@oculum/scanner 1.0.14 → 1.0.15

package/src/__tests__/taint/cross-file-propagation.test.ts

@@ -0,0 +1,910 @@
+/**
+ * Tests for Cross-File Taint Propagation (Phase 3, Part 2)
+ *
+ * Verifies that taint flows across file boundaries through imported function
+ * calls. Uses the full taint engine with CallResolutionContext to test
+ * inter-procedural analysis.
+ *
+ * Multi-file test fixtures: each test creates 2-3 inline files, builds the
+ * cross-file index, and runs taint analysis with cross-file context.
+ */
+
+import type { ScanFile } from '../../shared/types'
+import { parseFiles, clearASTCache } from '../../parse/ast'
+import { buildModuleGraph } from '../../model/module-graph'
+import { buildCrossFileIndex } from '../../taint/cross-file-index'
+import { analyzeTaintsForFile } from '../../taint/taint-analyzer'
+import { analyzeTaintsForProject } from '../../taint/cross-file-analyzer'
+import type { TaintFinding, CallResolutionContext } from '../../taint/propagation-types'
+import type { TaintKind } from '../../taint/types'
+
+// ============================================================================
+// Helpers
+// ============================================================================
+
+let testCounter = 0
+
+function makeFile(path: string, content: string): ScanFile {
+  return {
+    path,
+    content,
+    language: path.endsWith('.js') ? 'javascript' : 'typescript',
+    size: content.length,
+  }
+}
+
+function analyzeProject(files: ScanFile[]): TaintFinding[] {
+  const asts = parseFiles(files.map(f => ({ path: f.path, content: f.content })))
+  const moduleGraph = buildModuleGraph(files)
+  return analyzeTaintsForProject(files, asts, moduleGraph)
+}
+
+function analyzeWithContext(files: ScanFile[], targetFile: string): TaintFinding[] {
+  const asts = parseFiles(files.map(f => ({ path: f.path, content: f.content })))
+  const moduleGraph = buildModuleGraph(files)
+  const crossFileIndex = buildCrossFileIndex(files, asts, moduleGraph)
+
+  const callContext: CallResolutionContext = {
+    crossFileIndex,
+    allASTs: asts,
+    callStack: new Set(),
+    maxDepth: 5,
+    resultCache: new Map(),
+  }
+
+  const ast = asts.get(targetFile)
+  if (!ast) return []
+  return analyzeTaintsForFile(ast, targetFile, callContext)
+}
+
+beforeEach(() => {
+  clearASTCache()
+  testCounter++
+})
+
+// ============================================================================
+// Simple Cross-File Taint Flow
+// ============================================================================
+
+describe('Cross-File Propagation: Basic flow', () => {
+  it('detects taint flowing through an imported function to a sink in callee', () => {
+    // Source in routes.ts, sink in db.ts (via imported function)
+    const files = [
+      makeFile('src/routes.ts', `
+        import { query } from './db'
+        function handler(req, res) {
+          const input = req.body
+          query(input)
+        }
+      `),
+      makeFile('src/db.ts', `
+        export function query(sql) {
+          db.execute(sql)
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+
+    // The taint should flow: req.body → input → query(input) → db.execute(sql)
+    // Finding should be in the callee (db.ts) where the sink is
+    const sqlFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+    expect(sqlFindings.length).toBeGreaterThanOrEqual(1)
+  })
+
+  it('detects taint via return value from imported function', () => {
+    // Callee returns tainted data, caller uses it in a sink
+    const files = [
+      makeFile('src/handler.ts', `
+        import { formatInput } from './input'
+        function process(req, res) {
+          const input = req.body
+          const data = formatInput(input)
+          db.query(data)
+        }
+      `),
+      makeFile('src/input.ts', `
+        export function formatInput(data) {
+          return data + ' extra'
+        }
+      `),
+    ]
+
+    const findings = analyzeWithContext(files, 'src/handler.ts')
+
+    // The callee returns tainted data (propagates through), and the caller uses it in db.query()
+    const sqlFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+    expect(sqlFindings.length).toBeGreaterThanOrEqual(1)
+  })
+
+  it('detects taint in two-hop chain: A → B → C', () => {
+    const files = [
+      makeFile('src/route.ts', `
+        import { processInput } from './service'
+        function handler(req, res) {
+          const userInput = req.body
+          processInput(userInput)
+        }
+      `),
+      makeFile('src/service.ts', `
+        import { runQuery } from './db'
+        export function processInput(data) {
+          const formatted = data
+          runQuery(formatted)
+        }
+      `),
+      makeFile('src/db.ts', `
+        export function runQuery(sql) {
+          db.execute(sql)
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+
+    // Source (req.body) → processInput → runQuery → db.execute
+    const sqlFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+    expect(sqlFindings.length).toBeGreaterThanOrEqual(1)
+  })
+
+  it('detects taint in intra-file inter-procedural flow', () => {
+    // Both functions in same file — tests local function resolution
+    // Uses analyzeProject because callee findings (from handleLogin) are
+    // stored in the result cache, and only the project orchestrator collects them.
