructMatch[1].split(',').map(n => {
-      const parts = n.trim().split(':')
-      return (parts.length > 1 ? parts[1] : parts[0]).trim()
-    }).filter(n => n.length > 0 && n !== '...')
-  }
-
-  // Array destructuring: const [a, b] = ...
-  const arrayMatch = trimmed.match(/(?:const|let|var)\s+\[\s*([^\]]+)\]\s*=/)
-  if (arrayMatch) {
-    return arrayMatch[1].split(',').map(n => n.trim()).filter(n => n.length > 0 && n !== '...')
-  }
-
-  // Direct assignment: const x = ... or let x = ...
-  const directMatch = trimmed.match(/(?:const|let|var)\s+(\w+)\s*=/)
-  if (directMatch) {
-    return [directMatch[1]]
-  }
-
-  // Re-assignment: x = ... (no const/let/var)
-  const reassignMatch = trimmed.match(/^(\w+)\s*=(?!=)/)
-  if (reassignMatch) {
-    return [reassignMatch[1]]
-  }
-
-  return []
-}
-
-/**
- * Determine variable scope type from declaration keyword.
- */
-function getDeclarationType(line: string): 'block' | 'function' | 'reassign' {
-  const trimmed = line.trim()
-  if (/^(?:const|let)\b/.test(trimmed)) return 'block'
-  if (/^var\b/.test(trimmed)) return 'function'
-  return 'reassign'
-}
-
-// ============================================================================
-// Main Propagation Function
-// ============================================================================
-
-/**
- * Propagate taint through variable assignments in a file.
- *
- * Algorithm:
- * 1. Initialize tainted vars from sources
- * 2. Walk lines forward, tracking brace depth for scope
- * 3. For each line, check if any tainted var appears on the right side
- * 4. If sanitiser wraps the expression, mark sanitised
- * 5. When exiting a scope, remove block-scoped (const/let) vars at that depth
- */
-export function propagateTaint(
-  content: string,
-  _filePath: string,
-  sources: UserInputSource[],
-  sanitisers: SanitiserInfo[]
-): TaintedVariable[] {
-  const lines = content.split('\n')
-  const taintedVars = new Map<string, TaintedVariable>()
-  const allTaintedVars: TaintedVariable[] = []
-
-  // Track scope for variable lifetime
-  let braceDepth = 0
-  let inMultiLineComment = false
-  const scopeVars = new Map<string, number>() // variable name -> declared scope depth
-
-  // Initialize tainted vars from sources
-  for (const source of sources) {
-    const tv: TaintedVariable = {
-      name: source.variable,
-      taintedAt: source.line,
-      source,
-      propagation: 'direct_assignment',
-      sanitised: false,
-      scopeDepth: 0,
-    }
-    taintedVars.set(source.variable, tv)
-    allTaintedVars.push(tv)
-  }
-
-  // Walk lines forward
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i]
-    const lineNumber = i + 1
-    const trimmed = line.trim()
-
-    // Skip empty lines and comments
-    if (trimmed === '' || trimmed.startsWith('//')) {
-      continue
-    }
-
-    // Update brace depth
-    const braceResult = countBraceChanges(line, inMultiLineComment)
-    inMultiLineComment = braceResult.inComment
-
-    // Handle scope exit: remove block-scoped vars declared at the exiting depth
-    if (braceResult.delta < 0) {
-      const newDepth = braceDepth + braceResult.delta
-      for (const [varName, declDepth] of scopeVars) {
-        if (declDepth > newDepth) {
-          taintedVars.delete(varName)
-          scopeVars.delete(varName)
-        }
-      }
-    }
-
-    braceDepth = Math.max(0, braceDepth + braceResult.delta)
-
-    // Skip lines that are only closing braces
-    if (/^[}\])\s;]*$/.test(trimmed)) continue
-
-    // Check if any tainted variable appears in this line (on the right side of an assignment)
-    const found = findTaintedVarInExpression(line, taintedVars)
-    if (!found) continue
-
-    // Check if this line is an assignment that creates a new tainted variable
-    const assignedVars = extractAssignedVariable(line)
-    if (assignedVars.length === 0) continue
-
-    // Don't re-taint the same variable (e.g., `userInput = userInput.trim()`)
-    const newVars = assignedVars.filter(v => v !== found.varName)
-    if (newVars.length === 0) {
-      // Still might be a method chain on the same variable — update it
-      // Check if sanitiser is applied
-      const sanitResult = isSanitiserCall(line, sanitisers)
-      if (sanitResult.sanitised && taintedVars.has(found.varName)) {
-        const existing = taintedVars.get(found.varName)!
-        existing.sanitised = true
-        existing.sanitisedAt = lineNumber
-        existing.sanitisationMethod = sanitResult.method
-      }
-      continue
-    }
-
-    // Detect propagation type
-    const propagationType = detectPropagationType(line) ?? 'direct_assignment'
-    const declType = getDeclarationType(line)
-
-    // Check if sanitised at this assignment
-    const sanitResult = isSanitiserCall(line, sanitisers)
-
-    for (const varName of newVars) {
-      const tv: TaintedVariable = {
-        name: varName,
-        taintedAt: lineNumber,
-        source: found.variable.source,
-        propagation: propagationType,
-        sanitised: sanitResult.sanitised,
-        sanitisedAt: sanitResult.sanitised ? lineNumber : undefined,
-        sanitisationMethod: sanitResult.method,
-        scopeDepth: braceDepth,
-      }
-
-      taintedVars.set(varName, tv)
-      allTaintedVars.push(tv)
-
-      // Track scope for block-scoped vars
-      if (declType === 'block') {
-        scopeVars.set(varName, braceDepth)
-      }
-    }
-  }
-
-  return allTaintedVars
-}