@oculum/scanner 1.0.14 → 1.0.15

package/dist/taint/sink-classifier.js

@@ -0,0 +1,1166 @@
+"use strict";
+/**
+ * AST-Based Sink Classifier
+ *
+ * Identifies dangerous sinks using AST analysis with taint-kind awareness.
+ * Replaces regex-based model/sink-patterns.ts + model/sink-matcher.ts.
+ *
+ * Key improvements over regex:
+ * - `.query()` only flagged when called on a DB client (not React Query)
+ * - `fetch()` only flagged when URL is dynamic (not a static string)
+ * - Each sink reports which taint kinds make it dangerous
+ * - AI-specific sinks: prompt construction, system prompt manipulation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.classifySinks = classifySinks;
+const ast_1 = require("../parse/ast");
+const helpers_1 = require("./helpers");
+const call_analysis_1 = require("../detect/ast-rules/helpers/call-analysis");
+const scope_analysis_1 = require("../detect/ast-rules/helpers/scope-analysis");
+const llm_registry_1 = require("./llm-registry");
+const python_helpers_1 = require("../detect/ast-rules/helpers/python-helpers");
+// ============================================================================
+// Sink → Vulnerable Taint Kinds
+// ============================================================================
+const SINK_KIND_MAP = {
+    sql_query: ["sql"],
+    nosql_query: ["sql"], // NoSQL injection uses 'sql' kind (query manipulation)
+    eval: ["command"],
+    exec: ["command"],
+    inner_html: ["xss"],
+    http_request: ["ssrf"],
+    redirect: ["ssrf"],
+    file_write: ["path"],
+    path_access: ["path"],
+    template_render: ["xss"],
+    command_exec: ["command"],
+    regex_constructor: [], // ReDoS — not command injection, suppress taint findings
+    dynamic_import: ["path"],
+    deserialization: ["command"],
+    response_body: ["xss"], // Reflected XSS via API response
+    header_injection: ["xss"], // CRLF injection via response headers
+    prompt_construction: ["prompt"],
+    system_prompt: ["prompt"],
+};
+// ============================================================================
+// Database Client Detection
+// ============================================================================
+/** Import module patterns that indicate a database client */
+const DB_CLIENT_MODULES = [
+    /^pg$/,
+    /^mysql2?$/,
+    /^better-sqlite3$/,
+    /^sqlite3$/,
+    /^@prisma\/client$/,
+    /^prisma$/,
+    /^knex$/,
+    /^sequelize$/,
+    /^typeorm$/,
+    /^drizzle-orm$/,
+    /^@?planetscale/,
+    /^@neondatabase/,
+    /^@supabase\/supabase-js$/,
+    /^mssql$/,
+    /^tedious$/,
+    /^oracledb$/,
+    /^mongoose$/,
+];
+/** Variable names commonly used for DB clients */
+const DB_CLIENT_NAMES = /^(db|pool|client|connection|conn|knex|prisma|sequelize|sql|supabase|pgClient|pgPool|mysql|mongo)$/i;
+// ============================================================================
+// NoSQL / MongoDB Client Detection
+// ============================================================================
+const NOSQL_CLIENT_MODULES = [/^mongodb$/, /^mongoose$/];
+const NOSQL_CLIENT_NAMES = /^(collection|db|mongo|mongoose|Model)$/i;
+/** MongoDB query methods that accept user-controlled filter objects */
+const NOSQL_QUERY_METHODS = /^(find|findOne|findOneAndUpdate|findOneAndDelete|findOneAndReplace|updateOne|updateMany|deleteOne|deleteMany|aggregate|countDocuments|distinct|replaceOne)$/;
+/** Response/result sink methods — sending data back to client */
+const RESPONSE_METHODS = /^(send|write|end|jsonp)$/;
+const RESPONSE_OBJECT_NAMES = /^(res|response|reply|ctx)$/;
+/** Header setting methods */
+const HEADER_METHODS = /^(setHeader|header|set|writeHead|append)$/;
+/** Response headers where dynamic values carry real security risk */
+const SECURITY_SENSITIVE_HEADERS = /^(location|set-cookie|refresh|link)$/i;
+function isSecuritySensitiveHeader(name) {
+    return SECURITY_SENSITIVE_HEADERS.test(name);
+}
+function extractConstantString(node) {
+    if (node.type === "string") {
+        const fragment = node.descendantsOfType("string_fragment");
+        if (fragment.length > 0)
+            return fragment[0].text;
+        const text = node.text;
+        if ((text.startsWith("'") && text.endsWith("'")) ||
+            (text.startsWith('"') && text.endsWith('"'))) {
+            return text.slice(1, -1);
+        }
+        return null;
+    }
+    if (node.type === "template_string") {
+        if (node.descendantsOfType("template_substitution").length > 0)
+            return null;
+        const text = node.text;
+        return text.startsWith("`") && text.endsWith("`")
+            ? text.slice(1, -1)
+            : null;
+    }
+    return null;
+}
+function hasHardcodedBaseURL(node) {
+    if (node.type !== "template_string")
+        return false;
+    const subs = node.descendantsOfType("template_substitution");
+    if (subs.length === 0)
+        return false;
+    for (const child of node.children) {
+        if (child.type === "string_fragment" ||
+            child.type === "template_string_fragment") {
+            return /^https?:\/\//.test(child.text);
+        }
+        if (child.type === "template_substitution")
+            return false;
+    }
+    return false;
+}
+/** Config object name patterns for redirect URL suppression */
+const CONFIG_OBJ_RE = /^(appCfg|config|settings|cfg|appConfig|dify_config|serverConfig|envConfig)$/i;
+const CONFIG_URL_PROP_RE = /url|host|base|origin|endpoint|domain|callback|redirect/i;
+/** Check if a redirect argument is a config-controlled URL (not user input) */
+function isConfigControlledRedirectURL(node) {
+    // Config object access: appCfg.SITE_URL, config.API_BASE
+    if (node.type === "member_expression") {
+        const obj = node.childForFieldName("object");
+        const prop = node.childForFieldName("property");
+        if (obj &&
+            prop &&
+            CONFIG_OBJ_RE.test(obj.text) &&
+            CONFIG_URL_PROP_RE.test(prop.text))
+            return true;
+    }
+    // Env var URL patterns: process.env.*_URL, *_BASE, *_HOST
+    if (node.type === "member_expression" &&
+        /^process\.env\.\w+(?:_URL|_BASE|_HOST|_ORIGIN|_ENDPOINT|_DOMAIN)$/i.test(node.text)) {
+        return true;
+    }
+    // Template literals where first interpolation is config
+    if (node.type === "template_string") {
+        for (const child of node.children) {
+            if (child.type === "template_substitution") {
+                const expr = child.namedChildren[0];
+                if (expr && isConfigControlledRedirectURL(expr))
+                    return true;
+                break;
+            }
+        }
+    }
+    return false;
+}
+function isURLArgDynamic(args) {
+    if (args.length === 0)
+        return false;
+    const urlArg = args[0];
+    if ((0, scope_analysis_1.isConstant)(urlArg))
+        return false;
+    if (hasHardcodedBaseURL(urlArg))
+        return false;
+    return true;