+    const files = [
+      makeFile('src/login.ts', `
+        function handleLogin(credentials) {
+          db.query(credentials)
+        }
+        function login(req, res) {
+          const creds = req.body
+          handleLogin(creds)
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+
+    const sqlFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+    expect(sqlFindings.length).toBeGreaterThanOrEqual(1)
+  })
+})
+
+// ============================================================================
+// Sanitization in Cross-File Flow
+// ============================================================================
+
+describe('Cross-File Propagation: Sanitization', () => {
+  it('no finding when callee sanitizes before sink', () => {
+    const files = [
+      makeFile('src/routes.ts', `
+        import { safeQuery } from './db'
+        function handler(req, res) {
+          const input = req.body
+          safeQuery(input)
+        }
+      `),
+      makeFile('src/db.ts', `
+        import sqlstring from 'sqlstring'
+        export function safeQuery(data) {
+          const safe = sqlstring.escape(data)
+          db.execute(safe)
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+
+    // The callee sanitizes the input — should have no SQL finding
+    const sqlFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+    expect(sqlFindings.length).toBe(0)
+  })
+
+  it('no finding when caller sanitizes before passing to callee', () => {
+    const files = [
+      makeFile('src/routes.ts', `
+        import { query } from './db'
+        import sqlstring from 'sqlstring'
+        function handler(req, res) {
+          const input = req.body
+          const safe = sqlstring.escape(input)
+          query(safe)
+        }
+      `),
+      makeFile('src/db.ts', `
+        export function query(sql) {
+          db.execute(sql)
+        }
+      `),
+    ]
+
+    const findings = analyzeWithContext(files, 'src/routes.ts')
+
+    // Caller sanitizes before calling — no taint should reach the callee sink
+    const sqlFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+    expect(sqlFindings.length).toBe(0)
+  })
+
+  it('finding when sanitizer clears wrong kind (XSS sanitizer, SQL sink)', () => {
+    const files = [
+      makeFile('src/routes.ts', `
+        import { query } from './db'
+        import DOMPurify from 'dompurify'
+        function handler(req, res) {
+          const input = req.body
+          const sanitized = DOMPurify.sanitize(input)
+          query(sanitized)
+        }
+      `),
+      makeFile('src/db.ts', `
+        export function query(sql) {
+          db.execute(sql)
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+
+    // DOMPurify only clears XSS, but the sink is SQL — taint should survive
+    const sqlFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+    expect(sqlFindings.length).toBeGreaterThanOrEqual(1)
+  })
+})
+
+// ============================================================================
+// Multiple Parameters
+// ============================================================================
+
+describe('Cross-File Propagation: Parameter mapping', () => {
+  it('only tainted parameter flows to sink', () => {
+    const files = [
+      makeFile('src/handler.ts', `
+        import { insertUser } from './db'
+        function register(req, res) {
+          const name = req.body.name
+          const id = 42
+          insertUser(id, name)
+        }
+      `),
+      makeFile('src/db.ts', `
+        export function insertUser(id, name) {
+          db.query("INSERT INTO users VALUES (" + id + ", " + name + ")")
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+
+    // name is tainted (from req.body), id is not
+    // The sink uses both — but taint comes from name
+    const sqlFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+    expect(sqlFindings.length).toBeGreaterThanOrEqual(1)
+  })
+
+  it('no finding when untainted param is used in sink', () => {
+    const files = [
+      makeFile('src/handler.ts', `
+        import { logAndQuery } from './db'
+        function handler(req, res) {
+          const input = req.body
+          const safeId = 'SELECT 1'
+          logAndQuery(input, safeId)
+        }
+      `),
+      makeFile('src/db.ts', `
+        export function logAndQuery(logData, sql) {
+          console.log(logData)
+          db.execute(sql)
