circle-ir 3.1.0
- package/LICENSE +15 -0
- package/README.md +200 -0
- package/configs/sinks/code_injection.yaml +672 -0
- package/configs/sinks/command.yaml +917 -0
- package/configs/sinks/deserialization.yaml +105 -0
- package/configs/sinks/ldap.yaml +136 -0
- package/configs/sinks/nodejs.json +629 -0
- package/configs/sinks/path.yaml +715 -0
- package/configs/sinks/python.json +501 -0
- package/configs/sinks/rust.json +339 -0
- package/configs/sinks/sql.yaml +233 -0
- package/configs/sinks/ssrf.yaml +160 -0
- package/configs/sinks/xpath.yaml +121 -0
- package/configs/sinks/xss.yaml +727 -0
- package/configs/sources/db_sources.yaml +90 -0
- package/configs/sources/env_sources.yaml +94 -0
- package/configs/sources/express.json +197 -0
- package/configs/sources/file_sources.yaml +164 -0
- package/configs/sources/http_sources.yaml +379 -0
- package/configs/sources/io_sources.yaml +519 -0
- package/configs/sources/network_sources.yaml +99 -0
- package/configs/sources/python.json +230 -0
- package/configs/sources/rust.json +286 -0
- package/configs/sources/spring.yaml +70 -0
- package/dist/analysis/advisory-db.d.ts +86 -0
- package/dist/analysis/advisory-db.js +104 -0
- package/dist/analysis/advisory-db.js.map +1 -0
- package/dist/analysis/cargo-parser.d.ts +42 -0
- package/dist/analysis/cargo-parser.js +102 -0
- package/dist/analysis/cargo-parser.js.map +1 -0
- package/dist/analysis/config-loader.d.ts +37 -0
- package/dist/analysis/config-loader.js +1561 -0
- package/dist/analysis/config-loader.js.map +1 -0
- package/dist/analysis/constant-propagation/ast-utils.d.ts +25 -0
- package/dist/analysis/constant-propagation/ast-utils.js +34 -0
- package/dist/analysis/constant-propagation/ast-utils.js.map +1 -0
- package/dist/analysis/constant-propagation/evaluator.d.ts +32 -0
- package/dist/analysis/constant-propagation/evaluator.js +296 -0
- package/dist/analysis/constant-propagation/evaluator.js.map +1 -0
- package/dist/analysis/constant-propagation/index.d.ts +62 -0
- package/dist/analysis/constant-propagation/index.js +152 -0
- package/dist/analysis/constant-propagation/index.js.map +1 -0
- package/dist/analysis/constant-propagation/patterns.d.ts +8 -0
- package/dist/analysis/constant-propagation/patterns.js +126 -0
- package/dist/analysis/constant-propagation/patterns.js.map +1 -0
- package/dist/analysis/constant-propagation/propagator.d.ts +180 -0
- package/dist/analysis/constant-propagation/propagator.js +1985 -0
- package/dist/analysis/constant-propagation/propagator.js.map +1 -0
- package/dist/analysis/constant-propagation/types.d.ts +63 -0
- package/dist/analysis/constant-propagation/types.js +5 -0
- package/dist/analysis/constant-propagation/types.js.map +1 -0
- package/dist/analysis/constant-propagation.d.ts +9 -0
- package/dist/analysis/constant-propagation.js +18 -0
- package/dist/analysis/constant-propagation.js.map +1 -0
- package/dist/analysis/dependency-scanner.d.ts +79 -0
- package/dist/analysis/dependency-scanner.js +122 -0
- package/dist/analysis/dependency-scanner.js.map +1 -0
- package/dist/analysis/dfg-verifier.d.ts +116 -0
- package/dist/analysis/dfg-verifier.js +399 -0
- package/dist/analysis/dfg-verifier.js.map +1 -0
- package/dist/analysis/findings.d.ts +11 -0
- package/dist/analysis/findings.js +228 -0
- package/dist/analysis/findings.js.map +1 -0
- package/dist/analysis/index.d.ts +16 -0
- package/dist/analysis/index.js +18 -0
- package/dist/analysis/index.js.map +1 -0
- package/dist/analysis/interprocedural.d.ts +99 -0
- package/dist/analysis/interprocedural.js +526 -0
- package/dist/analysis/interprocedural.js.map +1 -0
- package/dist/analysis/path-finder.d.ts +133 -0
- package/dist/analysis/path-finder.js +354 -0
- package/dist/analysis/path-finder.js.map +1 -0
- package/dist/analysis/rules.d.ts +75 -0
- package/dist/analysis/rules.js +332 -0
- package/dist/analysis/rules.js.map +1 -0
- package/dist/analysis/semver.d.ts +27 -0
- package/dist/analysis/semver.js +127 -0
- package/dist/analysis/semver.js.map +1 -0
- package/dist/analysis/taint-matcher.d.ts +15 -0
- package/dist/analysis/taint-matcher.js +634 -0
- package/dist/analysis/taint-matcher.js.map +1 -0
- package/dist/analysis/taint-propagation.d.ts +67 -0
- package/dist/analysis/taint-propagation.js +298 -0
- package/dist/analysis/taint-propagation.js.map +1 -0
- package/dist/analysis/unresolved.d.ts +14 -0
- package/dist/analysis/unresolved.js +202 -0
- package/dist/analysis/unresolved.js.map +1 -0
- package/dist/analyzer.d.ts +43 -0
- package/dist/analyzer.js +1010 -0
- package/dist/analyzer.js.map +1 -0
- package/dist/browser/circle-ir.js +16576 -0
- package/dist/browser.d.ts +38 -0
- package/dist/browser.js +38 -0
- package/dist/browser.js.map +1 -0
- package/dist/core/circle-ir-core.cjs +13626 -0
- package/dist/core/circle-ir-core.d.ts +59 -0
- package/dist/core/circle-ir-core.js +13591 -0
- package/dist/core/extractors/calls.d.ts +13 -0
- package/dist/core/extractors/calls.js +1429 -0
- package/dist/core/extractors/calls.js.map +1 -0
- package/dist/core/extractors/cfg.d.ts +9 -0
- package/dist/core/extractors/cfg.js +519 -0