+}
+// ============================================================================
+// HTTP Client Detection
+// ============================================================================
+const HTTP_CLIENT_MODULES = [
+    /^axios$/,
+    /^node-fetch$/,
+    /^got$/,
+    /^undici$/,
+    /^ky$/,
+    /^https?$/,
+    /^superagent$/,
+];
+// ============================================================================
+// Internal Helpers
+// ============================================================================
+function isDbClient(objText, imports) {
+    // Check if the full object text is a known DB client by name
+    if (DB_CLIENT_NAMES.test(objText))
+        return true;
+    // Check each part of a dotted chain (e.g., `models.sequelize` → check `sequelize`)
+    const parts = objText.split(".");
+    for (const part of parts) {
+        if (DB_CLIENT_NAMES.test(part))
+            return true;
+    }
+    // Check if imported from a DB module
+    const rootObj = parts[0];
+    const binding = imports.get(rootObj);
+    if (binding) {
+        return DB_CLIENT_MODULES.some((p) => p.test(binding.module));
+    }
+    return false;
+}
+function isNoSQLClient(objText, imports) {
+    if (NOSQL_CLIENT_NAMES.test(objText))
+        return true;
+    const parts = objText.split(".");
+    for (const part of parts) {
+        if (NOSQL_CLIENT_NAMES.test(part))
+            return true;
+    }
+    const rootObj = parts[0];
+    const binding = imports.get(rootObj);
+    if (binding) {
+        return NOSQL_CLIENT_MODULES.some((p) => p.test(binding.module));
+    }
+    return false;
+}
+function isHttpClient(objText, imports) {
+    const binding = imports.get(objText);
+    if (binding) {
+        return HTTP_CLIENT_MODULES.some((p) => p.test(binding.module));
+    }
+    return /^(axios|got|ky|superagent|http|https)$/i.test(objText);
+}
+/**
+ * Check if a NoSQL query's first argument is a safe object literal.
+ * Safe = object with simple field:value pairs, no $ operators, no nested objects.
+ */
+function isSafeNoSQLQuery(args) {
+    if (args.length === 0)
+        return false;
+    const firstArg = args[0];
+    if (firstArg.type !== "object")
+        return false;
+    const pairs = firstArg.namedChildren.filter((c) => c.type === "pair");
+    if (pairs.length === 0)
+        return false;
+    for (const pair of pairs) {
+        const key = pair.childForFieldName("key");
+        if (!key)
+            return false;
+        const keyText = key.text.replace(/['"]/g, "");
+        // If key starts with $, it's a MongoDB operator — not safe
+        if (keyText.startsWith("$"))
+            return false;
+        const value = pair.childForFieldName("value");
+        if (!value)
+            continue;
+        // Nested objects could contain $ operators — not safe
+        if (value.type === "object")
+            return false;
+    }
+    return true;
+}
+function hasDynamicArg(args) {
+    if (args.length === 0)
+        return false;
+    return args.some((arg) => !(0, scope_analysis_1.isConstant)(arg));
+}
+/** Alias for shared parameterized query detection. */
+const isParameterizedCall = helpers_1.isParameterizedQueryArgs;
+function detectCallSinks(node, aliases, imports) {
+    const target = (0, call_analysis_1.resolveCallTarget)(node, aliases);
+    if (!target)
+        return null;
+    const args = (0, call_analysis_1.getCallArguments)(node);
+    // --- eval / new Function ---
+    if (target.name === "eval" && target.type === "direct") {
+        return { node, sinkType: "eval" };
+    }
+    if (target.type === "new" && target.name === "Function") {
+        return { node, sinkType: "eval" };
+    }
+    // setTimeout/setInterval with string arg
+    if ((target.name === "setTimeout" || target.name === "setInterval") &&
+        target.type === "direct" &&
+        args.length > 0 &&
+        args[0].type === "string") {
+        return { node, sinkType: "eval" };
+    }
+    // --- Command execution ---
+    if (target.name === "exec" || target.name === "execSync") {
+        if (target.type === "direct" ||
+            (target.object && /^(child_process|cp)$/.test(target.object))) {
+            // Only the command string (first arg) matters; callbacks/options are irrelevant
+            if (args.length > 0 && !(0, scope_analysis_1.isConstant)(args[0]))
+                return { node, sinkType: "command_exec", relevantArgNodes: [args[0]] };
+        }
+    }
+    if (target.name === "spawn" ||
+        target.name === "spawnSync" ||
+        target.name === "execFile" ||
+        target.name === "fork") {
+        if (target.type === "direct" ||
+            (target.object && /^(child_process|cp)$/.test(target.object))) {
+            // spawn/execFile with array args uses argv (no shell) — only flag if command name (arg0) is dynamic
+            if (args.length >= 2 && args[1].type === "array") {
+                if (!(0, scope_analysis_1.isConstant)(args[0]))
+                    return {
+                        node,
+                        sinkType: "command_exec",
+                        relevantArgNodes: [args[0]],
+                    };
+            }
+            else if (args.length > 0 && !(0, scope_analysis_1.isConstant)(args[0])) {
+                return { node, sinkType: "command_exec", relevantArgNodes: [args[0]] };
+            }
+        }
+    }
+    // --- SQL sinks ---
+    if (target.name === "query" ||
+        target.name === "raw" ||
+        target.name === "execute") {
+        if (target.object && isDbClient(target.object, imports)) {
+            // Skip parameterized queries — they use bind variables, not string concat
+            if (hasDynamicArg(args) && !isParameterizedCall(args)) {
+                return { node, sinkType: "sql_query" };
+            }
+        }
+        // $queryRaw, $executeRaw (Prisma)
+        if (target.name === "query" && target.object) {
+            if (/\.\$queryRaw$|\.\$executeRaw$/.test(target.fullChain)) {
+                if (hasDynamicArg(args) && !isParameterizedCall(args)) {
+                    return { node, sinkType: "sql_query" };
+                }
+            }
+        }
+    }
+    if (target.name === "$queryRaw" ||
+        target.name === "$executeRaw" ||
+        target.name === "$queryRawUnsafe" ||
+        target.name === "$executeRawUnsafe") {
+        if (hasDynamicArg(args))
+            return { node, sinkType: "sql_query" };
+    }
+    // --- XSS sinks ---
+    if (target.name === "write" || target.name === "writeln") {
+        if (target.object && /^document$/.test(target.object)) {
+            return { node, sinkType: "inner_html" };
+        }
+    }
+    if (target.name === "insertAdjacentHTML") {
+        return { node, sinkType: "inner_html" };
+    }
+    // --- SSRF / HTTP request sinks ---
+    // Only the URL argument (arg 0) is relevant for SSRF — taint in body/headers is not SSRF.