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+
+    // logData is tainted but goes to console.log (not a sink)
+    // sql is NOT tainted (static string) and goes to db.execute
+    // Should have no SQL finding
+    const sqlFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+    expect(sqlFindings.length).toBe(0)
+  })
+})
+
+// ============================================================================
+// Recursion Guard and Depth Limit
+// ============================================================================
+
+describe('Cross-File Propagation: Recursion and depth', () => {
+  it('handles recursive calls without infinite loop', () => {
+    const files = [
+      makeFile('src/a.ts', `
+        import { processB } from './b'
+        export function processA(data) {
+          return processB(data)
+        }
+        function handler(req, res) {
+          const input = req.body
+          processA(input)
+        }
+      `),
+      makeFile('src/b.ts', `
+        import { processA } from './a'
+        export function processB(data) {
+          return processA(data)
+        }
+      `),
+    ]
+
+    // This should complete without hanging — recursion guard cuts the cycle
+    const findings = analyzeProject(files)
+    // Just verify it doesn't hang or throw
+    expect(Array.isArray(findings)).toBe(true)
+  })
+
+  it('respects maxDepth limit', () => {
+    // Create a chain of 7 hops — should stop at depth 5
+    const files = [
+      makeFile('src/entry.ts', `
+        import { fn1 } from './hop1'
+        function handler(req, res) {
+          const input = req.body
+          fn1(input)
+        }
+      `),
+      makeFile('src/hop1.ts', `
+        import { fn2 } from './hop2'
+        export function fn1(data) { fn2(data) }
+      `),
+      makeFile('src/hop2.ts', `
+        import { fn3 } from './hop3'
+        export function fn2(data) { fn3(data) }
+      `),
+      makeFile('src/hop3.ts', `
+        import { fn4 } from './hop4'
+        export function fn3(data) { fn4(data) }
+      `),
+      makeFile('src/hop4.ts', `
+        import { fn5 } from './hop5'
+        export function fn4(data) { fn5(data) }
+      `),
+      makeFile('src/hop5.ts', `
+        import { fn6 } from './hop6'
+        export function fn5(data) { fn6(data) }
+      `),
+      makeFile('src/hop6.ts', `
+        import { fn7 } from './hop7'
+        export function fn6(data) { fn7(data) }
+      `),
+      makeFile('src/hop7.ts', `
+        export function fn7(data) {
+          db.execute(data)
+        }
+      `),
+    ]
+
+    // Should complete without error — maxDepth=5 prevents following all 7 hops
+    const findings = analyzeProject(files)
+    expect(Array.isArray(findings)).toBe(true)
+  })
+})
+
+// ============================================================================
+// Import Styles
+// ============================================================================
+
+describe('Cross-File Propagation: Import styles', () => {
+  it('resolves default import function call', () => {
+    const files = [
+      makeFile('src/handler.ts', `
+        import runQuery from './db'
+        function handler(req, res) {
+          const sql = req.body.query
+          runQuery(sql)
+        }
+      `),
+      makeFile('src/db.ts', `
+        export default function runQuery(sql) {
+          db.execute(sql)
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+
+    const sqlFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+    expect(sqlFindings.length).toBeGreaterThanOrEqual(1)
+  })
+
+  it('resolves through barrel file re-export', () => {
+    const files = [
+      makeFile('src/handler.ts', `
+        import { query } from './db'
+        function handler(req, res) {
+          const input = req.body
+          query(input)
+        }
+      `),
+      makeFile('src/db/index.ts', `
+        export { query } from './queries'
+      `),
+      makeFile('src/db/queries.ts', `
+        export function query(sql) {
+          pool.execute(sql)
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+
+    const sqlFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+    expect(sqlFindings.length).toBeGreaterThanOrEqual(1)
+  })
+})
+
+// ============================================================================
+// Multiple Taint Kinds
+// ============================================================================