- package/dist/core/extractors/cfg.js.map +1 -0
- package/dist/core/extractors/dfg.d.ts +12 -0
- package/dist/core/extractors/dfg.js +1081 -0
- package/dist/core/extractors/dfg.js.map +1 -0
- package/dist/core/extractors/exports.d.ts +14 -0
- package/dist/core/extractors/exports.js +80 -0
- package/dist/core/extractors/exports.js.map +1 -0
- package/dist/core/extractors/imports.d.ts +9 -0
- package/dist/core/extractors/imports.js +739 -0
- package/dist/core/extractors/imports.js.map +1 -0
- package/dist/core/extractors/index.d.ts +10 -0
- package/dist/core/extractors/index.js +11 -0
- package/dist/core/extractors/index.js.map +1 -0
- package/dist/core/extractors/meta.d.ts +10 -0
- package/dist/core/extractors/meta.js +109 -0
- package/dist/core/extractors/meta.js.map +1 -0
- package/dist/core/extractors/types.d.ts +10 -0
- package/dist/core/extractors/types.js +1479 -0
- package/dist/core/extractors/types.js.map +1 -0
- package/dist/core/index.d.ts +5 -0
- package/dist/core/index.js +8 -0
- package/dist/core/index.js.map +1 -0
- package/dist/core/parser.d.ts +84 -0
- package/dist/core/parser.js +250 -0
- package/dist/core/parser.js.map +1 -0
- package/dist/core-lib.d.ts +59 -0
- package/dist/core-lib.js +62 -0
- package/dist/core-lib.js.map +1 -0
- package/dist/index.d.ts +15 -0
- package/dist/index.js +20 -0
- package/dist/index.js.map +1 -0
- package/dist/languages/index.d.ts +11 -0
- package/dist/languages/index.js +14 -0
- package/dist/languages/index.js.map +1 -0
- package/dist/languages/plugins/base.d.ts +44 -0
- package/dist/languages/plugins/base.js +82 -0
- package/dist/languages/plugins/base.js.map +1 -0
- package/dist/languages/plugins/index.d.ts +14 -0
- package/dist/languages/plugins/index.js +25 -0
- package/dist/languages/plugins/index.js.map +1 -0
- package/dist/languages/plugins/java.d.ts +49 -0
- package/dist/languages/plugins/java.js +402 -0
- package/dist/languages/plugins/java.js.map +1 -0
- package/dist/languages/plugins/javascript.d.ts +48 -0
- package/dist/languages/plugins/javascript.js +445 -0
- package/dist/languages/plugins/javascript.js.map +1 -0
- package/dist/languages/plugins/python.d.ts +47 -0
- package/dist/languages/plugins/python.js +480 -0
- package/dist/languages/plugins/python.js.map +1 -0
- package/dist/languages/plugins/rust.d.ts +47 -0
- package/dist/languages/plugins/rust.js +405 -0
- package/dist/languages/plugins/rust.js.map +1 -0
- package/dist/languages/registry.d.ts +30 -0
- package/dist/languages/registry.js +80 -0
- package/dist/languages/registry.js.map +1 -0
- package/dist/languages/types.d.ts +184 -0
- package/dist/languages/types.js +8 -0
- package/dist/languages/types.js.map +1 -0
- package/dist/resolution/cross-file.d.ts +146 -0
- package/dist/resolution/cross-file.js +439 -0
- package/dist/resolution/cross-file.js.map +1 -0
- package/dist/resolution/index.d.ts +12 -0
- package/dist/resolution/index.js +10 -0
- package/dist/resolution/index.js.map +1 -0
- package/dist/resolution/symbol-table.d.ts +136 -0
- package/dist/resolution/symbol-table.js +336 -0
- package/dist/resolution/symbol-table.js.map +1 -0
- package/dist/resolution/type-hierarchy.d.ts +124 -0
- package/dist/resolution/type-hierarchy.js +515 -0
- package/dist/resolution/type-hierarchy.js.map +1 -0
- package/dist/types/config.d.ts +45 -0
- package/dist/types/config.js +5 -0
- package/dist/types/config.js.map +1 -0
- package/dist/types/index.d.ts +392 -0
- package/dist/types/index.js +7 -0
- package/dist/types/index.js.map +1 -0
- package/dist/utils/logger.d.ts +85 -0
- package/dist/utils/logger.js +198 -0
- package/dist/utils/logger.js.map +1 -0
- package/dist/wasm/tree-sitter-java.wasm +0 -0
- package/dist/wasm/tree-sitter-javascript.wasm +0 -0
- package/dist/wasm/tree-sitter-python.wasm +0 -0
- package/dist/wasm/tree-sitter-rust.wasm +0 -0
- package/dist/wasm/web-tree-sitter.wasm +0 -0
- package/docs/SPEC.md +1021 -0
- package/examples/browser-example.html +610 -0
- package/examples/node-example.ts +215 -0
- package/package.json +107 -0
- package/wasm/tree-sitter-java.wasm +0 -0
- package/wasm/tree-sitter-javascript.wasm +0 -0
- package/wasm/tree-sitter-python.wasm +0 -0
- package/wasm/tree-sitter-rust.wasm +0 -0
|
@@ -0,0 +1,1561 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Configuration loader for taint source/sink definitions
|
|
3
|
+
*
|
|
4
|
+
* Loads YAML configs from configs/sources/ and configs/sinks/
|
|
5
|
+
*/
|
|
6
|
+
/**
|
|
7
|
+
* Parse YAML/JSON configuration content.
|
|
8
|
+
* Uses JSON since the config files are actually JSON despite .yaml extension.
|
|
9
|
+
*/
|
|
10
|
+
export function parseConfig(content) {
|
|
11
|
+
return JSON.parse(content);
|
|
12
|
+
}
|
|
13
|
+
/**
|
|
14
|
+
* Load and merge multiple source configs.
|
|
15
|
+
*/
|
|
16
|
+
export function loadSourceConfigs(configs) {
|
|
17
|
+
const patterns = [];
|
|
18
|
+
for (const config of configs) {
|
|
19
|
+
if (config.sources) {
|
|
20
|
+
patterns.push(...config.sources);
|
|
21
|
+
}
|
|
22
|
+
}
|
|
23
|
+
return patterns;
|
|
24
|
+
}
|
|
25
|
+
/**
|
|
26
|
+
* Load and merge multiple sink configs.