+    if (target.name === "fetch" && target.type === "direct") {
+        if (isURLArgDynamic(args))
+            return { node, sinkType: "http_request", relevantArgNodes: [args[0]] };
+    }
+    if (target.type === "member" && target.object) {
+        if (/^(get|post|put|patch|delete|request)$/.test(target.name) &&
+            (isHttpClient(target.object, imports) ||
+                /^(axios|got|ky|superagent|http|https)$/.test(target.object))) {
+            if (isURLArgDynamic(args))
+                return { node, sinkType: "http_request", relevantArgNodes: [args[0]] };
+        }
+    }
+    // --- Redirect ---
+    if (target.name === "redirect" && target.type === "member") {
+        if (target.object && /^(res|response|Response)$/.test(target.object)) {
+            if (hasDynamicArg(args)) {
+                // Skip config-controlled redirect URLs
+                if (args[0] && isConfigControlledRedirectURL(args[0]))
+                    return null;
+                return { node, sinkType: "redirect", relevantArgNodes: [args[0]] };
+            }
+        }
+    }
+    // --- File system sinks ---
+    if (target.type === "member" &&
+        target.object &&
+        /^(fs|fsp|fsPromises)$/.test(target.object)) {
+        if (/^(writeFile|writeFileSync|appendFile|appendFileSync)$/.test(target.name)) {
+            return { node, sinkType: "file_write" };
+        }
+        if (/^(readFile|readFileSync|readdir|readdirSync|stat|statSync|access|accessSync|unlink|unlinkSync)$/.test(target.name)) {
+            if (hasDynamicArg(args))
+                return { node, sinkType: "path_access" };
+        }
+    }
+    if (target.name === "createWriteStream" ||
+        target.name === "createReadStream") {
+        if (hasDynamicArg(args))
+            return {
+                node,
+                sinkType: target.name.includes("Write") ? "file_write" : "path_access",
+            };
+    }
+    // --- Path access (path.join with dynamic args) ---
+    if (target.type === "member" && target.object === "path") {
+        if (target.name === "join" || target.name === "resolve") {
+            if (hasDynamicArg(args))
+                return { node, sinkType: "path_access" };
+        }
+    }
+    // --- Template rendering ---
+    if (target.type === "member" && target.object) {
+        if (/^(ejs|pug|handlebars|nunjucks|mustache)$/.test(target.object) &&
+            /^(render|compile|renderFile)$/.test(target.name)) {
+            return { node, sinkType: "template_render" };
+        }
+    }
+    // --- RegExp construction ---
+    if (target.type === "new" && target.name === "RegExp") {
+        if (hasDynamicArg(args))
+            return { node, sinkType: "regex_constructor" };
+    }
+    // --- Dynamic import ---
+    // (handled separately for `import()` syntax)
+    // --- NoSQL injection (MongoDB) ---
+    if (NOSQL_QUERY_METHODS.test(target.name) && target.object) {
+        if (isNoSQLClient(target.object, imports) ||
+            isDbClient(target.object, imports)) {
+            if (hasDynamicArg(args)) {
+                // Skip safe NoSQL queries (simple field:value object literals without $ operators)
+                if (isSafeNoSQLQuery(args))
+                    return null;
+                return { node, sinkType: "nosql_query" };
+            }
+        }
+    }
+    // --- Response body reflection (reflected XSS via API) ---
+    if (RESPONSE_METHODS.test(target.name) &&
+        target.type === "member" &&
+        target.object) {
+        if (RESPONSE_OBJECT_NAMES.test(target.object)) {
+            // Skip object literals — Express auto-serializes to JSON (Content-Type: application/json)
+            if (args.length > 0 &&
+                (args[0].type === "object" || args[0].type === "dictionary")) {
+                // Not an XSS vector — JSON responses are safe
+            }
+            else if (hasDynamicArg(args)) {
+                return { node, sinkType: "response_body" };
+            }
+        }
+    }
+    // --- Header injection ---
+    if (HEADER_METHODS.test(target.name) &&
+        target.type === "member" &&
+        target.object) {
+        if (RESPONSE_OBJECT_NAMES.test(target.object)) {
+            // writeHead with dynamic headers object — always flag
+            if (target.name === "writeHead" && hasDynamicArg(args)) {
+                return { node, sinkType: "header_injection" };
+            }
+            // setHeader/header/set/append: check name and value
+            if (args.length >= 2 && !(0, scope_analysis_1.isConstant)(args[args.length - 1])) {
+                // If header name is a known constant, only flag security-sensitive headers
+                if ((0, scope_analysis_1.isConstant)(args[0])) {
+                    const headerName = extractConstantString(args[0]);
+                    if (headerName && !isSecuritySensitiveHeader(headerName)) {
+                        return null; // Safe custom header (e.g., X-Request-Id)
+                    }
+                }
+                return { node, sinkType: "header_injection" };
+            }
+        }
+    }
+    return null;
+}
+/**
+ * Walk an object argument for message-related properties (system, prompt, messages, content).
