circle-ir 3.1.0 → 3.2.0

package/dist/browser/circle-ir.js

@@ -10175,15 +10175,16 @@ function findSources(calls, types, patterns) {
       const skipMethods = ["toString", "hashCode", "equals", "compareTo", "getDescription", "getVulnerabilityCount"];
       if (skipMethods.includes(method.name)) continue;
       for (const param of method.parameters) {
-        if (param.type && isInterproceduralTaintableType(param.type)) {
+        const isTaintable = param.type ? isInterproceduralTaintableType(param.type) : true;
+        if (isTaintable) {
           const paramLine = param.line ?? method.start_line;
           sources.push({
             type: "interprocedural_param",
-            location: `${param.type} ${param.name} in ${method.name}`,
+            location: `${param.type || "any"} ${param.name} in ${method.name}`,
             severity: "medium",
             line: paramLine,
-            confidence: 0.7
-            // Lower confidence since we don't know the call site
+            confidence: param.type ? 0.7 : 0.5
+            // Lower confidence for untyped params
           });
         }
       }
@@ -10209,7 +10210,15 @@ function findSources(calls, types, patterns) {
       }
     }
   }
-  return sources;
+  const sourceMap = /* @__PURE__ */ new Map();
+  for (const source of sources) {
+    const key = `${source.line}:${source.type}`;
+    const existing = sourceMap.get(key);
+    if (!existing || source.confidence > existing.confidence) {
+      sourceMap.set(key, source);
+    }
+  }
+  return Array.from(sourceMap.values());
 }
 function isInterproceduralTaintableType(typeName) {
   const baseType = typeName.split("<")[0].trim();
@@ -10292,22 +10301,44 @@ function isInterproceduralTaintableType(typeName) {
   }
   return false;
 }
+function isParameterizedQueryCall(call, pattern) {
+  if (pattern.type !== "sql_injection") return false;
+  if (call.arguments.length < 2) return false;
+  const secondArg = call.arguments.find((a) => a.position === 1);
+  if (!secondArg) return false;
+  if (secondArg.expression) {
+    const expr = secondArg.expression.trim();
+    if (expr.startsWith("[")) {
+      return true;
+    }
+  }
+  return false;
+}
 function findSinks(calls, patterns) {
-  const sinks = [];
+  const sinkMap = /* @__PURE__ */ new Map();
   for (const call of calls) {
     for (const pattern of patterns) {
       if (matchesSinkPattern(call, pattern)) {
-        sinks.push({
-          type: pattern.type,
-          cwe: pattern.cwe,
-          location: formatCallLocation(call),
-          line: call.location.line,
-          confidence: calculateSinkConfidence(call, pattern)
-        });
+        if (isParameterizedQueryCall(call, pattern)) {
+          continue;
+        }
+        const location = formatCallLocation(call);
+        const key = `${location}:${call.location.line}:${pattern.cwe}`;
+        const confidence = calculateSinkConfidence(call, pattern);
+        const existing = sinkMap.get(key);
+        if (!existing || confidence > existing.confidence) {
+          sinkMap.set(key, {
+            type: pattern.type,
+            cwe: pattern.cwe,
+            location,
+            line: call.location.line,
+            confidence
+          });
+        }
       }
     }
   }
-  return sinks;
+  return Array.from(sinkMap.values());
 }
 function matchesSourcePattern(call, pattern) {
   if (pattern.method) {
@@ -14269,16 +14300,36 @@ var JavaScriptPlugin = class extends BaseLanguagePlugin {
         confidence = Math.max(confidence, 0.95);
         indicators.push(`import: ${path}`);
       }
-      if (path === "react" || path.startsWith("react/")) {
+      if (path === "react" || path.startsWith("react/") || path === "react-dom") {
         framework = framework || "react";
         confidence = Math.max(confidence, 0.8);
         indicators.push(`import: ${path}`);
       }
+      if (path === "react-native" || path.startsWith("react-native/") || path.startsWith("@react-native/")) {
+        framework = "react-native";
+        confidence = Math.max(confidence, 0.95);
+        indicators.push(`import: ${path}`);
+      }
+      if (path.startsWith("@react-navigation/")) {
+        framework = framework || "react-native";
+        confidence = Math.max(confidence, 0.9);
+        indicators.push(`import: ${path}`);
+      }