|
|
27
|
+
*/
|
|
28
|
+
export function loadSinkConfigs(configs) {
|
|
29
|
+
const sinks = [];
|
|
30
|
+
const sanitizers = [];
|
|
31
|
+
for (const config of configs) {
|
|
32
|
+
if (config.sinks) {
|
|
33
|
+
sinks.push(...config.sinks);
|
|
34
|
+
}
|
|
35
|
+
if (config.sanitizers) {
|
|
36
|
+
sanitizers.push(...config.sanitizers);
|
|
37
|
+
}
|
|
38
|
+
}
|
|
39
|
+
return { sinks, sanitizers };
|
|
40
|
+
}
|
|
41
|
+
/**
|
|
42
|
+
* Create a combined taint configuration from raw config contents.
|
|
43
|
+
*/
|
|
44
|
+
export function createTaintConfig(sourceContents, sinkContents) {
|
|
45
|
+
const sourceConfigs = sourceContents.map((c) => parseConfig(c));
|
|
46
|
+
const sinkConfigs = sinkContents.map((c) => parseConfig(c));
|
|
47
|
+
const sources = loadSourceConfigs(sourceConfigs);
|
|
48
|
+
const { sinks, sanitizers } = loadSinkConfigs(sinkConfigs);
|
|
49
|
+
return { sources, sinks, sanitizers };
|
|
50
|
+
}
|
|
51
|
+
/**
|
|
52
|
+
* Embedded default configurations (subset for standalone use).
|
|
53
|
+
* Full configs should be loaded from files when available.
|
|
54
|
+
*/
|
|
55
|
+
export const DEFAULT_SOURCES = [
|
|
56
|
+
// HTTP Sources (Servlet API)
|
|
57
|
+
{ method: 'getParameter', class: 'HttpServletRequest', type: 'http_param', severity: 'high', return_tainted: true },
|
|
58
|
+
{ method: 'getParameterValues', class: 'HttpServletRequest', type: 'http_param', severity: 'high', return_tainted: true },
|
|
59
|
+
{ method: 'getParameterMap', class: 'HttpServletRequest', type: 'http_param', severity: 'high', return_tainted: true },
|
|
60
|
+
{ method: 'getParameterNames', class: 'HttpServletRequest', type: 'http_param', severity: 'high', return_tainted: true },
|
|
61
|
+
{ method: 'getHeader', class: 'HttpServletRequest', type: 'http_header', severity: 'high', return_tainted: true },
|
|
62
|
+
{ method: 'getHeaders', class: 'HttpServletRequest', type: 'http_header', severity: 'high', return_tainted: true },
|
|
63
|
+
{ method: 'getHeaderNames', class: 'HttpServletRequest', type: 'http_header', severity: 'high', return_tainted: true },
|
|
64
|
+
{ method: 'getQueryString', class: 'HttpServletRequest', type: 'http_query', severity: 'high', return_tainted: true },
|
|
65
|
+
{ method: 'getCookies', class: 'HttpServletRequest', type: 'http_cookie', severity: 'high', return_tainted: true },
|
|
66
|
+
{ method: 'getInputStream', class: 'HttpServletRequest', type: 'http_body', severity: 'high', return_tainted: true },
|
|
67
|
+
{ method: 'getReader', class: 'HttpServletRequest', type: 'http_body', severity: 'high', return_tainted: true },
|
|
68
|
+
{ method: 'getPathInfo', class: 'HttpServletRequest', type: 'http_path', severity: 'high', return_tainted: true },
|
|
69
|
+
{ method: 'getRequestURI', class: 'HttpServletRequest', type: 'http_path', severity: 'high', return_tainted: true },
|
|
70
|
+
{ method: 'getRequestURL', class: 'HttpServletRequest', type: 'http_path', severity: 'high', return_tainted: true },
|
|
71
|
+
{ method: 'getServletPath', class: 'HttpServletRequest', type: 'http_path', severity: 'high', return_tainted: true },
|
|
72
|
+
{ method: 'getContextPath', class: 'HttpServletRequest', type: 'http_path', severity: 'medium', return_tainted: true },
|
|
73
|
+
{ method: 'getRemoteHost', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
|
|
74
|
+
{ method: 'getRemoteAddr', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
|
|
75
|
+
// Additional HTTP request methods that can be attacker-controlled
|
|
76
|
+
{ method: 'getProtocol', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
|
|
77
|
+
{ method: 'getScheme', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
|
|
78
|
+
{ method: 'getAuthType', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
|
|
79
|
+
{ method: 'getRemoteUser', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
|
|
80
|
+
{ method: 'getMethod', class: 'HttpServletRequest', type: 'http_header', severity: 'low', return_tainted: true },
|
|
81
|
+
{ method: 'getContentType', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
|
|
82
|
+
{ method: 'getCharacterEncoding', class: 'HttpServletRequest', type: 'http_header', severity: 'low', return_tainted: true },
|
|
83
|
+
// Enumeration/Iterator sources (from request.getHeaders(), etc.)
|
|
84
|
+
{ method: 'nextElement', class: 'Enumeration', type: 'http_header', severity: 'high', return_tainted: true },
|
|
85
|
+
{ method: 'nextElement', type: 'http_header', severity: 'high', return_tainted: true },
|
|
86
|
+
// Cookie sources
|
|
87
|
+
{ method: 'getValue', class: 'Cookie', type: 'http_cookie', severity: 'high', return_tainted: true },
|
|
88
|
+
{ method: 'getName', class: 'Cookie', type: 'http_cookie', severity: 'high', return_tainted: true },
|
|
89
|
+
// I/O Sources (Scanner, BufferedReader, etc.)