+ * Returns sink detections for dynamic values in LLM API call arguments.
+ */
+function detectMessageArgSinks(argNode, callNode) {
+    if (argNode.type !== "object")
+        return [];
+    const results = [];
+    // Check "system" property → system_prompt sink
+    const systemValue = (0, call_analysis_1.getObjectLiteralProperty)(argNode, "system");
+    if (systemValue && !(0, scope_analysis_1.isConstant)(systemValue)) {
+        results.push({ node: callNode, sinkType: "system_prompt" });
+    }
+    // Check "prompt" property → prompt_construction sink
+    const promptValue = (0, call_analysis_1.getObjectLiteralProperty)(argNode, "prompt");
+    if (promptValue && !(0, scope_analysis_1.isConstant)(promptValue)) {
+        results.push({ node: callNode, sinkType: "prompt_construction" });
+    }
+    // Check "messages" property → walk array for role/content objects
+    const messagesValue = (0, call_analysis_1.getObjectLiteralProperty)(argNode, "messages");
+    if (messagesValue && messagesValue.type === "array") {
+        for (const elem of messagesValue.namedChildren) {
+            if (elem.type === "object") {
+                const sinkType = classifyMessageObject(elem);
+                if (sinkType) {
+                    results.push({ node: callNode, sinkType });
+                }
+            }
+        }
+    }
+    // Check "content" property directly (some APIs use flat object with content)
+    const contentValue = (0, call_analysis_1.getObjectLiteralProperty)(argNode, "content");
+    if (contentValue &&
+        !(0, scope_analysis_1.isConstant)(contentValue) &&
+        !systemValue &&
+        !messagesValue) {
+        results.push({ node: callNode, sinkType: "prompt_construction" });
+    }
+    return results;
+}
+/**
+ * Classify a message object {role: '...', content: ...} as system_prompt or prompt_construction.
+ * Returns null if content is static.
+ */
+function classifyMessageObject(objNode) {
+    const contentValue = (0, call_analysis_1.getObjectLiteralProperty)(objNode, "content");
+    if (!contentValue || (0, scope_analysis_1.isConstant)(contentValue))
+        return null;
+    const roleValue = (0, call_analysis_1.getObjectLiteralProperty)(objNode, "role");
+    if (roleValue) {
+        const roleText = roleValue.text.replace(/^['"`]|['"`]$/g, "");
+        if (roleText === "system")
+            return "system_prompt";
+        // User input in user/assistant role is expected — not a prompt injection vector
+        if (roleText === "user" || roleText === "assistant")
+            return null;
+    }
+    return "prompt_construction";
+}
+/**
+ * Detect LLM API prompt sinks — comprehensive coverage of all major LLM SDKs.
+ *
+ * Covers:
+ * 1. OpenAI: openai.chat.completions.create({ messages: [...] })
+ * 2. Anthropic: anthropic.messages.create({ system: ..., messages: [...] })
+ * 3. Vercel AI SDK: generateText({ prompt, system, messages })
+ * 4. LangChain: new SystemMessage(...), new HumanMessage(...), chain.invoke(...)
+ * 5. Google AI: model.generateContent(...)
+ * 6. Generic: model.chat(...), model.generate(...)
+ * 7. messages.push({ role, content }) — existing pattern
+ */
+function detectLLMSinks(node, imports) {
+    const results = [];
+    // --- Pattern 7: messages.push({ role, content }) ---
+    if (node.type === "call_expression") {
+        const fn = node.childForFieldName("function");
+        if (fn?.type === "member_expression") {
+            const prop = fn.childForFieldName("property");
+            const obj = fn.childForFieldName("object");
+            if (prop?.text === "push" &&
+                obj &&
+                (/message/i.test(obj.text) ||
+                    /msgs?$/i.test(obj.text) ||
+                    /prompt/i.test(obj.text))) {
+                const args = (0, call_analysis_1.getCallArguments)(node);
+                if (args.length > 0 && args[0].type === "object") {
+                    const sinkType = classifyMessageObject(args[0]);
+                    if (sinkType) {
+                        results.push({ node, sinkType });
+                    }
+                }
+            }
+        }
+    }
+    // --- Pattern 4: LangChain new SystemMessage(...) / new HumanMessage(...) ---
+    if (node.type === "new_expression") {
+        const ctor = node.childForFieldName("constructor");
+        if (ctor?.type === "identifier" && ctor.text in llm_registry_1.LANGCHAIN_MESSAGE_CLASSES) {
+            const args = (0, call_analysis_1.getCallArguments)(node);
+            if (args.length > 0 && !(0, scope_analysis_1.isConstant)(args[0])) {
+                results.push({
+                    node,
+                    sinkType: llm_registry_1.LANGCHAIN_MESSAGE_CLASSES[ctor.text],
+                });
+            }
+        }
+        return results;
+    }
+    if (node.type !== "call_expression")
+        return results;
+    const target = (0, call_analysis_1.resolveCallTarget)(node);
+    if (!target)
+        return results;
+    const args = (0, call_analysis_1.getCallArguments)(node);
+    if (args.length === 0)
+        return results;
+    // --- Pattern 3: Vercel AI SDK direct calls ---
+    // generateText({ prompt, system, messages }), streamText(...), generateObject(...)