+      if (path === "react-router" || path === "react-router-dom" || path.startsWith("react-router/")) {
+        framework = framework || "react";
+        confidence = Math.max(confidence, 0.85);
+        indicators.push(`import: ${path}`);
+      }
       if (path === "next" || path.startsWith("next/")) {
         framework = "nextjs";
         confidence = Math.max(confidence, 0.9);
         indicators.push(`import: ${path}`);
       }
+      if (path === "expo" || path.startsWith("expo-")) {
+        framework = framework || "react-native";
+        confidence = Math.max(confidence, 0.85);
+        indicators.push(`import: ${path}`);
+      }
     }
     if (framework) {
       return { name: framework, confidence, indicators };
@@ -14390,6 +14441,167 @@ var JavaScriptPlugin = class extends BaseLanguagePlugin {
         severity: "medium",
         confidence: 0.8,
         returnTainted: true
+      },
+      // =========================================================
+      // React Router Sources
+      // =========================================================
+      {
+        method: "useParams",
+        type: "http_path",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "useSearchParams",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "useLocation",
+        type: "url_param",
+        severity: "high",
+        confidence: 0.9,
+        returnTainted: true
+      },
+      // =========================================================
+      // Next.js Sources
+      // =========================================================
+      {
+        method: "useRouter",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.9,
+        returnTainted: true
+        // router.query, router.asPath
+      },
+      {
+        method: "useSearchParams",
+        // Next.js App Router
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "usePathname",
+        type: "http_path",
+        severity: "high",
+        confidence: 0.9,
+        returnTainted: true
+      },
+      {
+        // getServerSideProps/getStaticProps context.params
+        method: "params",
+        type: "http_path",
+        severity: "high",
+        confidence: 0.85,
+        returnTainted: true
+      },
+      // =========================================================
+      // React Native Sources
+      // =========================================================
+      {
+        // React Navigation route params
+        method: "useRoute",
+        type: "navigation_param",
+        severity: "high",
+        confidence: 0.9,
+        returnTainted: true
+      },
+      {
+        // Deep linking
+        method: "getInitialURL",
+        class: "Linking",
+        type: "url_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "addEventListener",
+        class: "Linking",
+        type: "url_param",
+        severity: "high",
+        confidence: 0.9,
+        returnTainted: true
+      },
+      {
+        method: "parse",
+        class: "Linking",
+        type: "url_param",
+        severity: "high",
+        confidence: 0.9,
+        returnTainted: true
+      },
+      {
+        // Clipboard content
+        method: "getString",
+        class: "Clipboard",
+        type: "user_input",
+        severity: "medium",
+        confidence: 0.85,
+        returnTainted: true
+      },
+      {
+        method: "getStringAsync",
+        class: "Clipboard",
+        type: "user_input",
+        severity: "medium",
+        confidence: 0.85,
+        returnTainted: true
+      },
+      {
+        // AsyncStorage (may contain user data)
+        method: "getItem",
+        class: "AsyncStorage",
+        type: "storage_input",
+        severity: "medium",
+        confidence: 0.7,
+        returnTainted: true
+      },
+      {
+        method: "multiGet",
+        class: "AsyncStorage",
+        type: "storage_input",
+        severity: "medium",
+        confidence: 0.7,
+        returnTainted: true
+      },
+      {
+        // SecureStore (Expo)
+        method: "getItemAsync",
+        class: "SecureStore",
+        type: "storage_input",
+        severity: "medium",
+        confidence: 0.7,
+        returnTainted: true
+      },
+      // =========================================================
+      // Browser/DOM Sources (React web apps)
+      // =========================================================
+      {
+        method: "localStorage.getItem",