|
|
90
|
+
{ method: 'readLine', class: 'BufferedReader', type: 'io_input', severity: 'high', return_tainted: true },
|
|
91
|
+
{ method: 'readLine', type: 'io_input', severity: 'high', return_tainted: true },
|
|
92
|
+
{ method: 'nextLine', class: 'Scanner', type: 'io_input', severity: 'high', return_tainted: true },
|
|
93
|
+
{ method: 'next', class: 'Scanner', type: 'io_input', severity: 'high', return_tainted: true },
|
|
94
|
+
{ method: 'nextInt', class: 'Scanner', type: 'io_input', severity: 'high', return_tainted: true },
|
|
95
|
+
// Database result sources
|
|
96
|
+
{ method: 'getString', class: 'ResultSet', type: 'db_input', severity: 'medium', return_tainted: true },
|
|
97
|
+
{ method: 'getObject', class: 'ResultSet', type: 'db_input', severity: 'medium', return_tainted: true },
|
|
98
|
+
{ method: 'getInt', class: 'ResultSet', type: 'db_input', severity: 'medium', return_tainted: true },
|
|
99
|
+
// Spring annotations
|
|
100
|
+
{ annotation: 'RequestParam', type: 'http_param', severity: 'high', param_tainted: true },
|
|
101
|
+
{ annotation: 'RequestBody', type: 'http_body', severity: 'high', param_tainted: true },
|
|
102
|
+
{ annotation: 'PathVariable', type: 'http_path', severity: 'medium', param_tainted: true },
|
|
103
|
+
{ annotation: 'RequestHeader', type: 'http_header', severity: 'high', param_tainted: true },
|
|
104
|
+
{ annotation: 'CookieValue', type: 'http_cookie', severity: 'high', param_tainted: true },
|
|
105
|
+
// JAX-RS annotations
|
|
106
|
+
{ annotation: 'QueryParam', type: 'http_param', severity: 'high', param_tainted: true },
|
|
107
|
+
{ annotation: 'FormParam', type: 'http_param', severity: 'high', param_tainted: true },
|
|
108
|
+
{ annotation: 'PathParam', type: 'http_path', severity: 'medium', param_tainted: true },
|
|
109
|
+
{ annotation: 'HeaderParam', type: 'http_header', severity: 'high', param_tainted: true },
|
|
110
|
+
// Environment
|
|
111
|
+
{ method: 'getenv', class: 'System', type: 'env_input', severity: 'medium', return_tainted: true },
|
|
112
|
+
{ method: 'getProperty', class: 'System', type: 'env_input', severity: 'medium', return_tainted: true },
|
|
113
|
+
// Note: Properties.getProperty is NOT included by default as it causes many false positives
|
|
114
|
+
// in OWASP Benchmark. Include it via custom config if needed for specific analyses.
|
|
115
|
+
// Servlet Configuration Parameters (can be attacker-influenced in some deployments)
|
|
116
|
+
{ method: 'getInitParameter', class: 'ServletConfig', type: 'http_param', severity: 'medium', return_tainted: true },
|
|
117
|
+
{ method: 'getInitParameter', class: 'ServletContext', type: 'http_param', severity: 'medium', return_tainted: true },
|
|
118
|
+
{ method: 'getInitParameter', class: 'FilterConfig', type: 'http_param', severity: 'medium', return_tainted: true },
|
|
119
|
+
{ method: 'getInitParameter', type: 'http_param', severity: 'medium', return_tainted: true },
|
|
120
|
+
{ method: 'getServletConfig', class: 'GenericServlet', type: 'http_param', severity: 'medium', return_tainted: true },
|
|
121
|
+
// Vert.x Framework
|
|
122
|
+
{ method: 'getParam', class: 'RoutingContext', type: 'http_param', severity: 'high', return_tainted: true },
|
|
123
|
+
{ method: 'getBodyAsString', class: 'RoutingContext', type: 'http_body', severity: 'high', return_tainted: true },
|
|
124
|
+
{ method: 'getBodyAsJson', class: 'RoutingContext', type: 'http_body', severity: 'high', return_tainted: true },
|
|
125
|
+
{ method: 'request', class: 'RoutingContext', type: 'http_param', severity: 'high', return_tainted: true },
|
|
126
|
+
{ method: 'pathParam', class: 'RoutingContext', type: 'http_path', severity: 'high', return_tainted: true },
|
|
127
|
+
{ method: 'queryParam', class: 'RoutingContext', type: 'http_param', severity: 'high', return_tainted: true },
|
|
128
|
+
{ method: 'path', class: 'HttpServerRequest', type: 'http_path', severity: 'high', return_tainted: true },
|
|
129
|
+
{ method: 'uri', class: 'HttpServerRequest', type: 'http_path', severity: 'high', return_tainted: true },
|
|
130
|
+
{ method: 'getParam', class: 'HttpServerRequest', type: 'http_param', severity: 'high', return_tainted: true },
|
|
131
|
+
{ method: 'getHeader', class: 'HttpServerRequest', type: 'http_header', severity: 'high', return_tainted: true },
|
|
132
|
+
// Spark Framework (Spark Java)
|
|
133
|
+
{ method: 'params', class: 'Request', type: 'http_param', severity: 'high', return_tainted: true },
|
|
134
|
+
{ method: 'queryParams', class: 'Request', type: 'http_param', severity: 'high', return_tainted: true },
|
|
135
|
+
{ method: 'body', class: 'Request', type: 'http_body', severity: 'high', return_tainted: true },
|
|
136
|
+
{ method: 'headers', class: 'Request', type: 'http_header', severity: 'high', return_tainted: true },
|
|
137
|
+
{ method: 'pathInfo', class: 'Request', type: 'http_path', severity: 'high', return_tainted: true },
|
|
138
|
+
{ method: 'uri', class: 'Request', type: 'http_path', severity: 'high', return_tainted: true },
|
|
139
|
+
// Apache Camel
|
|
140
|
+
{ method: 'getBody', class: 'Message', type: 'http_body', severity: 'high', return_tainted: true },
|
|
141
|
+
{ method: 'getBody', class: 'Exchange', type: 'http_body', severity: 'high', return_tainted: true },
|
|
142
|
+
{ method: 'getIn', class: 'Exchange', type: 'http_body', severity: 'high', return_tainted: true },
|
|
143
|
+
{ method: 'getHeader', class: 'Message', type: 'http_header', severity: 'high', return_tainted: true },
|
|
144
|
+
// File name sources (common in path traversal vulnerabilities)
|
|
145
|
+
{ method: 'getFileName', type: 'file_input', severity: 'high', return_tainted: true },