+    if (target.type === "direct" &&
+        /^(generateText|streamText|generateObject|streamObject)$/.test(target.name)) {
+        const binding = imports.get(target.name);
+        const isVercelSDK = binding &&
+            (/^ai$/.test(binding.module) || /^@ai-sdk\//.test(binding.module));
+        // Even without import tracking, these names are strong enough
+        if (isVercelSDK || !binding) {
+            if (args[0].type === "object") {
+                results.push(...detectMessageArgSinks(args[0], node));
+            }
+            else if (!(0, scope_analysis_1.isConstant)(args[0])) {
+                results.push({ node, sinkType: "prompt_construction" });
+            }
+        }
+        return results;
+    }
+    // --- Member call patterns (1, 2, 5, 6) ---
+    if (target.type !== "member" || !target.object)
+        return results;
+    const isLLM = (0, llm_registry_1.isLLMClient)(target.object, imports);
+    // --- Pattern 1: OpenAI completions.create ---
+    // openai.chat.completions.create({ messages: [...] })
+    if (target.name === "create" && /completions$/.test(target.object) && isLLM) {
+        if (args[0].type === "object") {
+            results.push(...detectMessageArgSinks(args[0], node));
+        }
+        return results;
+    }
+    // --- Pattern 2: Anthropic messages.create ---
+    // anthropic.messages.create({ system: ..., messages: [...] })
+    if (target.name === "create" && /messages$/.test(target.object) && isLLM) {
+        if (args[0].type === "object") {
+            results.push(...detectMessageArgSinks(args[0], node));
+        }
+        return results;
+    }
+    // --- Pattern 5: Google AI generateContent ---
+    if (target.name === "generateContent" && isLLM) {
+        if (args[0].type === "object") {
+            results.push(...detectMessageArgSinks(args[0], node));
+        }
+        else if (!(0, scope_analysis_1.isConstant)(args[0])) {
+            results.push({ node, sinkType: "prompt_construction" });
+        }
+        return results;
+    }
+    // --- Pattern 6: Generic .chat() / .generate() / .invoke() on LLM client ---
+    if (/^(chat|generate|invoke|complete)$/.test(target.name) && isLLM) {
+        if (args[0].type === "object") {
+            results.push(...detectMessageArgSinks(args[0], node));
+        }
+        else if (!(0, scope_analysis_1.isConstant)(args[0])) {
+            results.push({ node, sinkType: "prompt_construction" });
+        }
+        return results;
+    }
+    return results;
+}
+// ============================================================================
+// Main Classifier
+// ============================================================================
+/**
+ * Classify all taint sinks in a parsed AST.
+ *
+ * Walks the AST looking for:
+ * 1. Dangerous function calls (eval, exec, query, fetch, etc.)
+ * 2. Dangerous property assignments (innerHTML)
+ * 3. Prompt construction patterns (messages.push with dynamic content)
+ */
+function classifySinks(ast, imports, aliases) {
+    // Route to Python-specific classifier
+    if (ast.language === "python") {
+        return classifyPythonSinks(ast, imports);
+    }
+    const sinks = [];
+    const seen = new Set();
+    const root = ast.tree.rootNode;
+    if (!imports)
+        imports = (0, helpers_1.collectImportBindings)(root);
+    if (!aliases)
+        aliases = (0, scope_analysis_1.collectVariableAliases)(root);
+    (0, ast_1.walkAST)(root, (node) => {
+        // --- Call expression sinks ---
+        if (node.type === "call_expression" || node.type === "new_expression") {
+            const detection = detectCallSinks(node, aliases, imports);
+            if (detection) {
+                const key = `${detection.node.startPosition.row}:${detection.node.startPosition.column}:${detection.sinkType}`;
+                if (!seen.has(key)) {
+                    seen.add(key);
+                    const sink = {
+                        node: detection.node,
+                        line: detection.node.startPosition.row + 1,
+                        expression: detection.node.text.slice(0, 200), // truncate long expressions
+                        sinkType: detection.sinkType,
+                        vulnerableToKinds: new Set(SINK_KIND_MAP[detection.sinkType]),
+                    };
+                    if (detection.relevantArgNodes) {
+                        sink.relevantArgNodes = detection.relevantArgNodes;
+                    }
+                    sinks.push(sink);
+                }
+            }
+            // Check for LLM prompt sinks
+            const llmSinks = detectLLMSinks(node, imports);
+            for (const llmSink of llmSinks) {
+                const key = `${llmSink.node.startPosition.row}:${llmSink.node.startPosition.column}:${llmSink.sinkType}`;
+                if (!seen.has(key)) {
+                    seen.add(key);
+                    sinks.push({
+                        node: llmSink.node,
+                        line: llmSink.node.startPosition.row + 1,
+                        expression: llmSink.node.text.slice(0, 200),
+                        sinkType: llmSink.sinkType,
+                        vulnerableToKinds: new Set(SINK_KIND_MAP[llmSink.sinkType]),
+                    });
+                }
+            }
+        }
+        // --- Property assignment sinks ---
+        if (node.type === "assignment_expression") {
+            const left = node.childForFieldName("left");
+            if (left?.type === "member_expression") {
+                const prop = left.childForFieldName("property");
+                if (prop && (prop.text === "innerHTML" || prop.text === "outerHTML")) {
+                    const right = node.childForFieldName("right");
+                    if (right && !(0, scope_analysis_1.isConstant)(right)) {
+                        const key = `${node.startPosition.row}:${node.startPosition.column}:inner_html`;
+                        if (!seen.has(key)) {
+                            seen.add(key);
+                            sinks.push({
+                                node,
+                                line: node.startPosition.row + 1,
+                                expression: node.text.slice(0, 200),
+                                sinkType: "inner_html",
+                                vulnerableToKinds: new Set(SINK_KIND_MAP.inner_html),
+                            });
+                        }
+                    }
+                }
+            }
+        }
+        // --- JSX dangerouslySetInnerHTML ---
+        if (node.type === "jsx_attribute") {
+            // In tree-sitter TSX, attribute name is a property_identifier child (not a named field)