+        type: "storage_input",
+        severity: "medium",
+        confidence: 0.7,
+        returnTainted: true
+      },
+      {
+        method: "sessionStorage.getItem",
+        type: "storage_input",
+        severity: "medium",
+        confidence: 0.7,
+        returnTainted: true
+      },
+      {
+        method: "postMessage",
+        type: "message_input",
+        severity: "high",
+        confidence: 0.85,
+        returnTainted: true
       }
     ];
   }
@@ -14569,6 +14781,158 @@ var JavaScriptPlugin = class extends BaseLanguagePlugin {
         cwe: "CWE-1321",
         severity: "high",
         argPositions: [0, 1]
+      },
+      // =========================================================
+      // React XSS Sinks
+      // =========================================================
+      {
+        // Most common React XSS vector
+        method: "dangerouslySetInnerHTML",
+        type: "xss",
+        cwe: "CWE-79",
+        severity: "critical",
+        argPositions: [0]
+        // The __html property value
+      },
+      {
+        // Rendering user-controlled href with javascript:
+        method: "href",
+        type: "xss",
+        cwe: "CWE-79",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        // createRef().current.innerHTML
+        method: "current.innerHTML",
+        type: "xss",
+        cwe: "CWE-79",
+        severity: "high",
+        argPositions: [0]
+      },
+      // =========================================================
+      // React Native Sinks
+      // =========================================================
+      {
+        // WebView with user-controlled source
+        method: "source",
+        class: "WebView",
+        type: "xss",
+        cwe: "CWE-79",
+        severity: "critical",
+        argPositions: [0]
+        // { html: userInput } or { uri: userInput }
+      },
+      {
+        // Open arbitrary URLs
+        method: "openURL",
+        class: "Linking",
+        type: "open_redirect",
+        cwe: "CWE-601",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "canOpenURL",
+        class: "Linking",
+        type: "ssrf",
+        cwe: "CWE-918",
+        severity: "medium",
+        argPositions: [0]
+      },
+      {
+        // Expo WebBrowser
+        method: "openBrowserAsync",
+        class: "WebBrowser",
+        type: "open_redirect",
+        cwe: "CWE-601",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "openAuthSessionAsync",
+        class: "WebBrowser",
+        type: "open_redirect",
+        cwe: "CWE-601",
+        severity: "high",
+        argPositions: [0]
+      },
+      // =========================================================
+      // Next.js Sinks
+      // =========================================================
+      {
+        // Server-side redirect
+        method: "redirect",
+        type: "open_redirect",
+        cwe: "CWE-601",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        // Router push with user-controlled URL
+        method: "push",
+        class: "router",
+        type: "open_redirect",
+        cwe: "CWE-601",
+        severity: "medium",
+        argPositions: [0]
+      },
+      {
+        method: "replace",
+        class: "router",
+        type: "open_redirect",
+        cwe: "CWE-601",
+        severity: "medium",
+        argPositions: [0]
+      },
+      // =========================================================
+      // React/General JS Security Sinks
+      // =========================================================
+      {
+        // Dynamic component loading
+        method: "createElement",
+        class: "React",
+        type: "code_injection",
+        cwe: "CWE-94",
+        severity: "high",
+        argPositions: [0]
+        // When first arg is user-controlled string
+      },
+      {
+        // Importing user-controlled modules
+        method: "import",
+        type: "code_injection",
+        cwe: "CWE-94",
+        severity: "critical",
+        argPositions: [0]
+      },
+      {
+        method: "require",
+        type: "code_injection",
+        cwe: "CWE-94",
+        severity: "critical",
+        argPositions: [0]
+      },
+      // =========================================================
+      // Data Exposure Sinks (React Native)
+      // =========================================================