|
|
146
|
+
{ method: 'getName', class: 'File', type: 'file_input', severity: 'high', return_tainted: true },
|
|
147
|
+
{ method: 'getPath', class: 'File', type: 'file_input', severity: 'high', return_tainted: true },
|
|
148
|
+
{ method: 'getAbsolutePath', class: 'File', type: 'file_input', severity: 'high', return_tainted: true },
|
|
149
|
+
{ method: 'toString', class: 'Path', type: 'file_input', severity: 'medium', return_tainted: true },
|
|
150
|
+
{ method: 'getFileName', class: 'Path', type: 'file_input', severity: 'high', return_tainted: true },
|
|
151
|
+
// Multipart file uploads
|
|
152
|
+
{ method: 'getOriginalFilename', class: 'MultipartFile', type: 'file_input', severity: 'high', return_tainted: true },
|
|
153
|
+
{ method: 'getName', class: 'MultipartFile', type: 'file_input', severity: 'high', return_tainted: true },
|
|
154
|
+
{ method: 'getSubmittedFileName', class: 'Part', type: 'file_input', severity: 'high', return_tainted: true },
|
|
155
|
+
{ method: 'getName', class: 'Part', type: 'file_input', severity: 'high', return_tainted: true },
|
|
156
|
+
{ method: 'getFileName', class: 'Part', type: 'file_input', severity: 'high', return_tainted: true },
|
|
157
|
+
// Email attachment sources (common in CVE-2018-8041 type vulnerabilities)
|
|
158
|
+
{ method: 'getFileName', class: 'BodyPart', type: 'file_input', severity: 'high', return_tainted: true },
|
|
159
|
+
{ method: 'getFileName', class: 'MimeBodyPart', type: 'file_input', severity: 'high', return_tainted: true },
|
|
160
|
+
{ method: 'getDisposition', class: 'Part', type: 'file_input', severity: 'medium', return_tainted: true },
|
|
161
|
+
// Command line arguments
|
|
162
|
+
{ method: 'getArgs', type: 'io_input', severity: 'high', return_tainted: true },
|
|
163
|
+
{ method: 'getOptionValue', class: 'CommandLine', type: 'io_input', severity: 'high', return_tainted: true },
|
|
164
|
+
// Retrofit/OkHttp
|
|
165
|
+
{ method: 'url', class: 'Request', type: 'http_path', severity: 'high', return_tainted: true },
|
|
166
|
+
{ method: 'body', class: 'RequestBody', type: 'http_body', severity: 'high', return_tainted: true },
|
|
167
|
+
// XML/Deserialization sources (can contain attacker-controlled data)
|
|
168
|
+
{ method: 'fromXML', class: 'XStream', type: 'io_input', severity: 'critical', return_tainted: true },
|
|
169
|
+
{ method: 'unmarshal', class: 'XStream', type: 'io_input', severity: 'critical', return_tainted: true },
|
|
170
|
+
{ method: 'fromString', type: 'io_input', severity: 'high', return_tainted: true },
|
|
171
|
+
{ method: 'unmarshal', class: 'Unmarshaller', type: 'io_input', severity: 'high', return_tainted: true },
|
|
172
|
+
{ method: 'readValue', class: 'ObjectMapper', type: 'io_input', severity: 'high', return_tainted: true },
|
|
173
|
+
// Jenkins/CI sources
|
|
174
|
+
{ method: 'getScript', type: 'io_input', severity: 'critical', return_tainted: true },
|
|
175
|
+
{ method: 'getScriptPath', type: 'io_input', severity: 'critical', return_tainted: true },
|
|
176
|
+
{ method: 'getCommand', type: 'io_input', severity: 'critical', return_tainted: true },
|
|
177
|
+
{ method: 'getShell', type: 'io_input', severity: 'critical', return_tainted: true },
|
|
178
|
+
// Wiki/CMS sources (JSPWiki, Confluence, etc.)
|
|
179
|
+
{ method: 'getText', class: 'WikiContext', type: 'io_input', severity: 'high', return_tainted: true },
|
|
180
|
+
{ method: 'getPage', class: 'WikiContext', type: 'io_input', severity: 'high', return_tainted: true },
|
|
181
|
+
{ method: 'getVariable', class: 'WikiContext', type: 'io_input', severity: 'high', return_tainted: true },
|
|
182
|
+
{ method: 'getAttribute', type: 'io_input', severity: 'high', return_tainted: true },
|
|
183
|
+
{ method: 'getValue', type: 'io_input', severity: 'high', return_tainted: true },
|
|
184
|
+
// Map/Collection sources (plugin parameters, config values)
|
|
185
|
+
{ method: 'get', class: 'Map', type: 'plugin_param', severity: 'high', return_tainted: true },
|
|
186
|
+
{ method: 'get', class: 'HashMap', type: 'plugin_param', severity: 'high', return_tainted: true },
|
|
187
|
+
{ method: 'get', class: 'LinkedHashMap', type: 'plugin_param', severity: 'high', return_tainted: true },
|
|
188
|
+
{ method: 'get', class: 'TreeMap', type: 'plugin_param', severity: 'high', return_tainted: true },
|
|
189
|
+
{ method: 'get', class: 'ConcurrentHashMap', type: 'plugin_param', severity: 'high', return_tainted: true },
|
|
190
|
+
{ method: 'get', class: 'Hashtable', type: 'plugin_param', severity: 'high', return_tainted: true },
|
|
191
|
+
{ method: 'get', class: 'Properties', type: 'config_param', severity: 'high', return_tainted: true },
|
|
192
|
+
// Message/Event sources
|
|
193
|
+
{ method: 'getText', class: 'Message', type: 'io_input', severity: 'high', return_tainted: true },
|
|
194
|
+
{ method: 'getPayload', type: 'io_input', severity: 'high', return_tainted: true },
|
|
195
|
+
{ method: 'getData', type: 'io_input', severity: 'high', return_tainted: true },
|
|
196
|
+
// FHIR/HL7 sources (medical records can contain user-provided data)
|
|
197
|
+
{ method: 'getText', class: 'Questionnaire', type: 'io_input', severity: 'high', return_tainted: true },
|
|
198
|
+
{ method: 'getLinkId', class: 'QuestionnaireItemComponent', type: 'io_input', severity: 'high', return_tainted: true },
|
|
199
|
+
{ method: 'getText', class: 'QuestionnaireItemComponent', type: 'io_input', severity: 'high', return_tainted: true },
|
|
200
|
+
{ method: 'getPrefix', class: 'QuestionnaireItemComponent', type: 'io_input', severity: 'high', return_tainted: true },
|
|
201
|
+