+
+describe('Cross-File Propagation: Multiple taint kinds', () => {
+  it('tracks multiple taint kinds through cross-file call', () => {
+    // req.body carries sql+xss+command taint
+    // The callee has both a SQL sink and an eval sink
+    const files = [
+      makeFile('src/handler.ts', `
+        import { processData } from './processor'
+        function handler(req, res) {
+          const input = req.body
+          processData(input)
+        }
+      `),
+      makeFile('src/processor.ts', `
+        export function processData(data) {
+          eval(data)
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+
+    // Should find at least one finding with command kind (eval sink)
+    const commandFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('command')
+    )
+    expect(commandFindings.length).toBeGreaterThanOrEqual(1)
+  })
+
+  it('tracks XSS through cross-file innerHTML sink', () => {
+    const files = [
+      makeFile('src/handler.ts', `
+        import { render } from './renderer'
+        function handler(req, res) {
+          const content = req.body.html
+          render(content)
+        }
+      `),
+      makeFile('src/renderer.ts', `
+        export function render(html) {
+          document.getElementById('output').innerHTML = html
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+
+    const xssFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('xss')
+    )
+    expect(xssFindings.length).toBeGreaterThanOrEqual(1)
+  })
+})
+
+// ============================================================================
+// Negative Cases
+// ============================================================================
+
+describe('Cross-File Propagation: Negative cases', () => {
+  it('no finding when no source exists', () => {
+    const files = [
+      makeFile('src/handler.ts', `
+        import { query } from './db'
+        function handler() {
+          const data = 'static string'
+          query(data)
+        }
+      `),
+      makeFile('src/db.ts', `
+        export function query(sql) {
+          db.execute(sql)
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+    const sqlFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+    expect(sqlFindings.length).toBe(0)
+  })
+
+  it('no finding when callee has parameterized query', () => {
+    const files = [
+      makeFile('src/handler.ts', `
+        import { findUser } from './db'
+        function handler(req, res) {
+          const id = req.params.id
+          findUser(id)
+        }
+      `),
+      makeFile('src/db.ts', `
+        export function findUser(id) {
+          db.query('SELECT * FROM users WHERE id = $1', [id])
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+
+    // Parameterized query should be excluded by sink classifier
+    const sqlFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+    expect(sqlFindings.length).toBe(0)
+  })
+
+  it('no finding when source is in test file', () => {
+    const files = [
+      makeFile('src/__tests__/handler.test.ts', `
+        import { query } from '../db'
+        function handler(req, res) {
+          const input = req.body
+          query(input)
+        }
+      `),
+      makeFile('src/db.ts', `
+        export function query(sql) {
+          db.execute(sql)
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+    // Test files should be skipped by the project analyzer
+    expect(findings.length).toBe(0)
+  })
+})
+
+// ============================================================================
+// Path Recording
+// ============================================================================
+
+describe('Cross-File Propagation: Path recording', () => {
+  it('includes call_entry and call_return steps in path', () => {
+    const files = [
+      makeFile('src/handler.ts', `
+        import { query } from './db'
+        function handler(req, res) {
+          const input = req.body
+          query(input)
+        }
+      `),
+      makeFile('src/db.ts', `
+        export function query(sql) {
+          db.execute(sql)
+        }
+      `),
+    ]
+
+    const asts = parseFiles(files.map(f => ({ path: f.path, content: f.content })))
+    const moduleGraph = buildModuleGraph(files)
+    const crossFileIndex = buildCrossFileIndex(files, asts, moduleGraph)
+
+    const callContext: CallResolutionContext = {
+      crossFileIndex,