+      {
+        // Logging sensitive data
+        method: "log",
+        class: "console",
+        type: "information_exposure",
+        cwe: "CWE-532",
+        severity: "low",
+        argPositions: [0]
+      },
+      {
+        // Storing sensitive data insecurely
+        method: "setItem",
+        class: "AsyncStorage",
+        type: "insecure_storage",
+        cwe: "CWE-922",
+        severity: "medium",
+        argPositions: [1]
       }
     ];
   }
@@ -15650,6 +16014,113 @@ function findGetterSources(types, instanceFieldTaint, sourceCode) {
   }
   return sources;
 }
+var JS_DOM_XSS_SINKS = [
+  { pattern: /\.innerHTML\s*=/, type: "xss", cwe: "CWE-79", severity: "critical" },
+  { pattern: /\.outerHTML\s*=/, type: "xss", cwe: "CWE-79", severity: "critical" },
+  { pattern: /document\.write\s*\(/, type: "xss", cwe: "CWE-79", severity: "critical" },
+  { pattern: /document\.writeln\s*\(/, type: "xss", cwe: "CWE-79", severity: "critical" },
+  { pattern: /\.insertAdjacentHTML\s*\(/, type: "xss", cwe: "CWE-79", severity: "critical" },
+  { pattern: /\.src\s*=/, type: "xss", cwe: "CWE-79", severity: "high" },
+  { pattern: /\.href\s*=/, type: "xss", cwe: "CWE-79", severity: "high" }
+];
+var JS_TAINTED_PATTERNS = [
+  { pattern: /\breq\.query\b/, type: "http_param" },
+  { pattern: /\breq\.params\b/, type: "http_param" },
+  { pattern: /\breq\.body\b/, type: "http_body" },
+  { pattern: /\breq\.headers\b/, type: "http_header" },
+  { pattern: /\breq\.cookies\b/, type: "http_cookie" },
+  { pattern: /\breq\.url\b/, type: "http_path" },
+  { pattern: /\breq\.path\b/, type: "http_path" },
+  { pattern: /\breq\.originalUrl\b/, type: "http_path" },
+  { pattern: /\breq\.files?\b/, type: "file_input" },
+  { pattern: /\brequest\.query\b/, type: "http_param" },
+  { pattern: /\brequest\.params\b/, type: "http_param" },
+  { pattern: /\brequest\.body\b/, type: "http_body" },
+  { pattern: /\brequest\.headers\b/, type: "http_header" },
+  { pattern: /\bctx\.query\b/, type: "http_param" },
+  { pattern: /\bctx\.params\b/, type: "http_param" },
+  { pattern: /\bctx\.request\b/, type: "http_body" },
+  { pattern: /\bprocess\.env\b/, type: "env_input" },
+  { pattern: /\bprocess\.argv\b/, type: "io_input" },
+  { pattern: /\blocation\.search\b/, type: "http_param" },
+  { pattern: /\blocation\.hash\b/, type: "http_param" },
+  { pattern: /\blocation\.href\b/, type: "http_path" },
+  { pattern: /\bdocument\.getElementById\b/, type: "dom_input" },
+  { pattern: /\bdocument\.querySelector\b/, type: "dom_input" },
+  { pattern: /\.value\b/, type: "dom_input" }
+];
+function findJavaScriptAssignmentSources(sourceCode, language) {
+  const sources = [];
+  if (!["javascript", "typescript"].includes(language)) {
+    return sources;
+  }
+  const lines = sourceCode.split("\n");
+  for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+    const line = lines[lineNum];
+    const lineNumber = lineNum + 1;
+    const assignmentMatch = line.match(/(?:(?:var|let|const)\s+)?(\w+)\s*=\s*(.+)/);
+    if (assignmentMatch) {
+      const varName = assignmentMatch[1];
+      const rhs = assignmentMatch[2];
+      for (const { pattern, type } of JS_TAINTED_PATTERNS) {
+        if (pattern.test(rhs)) {
+          const alreadyExists = sources.some(
+            (s) => s.line === lineNumber && s.type === type
+          );
+          if (!alreadyExists) {
+            sources.push({
+              type,
+              location: `${varName} = ${rhs.trim().substring(0, 50)}${rhs.length > 50 ? "..." : ""}`,
+              severity: "high",
+              line: lineNumber,
+              confidence: 1,
+              variable: varName
+            });
+          }
+          break;
+        }
+      }
+    }
+  }
+  return sources;
+}
+function findJavaScriptDOMSinks(sourceCode, language) {
+  const sinks = [];
+  if (!["javascript", "typescript"].includes(language)) {
+    return sinks;
+  }
+  const lines = sourceCode.split("\n");
+  for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+    const line = lines[lineNum];
+    const lineNumber = lineNum + 1;
+    for (const { pattern, type, cwe, severity } of JS_DOM_XSS_SINKS) {
+      if (pattern.test(line)) {
+        let method = "innerHTML";
+        if (line.includes(".outerHTML")) method = "outerHTML";
+        else if (line.includes("document.write(")) method = "document.write";