{ method: 'getValueString', type: 'io_input', severity: 'high', return_tainted: true },
|
|
202
|
+
{ method: 'getValue', class: 'PrimitiveType', type: 'io_input', severity: 'high', return_tainted: true },
|
|
203
|
+
{ method: 'asStringValue', type: 'io_input', severity: 'high', return_tainted: true },
|
|
204
|
+
{ method: 'getDisplay', class: 'Coding', type: 'io_input', severity: 'high', return_tainted: true },
|
|
205
|
+
{ method: 'getCode', class: 'Coding', type: 'io_input', severity: 'high', return_tainted: true },
|
|
206
|
+
{ method: 'getText', class: 'CodeableConcept', type: 'io_input', severity: 'high', return_tainted: true },
|
|
207
|
+
{ method: 'getExpression', class: 'Expression', type: 'io_input', severity: 'high', return_tainted: true },
|
|
208
|
+
// XWiki/Wiki rendering sources
|
|
209
|
+
{ method: 'getContent', class: 'Block', type: 'io_input', severity: 'high', return_tainted: true },
|
|
210
|
+
{ method: 'getParameters', class: 'Block', type: 'io_input', severity: 'high', return_tainted: true },
|
|
211
|
+
{ method: 'getRawContent', type: 'io_input', severity: 'high', return_tainted: true },
|
|
212
|
+
// SAX/XML parsing sources (data from parsed XML)
|
|
213
|
+
{ method: 'getAttributes', class: 'XMLReader', type: 'io_input', severity: 'high', return_tainted: true },
|
|
214
|
+
{ method: 'getValue', class: 'Attributes', type: 'io_input', severity: 'high', return_tainted: true },
|
|
215
|
+
{ method: 'getLocalName', class: 'Attributes', type: 'io_input', severity: 'high', return_tainted: true },
|
|
216
|
+
// Validation framework sources
|
|
217
|
+
{ method: 'getValue', class: 'ConstraintValidatorContext', type: 'io_input', severity: 'medium', return_tainted: true },
|
|
218
|
+
{ method: 'getInvalidValue', type: 'io_input', severity: 'medium', return_tainted: true },
|
|
219
|
+
// Shell/Command provider sources (NiFi, etc.)
|
|
220
|
+
{ method: 'getGroupMembers', type: 'io_input', severity: 'high', return_tainted: true },
|
|
221
|
+
{ method: 'getCommandsProvider', type: 'io_input', severity: 'high', return_tainted: true },
|
|
222
|
+
{ method: 'getUserByIdentity', type: 'io_input', severity: 'high', return_tainted: true },
|
|
223
|
+
{ method: 'refreshUsersAndGroups', type: 'io_input', severity: 'high', return_tainted: true },
|
|
224
|
+
// Jenkins/CI pipeline sources
|
|
225
|
+
{ method: 'getScriptPath', type: 'io_input', severity: 'critical', return_tainted: true },
|
|
226
|
+
{ method: 'getFilePathSuffix', type: 'io_input', severity: 'high', return_tainted: true },
|
|
227
|
+
{ method: 'getPath', type: 'file_input', severity: 'high', return_tainted: true },
|
|
228
|
+
{ method: 'contentAsString', type: 'file_input', severity: 'critical', return_tainted: true },
|
|
229
|
+
{ method: 'readAsString', type: 'file_input', severity: 'critical', return_tainted: true },
|
|
230
|
+
{ method: 'content', type: 'file_input', severity: 'high', return_tainted: true },
|
|
231
|
+
{ method: 'retrieve', type: 'io_input', severity: 'high', return_tainted: true },
|
|
232
|
+
{ method: 'findResources', type: 'io_input', severity: 'high', return_tainted: true },
|
|
233
|
+
{ method: 'loadScripts', type: 'io_input', severity: 'high', return_tainted: true },
|
|
234
|
+
{ method: 'doRetrieve', type: 'io_input', severity: 'high', return_tainted: true },
|
|
235
|
+
// ActiveMQ/Message broker sources
|
|
236
|
+
{ method: 'processControlCommand', type: 'io_input', severity: 'critical', return_tainted: true },
|
|
237
|
+
{ method: 'getCommand', class: 'ControlCommand', type: 'io_input', severity: 'critical', return_tainted: true },
|
|
238
|
+
// Spring OAuth sources
|
|
239
|
+
{ method: 'authenticate', class: 'OAuth2RequestAuthenticator', type: 'http_header', severity: 'high', return_tainted: true },
|
|
240
|
+
{ method: 'getAccessToken', type: 'http_header', severity: 'high', return_tainted: true },
|
|
241
|
+
// Struts/OGNL sources
|
|
242
|
+
{ method: 'addParametersToContext', type: 'http_param', severity: 'critical', return_tainted: true },
|
|
243
|
+
{ method: 'getParameters', class: 'ActionContext', type: 'http_param', severity: 'high', return_tainted: true },
|
|
244
|
+
// Cron/Parser sources
|
|
245
|
+
{ method: 'parse', class: 'CronParser', type: 'io_input', severity: 'high', return_tainted: true },
|
|
246
|
+
{ method: 'isValid', class: 'CronValidator', type: 'io_input', severity: 'high', return_tainted: true },
|
|
247
|
+
// Jenkins library/configuration sources
|
|
248
|
+
{ method: 'getName', class: 'LibraryRecord', type: 'io_input', severity: 'high', return_tainted: true },
|
|
249
|
+
{ method: 'getVersion', class: 'LibraryRecord', type: 'io_input', severity: 'high', return_tainted: true },
|
|
250
|
+
{ method: 'name', class: 'LibraryRecord', type: 'io_input', severity: 'high', return_tainted: true },
|
|
251
|
+
{ method: 'version', class: 'LibraryRecord', type: 'io_input', severity: 'high', return_tainted: true },
|
|
252
|
+
{ method: 'getLibrary', type: 'io_input', severity: 'high', return_tainted: true },
|
|
253
|
+
{ method: 'getDefaultVersion', type: 'io_input', severity: 'high', return_tainted: true },
|
|
254
|
+
// SCM/repository sources (can be attacker-controlled via fork/PR)
|
|
255
|
+
{ method: 'getRemote', class: 'RemoteConfig', type: 'io_input', severity: 'high', return_tainted: true },
|
|
256
|
+
{ method: 'getURIs', class: 'RemoteConfig', type: 'io_input', severity: 'high', return_tainted: true },
|
|
257
|
+
{ method: 'getBranch', type: 'io_input', severity: 'high', return_tainted: true },
|
|
258
|
+
{ method: 'getRepository', type: 'io_input', severity: 'high', return_tainted: true },
|
|
259
|
+