+      allASTs: asts,
+      callStack: new Set(),
+      maxDepth: 5,
+      resultCache: new Map(),
+    }
+
+    const ast = asts.get('src/handler.ts')
+    if (!ast) throw new Error('AST not found')
+    const findings = analyzeTaintsForFile(ast, 'src/handler.ts', callContext)
+
+    // Also check callee findings from cache
+    const allFindings = [...findings]
+    for (const result of callContext.resultCache.values()) {
+      if (result && result.calleeFindings.length > 0) {
+        allFindings.push(...result.calleeFindings)
+      }
+    }
+
+    // Filter SQL findings
+    const sqlFindings = allFindings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+
+    if (sqlFindings.length > 0) {
+      // Check that cache was populated with cross-file results
+      expect(callContext.resultCache.size).toBeGreaterThan(0)
+
+      // Check that at least one cached result has call_entry/call_return steps
+      let hasCallSteps = false
+      for (const result of callContext.resultCache.values()) {
+        if (!result) continue
+        for (const step of result.steps) {
+          if (step.stepType === 'call_entry' || step.stepType === 'call_return') {
+            hasCallSteps = true
+            break
+          }
+        }
+      }
+      expect(hasCallSteps).toBe(true)
+    }
+  })
+
+  it('path includes correct file paths for cross-file steps', () => {
+    const files = [
+      makeFile('src/route.ts', `
+        import { execute } from './db'
+        function handler(req, res) {
+          const input = req.body
+          execute(input)
+        }
+      `),
+      makeFile('src/db.ts', `
+        export function execute(sql) {
+          conn.query(sql)
+        }
+      `),
+    ]
+
+    const asts = parseFiles(files.map(f => ({ path: f.path, content: f.content })))
+    const moduleGraph = buildModuleGraph(files)
+    const crossFileIndex = buildCrossFileIndex(files, asts, moduleGraph)
+
+    const callContext: CallResolutionContext = {
+      crossFileIndex,
+      allASTs: asts,
+      callStack: new Set(),
+      maxDepth: 5,
+      resultCache: new Map(),
+    }
+
+    const ast = asts.get('src/route.ts')
+    if (!ast) throw new Error('AST not found')
+    analyzeTaintsForFile(ast, 'src/route.ts', callContext)
+
+    // Verify cached result has correct file path references
+    for (const result of callContext.resultCache.values()) {
+      if (!result) continue
+      for (const step of result.steps) {
+        if (step.stepType === 'call_entry') {
+          expect(step.filePath).toBe('src/db.ts')
+          expect(step.functionName).toBe('execute')
+        }
+        if (step.stepType === 'call_return') {
+          expect(step.filePath).toBe('src/route.ts')
+        }
+      }
+    }
+  })
+})
+
+// ============================================================================
+// Return Value Tracking
+// ============================================================================
+
+describe('Cross-File Propagation: Return value tracking', () => {
+  it('tracks taint through return value used in caller sink', () => {
+    const files = [
+      makeFile('src/handler.ts', `
+        import { formatQuery } from './formatter'
+        function handler(req, res) {
+          const input = req.body
+          const query = formatQuery(input)
+          db.execute(query)
+        }
+      `),
+      makeFile('src/formatter.ts', `
+        export function formatQuery(data) {
+          return "SELECT * FROM users WHERE name = '" + data + "'"
+        }
+      `),
+    ]
+
+    const findings = analyzeWithContext(files, 'src/handler.ts')
+
+    const sqlFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+    expect(sqlFindings.length).toBeGreaterThanOrEqual(1)
+  })
+
+  it('return value taint cleared when callee sanitizes', () => {
+    const files = [
+      makeFile('src/handler.ts', `
+        import { safeFormat } from './formatter'
+        function handler(req, res) {
+          const input = req.body
+          const query = safeFormat(input)
+          db.execute(query)
+        }
+      `),
+      makeFile('src/formatter.ts', `
+        import sqlstring from 'sqlstring'
+        export function safeFormat(data) {
+          return sqlstring.escape(data)
+        }
+      `),
+    ]
+
+    const findings = analyzeWithContext(files, 'src/handler.ts')
+
+    // safeFormat sanitizes the data, so return value should not be SQL-tainted