+            const attrName = node.namedChildren.find((c) => c.type === "property_identifier" || c.type === "jsx_identifier");
+            if (attrName?.text === "dangerouslySetInnerHTML") {
+                const key = `${node.startPosition.row}:${node.startPosition.column}:inner_html`;
+                if (!seen.has(key)) {
+                    seen.add(key);
+                    sinks.push({
+                        node,
+                        line: node.startPosition.row + 1,
+                        expression: node.text.slice(0, 200),
+                        sinkType: "inner_html",
+                        vulnerableToKinds: new Set(SINK_KIND_MAP.inner_html),
+                    });
+                }
+            }
+        }
+        // --- Dynamic import() ---
+        if (node.type === "call_expression") {
+            const fn = node.childForFieldName("function");
+            if (fn?.type === "import") {
+                const args = (0, call_analysis_1.getCallArguments)(node);
+                if (hasDynamicArg(args)) {
+                    const key = `${node.startPosition.row}:${node.startPosition.column}:dynamic_import`;
+                    if (!seen.has(key)) {
+                        seen.add(key);
+                        sinks.push({
+                            node,
+                            line: node.startPosition.row + 1,
+                            expression: node.text.slice(0, 200),
+                            sinkType: "dynamic_import",
+                            vulnerableToKinds: new Set(SINK_KIND_MAP.dynamic_import),
+                        });
+                    }
+                }
+            }
+        }
+        return false;
+    });
+    return sinks;
+}
+// ============================================================================
+// Python Sink Classifier
+// ============================================================================
+/** Python DB client module patterns */
+const PY_DB_CLIENT_MODULES = [
+    /^psycopg2?$/,
+    /^sqlite3$/,
+    /^mysql\.connector$/,
+    /^pymysql$/,
+    /^cx_Oracle$/,
+    /^pyodbc$/,
+    /^sqlalchemy$/,
+    /^django\.db/,
+];
+const PY_DB_CLIENT_NAMES = /^(cursor|conn|connection|db|engine|session)$/i;
+/** Python HTTP client module patterns */
+const PY_HTTP_CLIENT_MODULES = [
+    /^requests$/,
+    /^httpx$/,
+    /^urllib/,
+    /^aiohttp$/,
+];
+function isPyDbClient(objText, imports) {
+    if (PY_DB_CLIENT_NAMES.test(objText))
+        return true;
+    const parts = objText.split(".");
+    for (const part of parts) {
+        if (PY_DB_CLIENT_NAMES.test(part))
+            return true;
+    }
+    const rootObj = parts[0];
+    const binding = imports.get(rootObj);
+    if (binding) {
+        return PY_DB_CLIENT_MODULES.some((p) => p.test(binding.module));
+    }
+    return false;
+}
+function isPyHttpClient(objText, imports, httpClientVars) {
+    if (httpClientVars?.has(objText))
+        return true;
+    const binding = imports.get(objText);
+    if (binding) {
+        return PY_HTTP_CLIENT_MODULES.some((p) => p.test(binding.module));
+    }
+    return /^(requests|httpx|urllib|aiohttp|session|http_client)$/i.test(objText);
+}
+/** Collect variables assigned from HTTP client constructors (e.g. client = httpx.Client()) */
+function collectPyHttpClientVars(root, imports) {
+    const clientVars = new Set();
+    (0, ast_1.walkAST)(root, (node) => {
+        if (node.type === "assignment") {
+            const left = node.childForFieldName("left");
+            const right = node.childForFieldName("right");
+            if (left?.type === "identifier" && right?.type === "call") {
+                const fn = right.childForFieldName("function");
+                if (fn?.type === "attribute") {
+                    const obj = fn.childForFieldName("object");
+                    const attr = fn.childForFieldName("attribute");
+                    if (obj &&
+                        attr &&
+                        /^(Client|Session|ClientSession|AsyncClient)$/i.test(attr.text)) {
+                        const objText = obj.text;
+                        if (/^(requests|httpx|urllib|aiohttp)$/i.test(objText)) {
+                            clientVars.add(left.text);
+                        }
+                        else {
+                            const binding = imports.get(objText);
+                            if (binding &&
+                                PY_HTTP_CLIENT_MODULES.some((p) => p.test(binding.module))) {
+                                clientVars.add(left.text);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        return false;
+    });
+    return clientVars;
+}
+/** Check if a Python AST node is a constant (string literal, number, etc.) */
+function isPyConstant(node) {
+    if (node.type === "string" && !(0, python_helpers_1.isPythonFString)(node))
+        return true;
+    if (node.type === "integer" || node.type === "float" || node.type === "none")
+        return true;
+    if (node.type === "true" || node.type === "false")
+        return true;
+    if (node.type === "concatenated_string") {
+        return node.namedChildren.every((c) => c.type === "string" && !(0, python_helpers_1.isPythonFString)(c));
+    }
+    return false;
+}
+/** Check if a Python call has a parameterized query (2nd arg is tuple/list) */
+function isPyParameterizedQuery(args) {
+    if (args.length < 2)
+        return false;
+    const firstArg = args[0];
+    // First arg must be a static string with placeholders
+    if (!isPyConstant(firstArg))
+        return false;
+    const text = firstArg.text;
+    if (!/(%s|%d|\?|:\w+)/.test(text))
+        return false;
+    // Second arg is tuple or list (bind params)
+    const secondArg = args[1];
+    return secondArg?.type === "tuple" || secondArg?.type === "list";
+}
+/**
+ * Walk a Python `messages=` argument (list of message dicts) and classify each.
+ */
+function walkPythonMessagesArg(messagesNode, callNode) {
+    const results = [];
+    if (messagesNode.type === "list") {
+        for (const elem of messagesNode.namedChildren) {
+            if (elem.type === "dictionary") {
+                const sinkType = (0, python_helpers_1.classifyPythonMessageDict)(elem);
+                if (sinkType)
+                    results.push({ node: callNode, sinkType });
+            }
+        }
+    }
+    else if (!isPyConstant(messagesNode)) {
+        // Dynamic variable passed as messages — conservative prompt_construction
+        results.push({ node: callNode, sinkType: "prompt_construction" });
+    }
+    return results;
+}
+/**
+ * Detect Python LLM prompt sinks — comprehensive coverage of all major Python LLM SDKs.