// =========================================================================
|
|
260
|
+
// Express.js / Node.js Sources (Property-based)
|
|
261
|
+
// =========================================================================
|
|
262
|
+
// Express.js Request Properties
|
|
263
|
+
{ property: 'params', object: 'req', type: 'http_param', severity: 'high', property_tainted: true },
|
|
264
|
+
{ property: 'query', object: 'req', type: 'http_param', severity: 'high', property_tainted: true },
|
|
265
|
+
{ property: 'body', object: 'req', type: 'http_body', severity: 'high', property_tainted: true },
|
|
266
|
+
{ property: 'headers', object: 'req', type: 'http_header', severity: 'high', property_tainted: true },
|
|
267
|
+
{ property: 'cookies', object: 'req', type: 'http_cookie', severity: 'high', property_tainted: true },
|
|
268
|
+
{ property: 'url', object: 'req', type: 'http_path', severity: 'high', property_tainted: true },
|
|
269
|
+
{ property: 'path', object: 'req', type: 'http_path', severity: 'high', property_tainted: true },
|
|
270
|
+
{ property: 'hostname', object: 'req', type: 'http_header', severity: 'medium', property_tainted: true },
|
|
271
|
+
{ property: 'ip', object: 'req', type: 'http_header', severity: 'medium', property_tainted: true },
|
|
272
|
+
{ property: 'ips', object: 'req', type: 'http_header', severity: 'medium', property_tainted: true },
|
|
273
|
+
{ property: 'protocol', object: 'req', type: 'http_header', severity: 'low', property_tainted: true },
|
|
274
|
+
{ property: 'originalUrl', object: 'req', type: 'http_path', severity: 'high', property_tainted: true },
|
|
275
|
+
{ property: 'baseUrl', object: 'req', type: 'http_path', severity: 'medium', property_tainted: true },
|
|
276
|
+
{ property: 'file', object: 'req', type: 'file_input', severity: 'high', property_tainted: true },
|
|
277
|
+
{ property: 'files', object: 'req', type: 'file_input', severity: 'high', property_tainted: true },
|
|
278
|
+
// Also match 'request' (alternative naming)
|
|
279
|
+
{ property: 'params', object: 'request', type: 'http_param', severity: 'high', property_tainted: true },
|
|
280
|
+
{ property: 'query', object: 'request', type: 'http_param', severity: 'high', property_tainted: true },
|
|
281
|
+
{ property: 'body', object: 'request', type: 'http_body', severity: 'high', property_tainted: true },
|
|
282
|
+
{ property: 'headers', object: 'request', type: 'http_header', severity: 'high', property_tainted: true },
|
|
283
|
+
// Node.js process (environment/args)
|
|
284
|
+
{ property: 'env', object: 'process', type: 'env_input', severity: 'medium', property_tainted: true },
|
|
285
|
+
{ property: 'argv', object: 'process', type: 'io_input', severity: 'high', property_tainted: true },
|
|
286
|
+
// Koa.js (ctx.request, ctx.query, etc.)
|
|
287
|
+
{ property: 'query', object: 'ctx', type: 'http_param', severity: 'high', property_tainted: true },
|
|
288
|
+
{ property: 'params', object: 'ctx', type: 'http_param', severity: 'high', property_tainted: true },
|
|
289
|
+
{ property: 'request', object: 'ctx', type: 'http_body', severity: 'high', property_tainted: true },
|
|
290
|
+
{ property: 'headers', object: 'ctx', type: 'http_header', severity: 'high', property_tainted: true },
|
|
291
|
+
// =========================================================================
|
|
292
|
+
// Python / Flask / Django Sources
|
|
293
|
+
// =========================================================================
|
|
294
|
+
// Flask request object
|
|
295
|
+
{ method: 'get', class: 'args', type: 'http_param', severity: 'high', return_tainted: true },
|
|
296
|
+
{ method: 'get', class: 'form', type: 'http_param', severity: 'high', return_tainted: true },
|
|
297
|
+
{ method: 'get', class: 'headers', type: 'http_header', severity: 'high', return_tainted: true },
|
|
298
|
+
{ method: 'get', class: 'cookies', type: 'http_cookie', severity: 'high', return_tainted: true },
|
|
299
|
+
{ property: 'json', object: 'request', type: 'http_body', severity: 'high', property_tainted: true },
|
|
300
|
+
{ property: 'data', object: 'request', type: 'http_body', severity: 'high', property_tainted: true },
|
|
301
|
+
{ property: 'path', object: 'request', type: 'http_path', severity: 'medium', property_tainted: true },
|
|
302
|
+
{ property: 'query_string', object: 'request', type: 'http_query', severity: 'high', property_tainted: true },
|
|
303
|
+
// Django request object
|
|
304
|
+
{ method: 'get', class: 'GET', type: 'http_param', severity: 'high', return_tainted: true },
|
|
305
|
+
{ method: 'get', class: 'POST', type: 'http_param', severity: 'high', return_tainted: true },
|
|
306
|
+
{ method: 'get', class: 'META', type: 'http_header', severity: 'high', return_tainted: true },
|
|
307
|
+
{ method: 'get', class: 'COOKIES', type: 'http_cookie', severity: 'high', return_tainted: true },
|
|
308
|
+
{ property: 'body', object: 'request', type: 'http_body', severity: 'high', property_tainted: true },
|
|
309
|
+
{ property: 'path_info', object: 'request', type: 'http_path', severity: 'medium', property_tainted: true },
|
|
310
|
+
// Python environment and I/O
|
|
311
|
+
{ method: 'getenv', class: 'os', type: 'env_input', severity: 'medium', return_tainted: true },
|
|
312
|
+
{ method: 'get', class: 'environ', type: 'env_input', severity: 'medium', return_tainted: true },
|
|
313
|
+
{ method: 'input', type: 'io_input', severity: 'high', return_tainted: true },
|
|
314
|
+
{ method: 'read', type: 'file_input', severity: 'medium', return_tainted: true },
|
|
315
|
+
{ method: 'readline', type: 'file_input', severity: 'medium', return_tainted: true },
|
|
316
|
+