+    const sqlFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+    expect(sqlFindings.length).toBe(0)
+  })
+})
+
+// ============================================================================
+// Caching Behavior
+// ============================================================================
+
+describe('Cross-File Propagation: Caching', () => {
+  it('caches callee analysis results', () => {
+    const files = [
+      makeFile('src/handler.ts', `
+        import { query } from './db'
+        function handler1(req, res) {
+          const a = req.body
+          query(a)
+        }
+        function handler2(req, res) {
+          const b = req.body
+          query(b)
+        }
+      `),
+      makeFile('src/db.ts', `
+        export function query(sql) {
+          db.execute(sql)
+        }
+      `),
+    ]
+
+    const asts = parseFiles(files.map(f => ({ path: f.path, content: f.content })))
+    const moduleGraph = buildModuleGraph(files)
+    const crossFileIndex = buildCrossFileIndex(files, asts, moduleGraph)
+
+    const callContext: CallResolutionContext = {
+      crossFileIndex,
+      allASTs: asts,
+      callStack: new Set(),
+      maxDepth: 5,
+      resultCache: new Map(),
+    }
+
+    const ast = asts.get('src/handler.ts')
+    if (!ast) throw new Error('AST not found')
+    analyzeTaintsForFile(ast, 'src/handler.ts', callContext)
+
+    // The cache should contain at least one entry for the query function
+    expect(callContext.resultCache.size).toBeGreaterThan(0)
+  })
+})
+
+// ============================================================================
+// SSRF and Other Taint Kinds
+// ============================================================================
+
+describe('Cross-File Propagation: Various sink types', () => {
+  it('detects SSRF through cross-file fetch call', () => {
+    const files = [
+      makeFile('src/handler.ts', `
+        import { proxyRequest } from './proxy'
+        function handler(req, res) {
+          const url = req.query.target
+          proxyRequest(url)
+        }
+      `),
+      makeFile('src/proxy.ts', `
+        export function proxyRequest(url) {
+          fetch(url)
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+
+    const ssrfFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('ssrf')
+    )
+    expect(ssrfFindings.length).toBeGreaterThanOrEqual(1)
+  })
+
+  it('detects command injection through cross-file exec call', () => {
+    const files = [
+      makeFile('src/handler.ts', `
+        import { runCommand } from './executor'
+        function handler(req, res) {
+          const cmd = req.body.command
+          runCommand(cmd)
+        }
+      `),
+      makeFile('src/executor.ts', `
+        import { exec } from 'child_process'
+        export function runCommand(cmd) {
+          exec(cmd)
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+
+    const cmdFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('command')
+    )
+    expect(cmdFindings.length).toBeGreaterThanOrEqual(1)
+  })
+})
+
+// ============================================================================
+// Deduplication
+// ============================================================================
+
+describe('Cross-File Propagation: Deduplication', () => {
+  it('deduplicates same source-sink-kind findings from multiple paths', () => {
+    const files = [
+      makeFile('src/handler.ts', `
+        import { query } from './db'
+        function handler(req, res) {
+          const input = req.body
+          const input2 = req.body
+          query(input)
+          query(input2)
+        }
+      `),
+      makeFile('src/db.ts', `
+        export function query(sql) {
+          db.execute(sql)
+        }
+      `),
+    ]
+
+    const findings = analyzeProject(files)
+
+    // Both calls go to the same callee sink line — should be deduped
+    const sqlFindings = findings.filter(f =>
+      [...f.matchingKinds].includes('sql')
+    )
+    // Dedup key includes source line + sink line, so if source lines differ
+    // we may get 2 findings (which is correct). Just verify no duplicates.
+    const keys = sqlFindings.map(f =>
+      `${f.filePath}:${f.source.line}:${f.sink.line}:${[...f.matchingKinds].sort().join(',')}`
+    )
+    const uniqueKeys = new Set(keys)
+    expect(uniqueKeys.size).toBe(keys.length)
+  })
+})