+        else if (line.includes("document.writeln(")) method = "document.writeln";
+        else if (line.includes(".insertAdjacentHTML")) method = "insertAdjacentHTML";
+        else if (line.includes(".src")) method = "src";
+        else if (line.includes(".href")) method = "href";
+        const alreadyExists = sinks.some(
+          (s) => s.line === lineNumber && s.cwe === cwe
+        );
+        if (!alreadyExists) {
+          sinks.push({
+            type,
+            cwe,
+            severity,
+            line: lineNumber,
+            location: line.trim().substring(0, 80),
+            method
+          });
+        }
+        break;
+      }
+    }
+  }
+  return sinks;
+}
 var initialized = false;
 async function initAnalyzer(options = {}) {
   if (initialized) return;
@@ -15802,11 +16273,30 @@ async function analyze(code, filePath, language, options = {}) {
   const taint = analyzeTaint(calls, types, baseConfig);
   const getterSources = findGetterSources(types, constPropResult.instanceFieldTaint, code);
   taint.sources.push(...getterSources);
+  const jsAssignmentSources = findJavaScriptAssignmentSources(code, language);
+  taint.sources.push(...jsAssignmentSources);
+  const jsDOMSinks = findJavaScriptDOMSinks(code, language);
+  for (const domSink of jsDOMSinks) {
+    const alreadyExists = taint.sinks.some(
+      (s) => s.line === domSink.line && s.cwe === domSink.cwe
+    );
+    if (!alreadyExists) {
+      taint.sinks.push({
+        type: "xss",
+        cwe: domSink.cwe,
+        line: domSink.line,
+        location: domSink.location,
+        method: domSink.method,
+        confidence: 1
+      });
+    }
+  }
   logger.debug("Initial taint analysis", {
     sources: taint.sources.length,
     sinks: taint.sinks.length,
     sanitizers: taint.sanitizers?.length ?? 0,
-    getterSources: getterSources.length
+    getterSources: getterSources.length,
+    jsDOMSinks: jsDOMSinks.length
   });
   taint.sinks = taint.sinks.filter((sink) => !constPropResult.unreachableLines.has(sink.line));
   taint.sinks = filterCleanArraySinks(
@@ -15948,6 +16438,49 @@ async function analyze(code, filePath, language, options = {}) {
         taint.sinks.push(sink);
       }
     }
+    if (interProc.propagatedSinks.length > 0 && taint.sources.length > 0) {
+      if (!taint.flows) {
+        taint.flows = [];
+      }
+      const sanitizerMethodNames = /* @__PURE__ */ new Set();
+      for (const san of taint.sanitizers ?? []) {
+        if (san.type === "javadoc_sanitizer") {
+          const match = san.method.match(/^(\w+)\(\)$/);
+          if (match) sanitizerMethodNames.add(match[1]);
+          else sanitizerMethodNames.add(san.method);
+        }
+      }
+      for (const sink of interProc.propagatedSinks) {
+        if (sink.type === "external_taint_escape") continue;
+        for (const edge of interProc.callEdges) {
+          if (!interProc.taintedMethods.has(edge.calleeMethod)) continue;
+          const method = interProc.methodNodes.get(edge.calleeMethod);
+          if (!method) continue;
+          if (sink.line < method.startLine || sink.line > method.endLine) continue;
+          if (sanitizerMethodNames.has(method.name)) continue;
+          for (const source of taint.sources) {
+            if (source.line > edge.callLine) continue;
+            if (source.type === "interprocedural_param" && source.confidence < 0.6) continue;
+            if (taint.flows.some((f) => f.source_line === source.line && f.sink_line === sink.line)) continue;
+            taint.flows.push({
+              source_line: source.line,
+              sink_line: sink.line,
+              source_type: source.type,
+              sink_type: sink.type,
+              path: [
+                { variable: source.location, line: source.line, type: "source" },
+                { variable: `call to ${method.name}()`, line: edge.callLine, type: "use" },
+                { variable: sink.location, line: sink.line, type: "sink" }
+              ],
+              confidence: sink.confidence * source.confidence * 0.85,
+              sanitized: false
+            });
+            break;
+          }
+          break;
+        }
+      }
+    }
     const taintBridges = findTaintBridges(interProc);
     taint.interprocedural = {
       tainted_methods: Array.from(interProc.taintedMethods),