+ *
+ * Covers:
+ * P1: OpenAI — client.chat.completions.create(messages=[...])
+ * P2: Anthropic — client.messages.create(system=..., messages=[...])
+ * P3: LangChain message classes — SystemMessage(content=x), HumanMessage(content=x)
+ * P4: Generic LLM methods — llm.invoke(x), chain.run(x), model.predict(x)
+ * P5: messages.append({"role": ..., "content": dynamic})
+ * P6: Google AI — model.generate_content(x) (via P4)
+ * P7: LlamaIndex — query_engine.query(x) (via P4)
+ */
+function detectPythonLLMSinks(node, target, args, imports) {
+    const results = [];
+    // --- P3: LangChain message classes (direct call, not member) ---
+    // SystemMessage(content=text), HumanMessage(content=text)
+    if (target.type === "direct" && target.name in llm_registry_1.LANGCHAIN_MESSAGE_CLASSES) {
+        // Verify import from langchain module (or allow without import for heuristic)
+        const binding = imports.get(target.name);
+        const isLangChain = binding && /^langchain/.test(binding.module);
+        if (isLangChain || !binding) {
+            // Check content= keyword arg
+            const contentArg = (0, python_helpers_1.getPythonKeywordArgument)(node, "content");
+            if (contentArg && !isPyConstant(contentArg)) {
+                results.push({
+                    node,
+                    sinkType: llm_registry_1.LANGCHAIN_MESSAGE_CLASSES[target.name],
+                });
+                return results;
+            }
+            // Check first positional arg
+            if (args.length > 0 && !isPyConstant(args[0])) {
+                results.push({
+                    node,
+                    sinkType: llm_registry_1.LANGCHAIN_MESSAGE_CLASSES[target.name],
+                });
+                return results;
+            }
+        }
+        return results;
+    }
+    // --- P5: messages.append({"role": ..., "content": dynamic}) ---
+    if (target.type === "member" &&
+        target.name === "append" &&
+        target.object &&
+        /messages?|msgs?|prompt/i.test(target.object)) {
+        if (args.length > 0 && args[0].type === "dictionary") {
+            const sinkType = (0, python_helpers_1.classifyPythonMessageDict)(args[0]);
+            if (sinkType)
+                results.push({ node, sinkType });
+        }
+        return results;
+    }
+    // From here, we only handle member calls on LLM clients
+    if (target.type !== "member" || !target.object)
+        return results;
+    const isLLM = (0, llm_registry_1.isLLMClient)(target.object, imports);
+    if (!isLLM)
+        return results;
+    // --- P1: OpenAI — client.chat.completions.create(messages=[...]) ---
+    if (target.name === "create" && /completions$/.test(target.object)) {
+        const messagesArg = (0, python_helpers_1.getPythonKeywordArgument)(node, "messages");
+        if (messagesArg) {
+            results.push(...walkPythonMessagesArg(messagesArg, node));
+        }
+        return results;
+    }
+    // --- P2: Anthropic — client.messages.create(system=..., messages=[...]) ---
+    if (target.name === "create" && /messages$/.test(target.object)) {
+        // Check system= keyword arg
+        const systemArg = (0, python_helpers_1.getPythonKeywordArgument)(node, "system");
+        if (systemArg && !isPyConstant(systemArg)) {
+            results.push({ node, sinkType: "system_prompt" });
+        }
+        // Walk messages= keyword arg
+        const messagesArg = (0, python_helpers_1.getPythonKeywordArgument)(node, "messages");
+        if (messagesArg) {
+            results.push(...walkPythonMessagesArg(messagesArg, node));
+        }
+        return results;
+    }
+    // --- P4/P6/P7: Generic LLM methods ---
+    // invoke, predict, run, chat, generate, complete, query, completion, send_message, generate_content
+    if (/^(invoke|predict|run|chat|generate|complete|query|completion|send_message|generate_content)$/.test(target.name)) {
+        // Check known keyword args first
+        for (const kwName of ["input", "prompt", "query", "messages"]) {
+            const kwArg = (0, python_helpers_1.getPythonKeywordArgument)(node, kwName);
+            if (kwArg && !isPyConstant(kwArg)) {
+                if (kwName === "messages") {
+                    results.push(...walkPythonMessagesArg(kwArg, node));
+                }
+                else {
+                    results.push({ node, sinkType: "prompt_construction" });
+                }
+                return results;
+            }
+        }
+        // Fall back to first positional arg
+        if (args.length > 0 && !isPyConstant(args[0])) {
+            results.push({ node, sinkType: "prompt_construction" });
+        }
+        return results;
+    }
+    return results;
+}
+function classifyPythonSinks(ast, precomputedImports) {
+    const sinks = [];
+    const seen = new Set();
+    const root = ast.tree.rootNode;
+    const imports = precomputedImports ?? (0, python_helpers_1.collectPythonImportBindings)(root);
+    const httpClientVars = collectPyHttpClientVars(root, imports);
+    (0, ast_1.walkAST)(root, (node) => {
+        if (node.type !== "call")
+            return false;
+        const target = (0, python_helpers_1.resolvePythonCallTarget)(node);
+        if (!target)
+            return false;
+        const args = (0, python_helpers_1.getPythonCallArguments)(node);
+        const key = `${node.startPosition.row}:${node.startPosition.column}`;
+        // --- SQL sinks ---
+        if (target.type === "member" && target.object) {
+            if (/^(execute|executemany)$/.test(target.name) &&
+                isPyDbClient(target.object, imports)) {
+                // Skip parameterized queries
+                if (args.length > 0 &&
+                    !isPyConstant(args[0]) &&
+                    !isPyParameterizedQuery(args)) {
+                    addPySink(sinks, seen, node, "sql_query", key);
+                }
+            }
+            // Django ORM .raw() / .extra()
+            if (/^(raw|extra)$/.test(target.name)) {
+                if (args.length > 0 && !isPyConstant(args[0])) {
+                    addPySink(sinks, seen, node, "sql_query", key);
+                }
+            }
+        }
+        // SQLAlchemy text() wrapping dynamic content
+        if (target.type === "direct" && target.name === "text") {
+            if (args.length > 0 && !isPyConstant(args[0])) {
+                const binding = imports.get("text");
+                if (binding && /^sqlalchemy/.test(binding.module)) {
+                    addPySink(sinks, seen, node, "sql_query", key);
+                }
+            }
+        }
+        // --- Command execution sinks ---
+        if (target.type === "member" && target.object) {
+            // subprocess.run/call/Popen/check_output
+            if (/^subprocess/.test(target.object) &&
+                /^(run|call|Popen|check_output|check_call)$/.test(target.name)) {
+                // subprocess with list first arg + no shell=True is safe
+                const shellKw = (0, python_helpers_1.getPythonKeywordArgument)(node, "shell");
+                const hasShellTrue = shellKw?.type === "true";
+                if (args.length > 0 && args[0].type === "list" && !hasShellTrue) {
+                    // Safe — list args without shell=True, skip
+                }
+                else if (args.length > 0 && !isPyConstant(args[0])) {
+                    addPySink(sinks, seen, node, "command_exec", key);
+                }
+            }
+            // os.system, os.popen, os.exec*
+            if (/^os$/.test(target.object) &&
+                /^(system|popen|exec[lv]?[pe]?)$/.test(target.name)) {
+                if (args.length > 0 && !isPyConstant(args[0])) {
+                    addPySink(sinks, seen, node, "command_exec", key);
+                }
+            }
+        }
+        // --- File / path sinks ---
+        if (target.type === "direct" && target.name === "open") {
+            if (args.length > 0 && !isPyConstant(args[0])) {
+                addPySink(sinks, seen, node, "path_access", key);
+            }
+        }
+        if (target.type === "member" && target.object) {
+            if (/^(shutil|os)$/.test(target.object) &&
+                /^(copy|copy2|move|rmtree|remove|unlink|rename|makedirs)$/.test(target.name)) {
+                if (args.length > 0 && !isPyConstant(args[0])) {
+                    addPySink(sinks, seen, node, "path_access", key);
+                }
+            }
+        }
+        // pathlib.Path(dynamic)
+        if (target.type === "member" &&
+            target.object === "pathlib" &&
+            target.name === "Path") {
+            if (args.length > 0 && !isPyConstant(args[0])) {
+                addPySink(sinks, seen, node, "path_access", key);
+            }
+        }
+        if (target.type === "direct" && target.name === "Path") {
+            const binding = imports.get("Path");
+            if (binding && /^pathlib$/.test(binding.module)) {
+                if (args.length > 0 && !isPyConstant(args[0])) {
+                    addPySink(sinks, seen, node, "path_access", key);
+                }
+            }
+        }
+        // --- Template / XSS sinks ---
+        if (target.type === "direct") {
+            if (target.name === "render_template_string") {
+                if (args.length > 0 && !isPyConstant(args[0])) {
+                    addPySink(sinks, seen, node, "template_render", key);
+                }
+            }
+            if (target.name === "Markup") {
+                if (args.length > 0 && !isPyConstant(args[0])) {
+                    addPySink(sinks, seen, node, "template_render", key);
+                }
+            }
+            if (target.name === "mark_safe") {
+                if (args.length > 0 && !isPyConstant(args[0])) {
+                    addPySink(sinks, seen, node, "template_render", key);
+                }
+            }
+        }
+        // --- SSRF sinks ---
+        if (target.type === "member" && target.object) {
+            if (isPyHttpClient(target.object, imports, httpClientVars) &&
+                /^(get|post|put|delete|patch|request|head|options)$/.test(target.name)) {
+                if (args.length > 0 && !isPyConstant(args[0])) {
+                    addPySink(sinks, seen, node, "http_request", key, [args[0]]);
+                }
+            }
+        }
+        // urllib.request.urlopen
+        if (target.type === "member" && target.object) {
+            if (/urllib.*request/.test(target.object) && target.name === "urlopen") {
+                if (args.length > 0 && !isPyConstant(args[0])) {
+                    addPySink(sinks, seen, node, "http_request", key, [args[0]]);
+                }
+            }
+        }
+        // --- Redirect sinks ---
+        if (target.type === "direct" && target.name === "redirect") {
+            if (args.length > 0 && !isPyConstant(args[0])) {
+                addPySink(sinks, seen, node, "redirect", key, [args[0]]);
+            }
+        }
+        if (target.type === "direct" && target.name === "HttpResponseRedirect") {
+            if (args.length > 0 && !isPyConstant(args[0])) {
+                addPySink(sinks, seen, node, "redirect", key, [args[0]]);
+            }
+        }
+        // --- Eval sinks ---
+        if (target.type === "direct" && /^(eval|exec|compile)$/.test(target.name)) {
+            if (args.length > 0 && !isPyConstant(args[0])) {
+                addPySink(sinks, seen, node, "eval", key);
+            }
+        }
+        // --- Prompt / LLM sinks (comprehensive) ---
+        const llmSinks = detectPythonLLMSinks(node, target, args, imports);
+        for (const llmSink of llmSinks) {
+            addPySink(sinks, seen, llmSink.node, llmSink.sinkType, key);
+        }
+        return false;
+    });
+    return sinks;
+}
+function addPySink(sinks, seen, node, sinkType, key, relevantArgNodes) {
+    const fullKey = `${key}:${sinkType}`;
+    if (seen.has(fullKey))
+        return;
+    seen.add(fullKey);
+    const sink = {
+        node,
+        line: node.startPosition.row + 1,
+        expression: node.text.slice(0, 200),
+        sinkType,
+        vulnerableToKinds: new Set(SINK_KIND_MAP[sinkType]),
+    };
+    if (relevantArgNodes) {
+        sink.relevantArgNodes = relevantArgNodes;
+    }
+    sinks.push(sink);
+}
+//# sourceMappingURL=sink-classifier.js.map