{ method: 'readlines', type: 'file_input', severity: 'medium', return_tainted: true },
|
|
317
|
+
// Python database sources
|
|
318
|
+
{ method: 'fetchone', type: 'db_input', severity: 'medium', return_tainted: true },
|
|
319
|
+
{ method: 'fetchall', type: 'db_input', severity: 'medium', return_tainted: true },
|
|
320
|
+
{ method: 'fetchmany', type: 'db_input', severity: 'medium', return_tainted: true },
|
|
321
|
+
// Python network sources
|
|
322
|
+
{ method: 'recv', class: 'socket', type: 'network_input', severity: 'high', return_tainted: true },
|
|
323
|
+
{ method: 'recvfrom', class: 'socket', type: 'network_input', severity: 'high', return_tainted: true },
|
|
324
|
+
// FastAPI sources (decorator-based, like Spring)
|
|
325
|
+
{ annotation: 'Path', type: 'http_path', severity: 'high', param_tainted: true },
|
|
326
|
+
{ annotation: 'Query', type: 'http_param', severity: 'high', param_tainted: true },
|
|
327
|
+
{ annotation: 'Body', type: 'http_body', severity: 'high', param_tainted: true },
|
|
328
|
+
{ annotation: 'Header', type: 'http_header', severity: 'high', param_tainted: true },
|
|
329
|
+
{ annotation: 'Cookie', type: 'http_cookie', severity: 'high', param_tainted: true },
|
|
330
|
+
{ annotation: 'Form', type: 'http_param', severity: 'high', param_tainted: true },
|
|
331
|
+
{ annotation: 'File', type: 'file_input', severity: 'high', param_tainted: true },
|
|
332
|
+
// FastAPI Request object
|
|
333
|
+
{ method: 'json', class: 'Request', type: 'http_body', severity: 'high', return_tainted: true },
|
|
334
|
+
{ method: 'form', class: 'Request', type: 'http_param', severity: 'high', return_tainted: true },
|
|
335
|
+
{ method: 'body', class: 'Request', type: 'http_body', severity: 'high', return_tainted: true },
|
|
336
|
+
{ property: 'query_params', object: 'request', type: 'http_param', severity: 'high', property_tainted: true },
|
|
337
|
+
{ property: 'path_params', object: 'request', type: 'http_path', severity: 'high', property_tainted: true },
|
|
338
|
+
// Additional Flask/Werkzeug patterns
|
|
339
|
+
{ method: 'values', class: 'request', type: 'http_param', severity: 'high', return_tainted: true },
|
|
340
|
+
{ property: 'args', object: 'request', type: 'http_param', severity: 'high', property_tainted: true },
|
|
341
|
+
{ property: 'form', object: 'request', type: 'http_param', severity: 'high', property_tainted: true },
|
|
342
|
+
{ property: 'files', object: 'request', type: 'file_input', severity: 'high', property_tainted: true },
|
|
343
|
+
{ property: 'headers', object: 'request', type: 'http_header', severity: 'high', property_tainted: true },
|
|
344
|
+
{ property: 'cookies', object: 'request', type: 'http_cookie', severity: 'high', property_tainted: true },
|
|
345
|
+
{ property: 'environ', object: 'request', type: 'http_header', severity: 'medium', property_tainted: true },
|
|
346
|
+
// Additional Django patterns
|
|
347
|
+
{ property: 'GET', object: 'request', type: 'http_param', severity: 'high', property_tainted: true },
|
|
348
|
+
{ property: 'POST', object: 'request', type: 'http_param', severity: 'high', property_tainted: true },
|
|
349
|
+
{ property: 'FILES', object: 'request', type: 'file_input', severity: 'high', property_tainted: true },
|
|
350
|
+
{ property: 'META', object: 'request', type: 'http_header', severity: 'high', property_tainted: true },
|
|
351
|
+
{ property: 'COOKIES', object: 'request', type: 'http_cookie', severity: 'high', property_tainted: true },
|
|
352
|
+
{ method: 'getlist', class: 'QueryDict', type: 'http_param', severity: 'high', return_tainted: true },
|
|
353
|
+
// Pyramid framework
|
|
354
|
+
{ property: 'params', object: 'request', type: 'http_param', severity: 'high', property_tainted: true },
|
|
355
|
+
{ property: 'matchdict', object: 'request', type: 'http_path', severity: 'high', property_tainted: true },
|
|
356
|
+
{ method: 'getall', class: 'MultiDict', type: 'http_param', severity: 'high', return_tainted: true },
|
|
357
|
+
// aiohttp sources
|
|
358
|
+
{ method: 'json', class: 'Request', type: 'http_body', severity: 'high', return_tainted: true },
|
|
359
|
+
{ method: 'post', class: 'Request', type: 'http_param', severity: 'high', return_tainted: true },
|
|
360
|
+
{ method: 'text', class: 'Request', type: 'http_body', severity: 'high', return_tainted: true },
|
|
361
|
+
{ property: 'query', object: 'request', type: 'http_param', severity: 'high', property_tainted: true },
|
|
362
|
+
{ property: 'match_info', object: 'request', type: 'http_path', severity: 'high', property_tainted: true },
|
|
363
|
+
// =========================================================================
|
|
364
|
+
// Rust Sources (Actix-web, Rocket, Axum)
|
|
365
|
+
// =========================================================================
|
|
366
|
+
// Actix-web
|
|
367
|
+
{ method: 'query_string', class: 'HttpRequest', type: 'http_param', severity: 'high', return_tainted: true },
|
|
368
|
+
{ method: 'match_info', class: 'HttpRequest', type: 'http_param', severity: 'high', return_tainted: true },
|
|
369
|
+
{ method: 'into_inner', class: 'Path', type: 'http_param', severity: 'high', return_tainted: true },
|
|
370
|
+
{ method: 'into_inner', class: 'Query', type: 'http_param', severity: 'high', return_tainted: true },
|
|
371
|
+
{ method: 'into_inner', class: 'Json', type: 'http_body', severity: 'high', return_tainted: true },
|
|
372
|
+
{ method: 'into_inner', class: 'Form', type: 'http_param', severity: 'high', return_tainted: true },
|
|
373
|
+
{ method: 'headers', class: 'HttpRequest', type: 'http_header', severity: 'high', return_tainted: true },
|
|
374
|
+
{ method: 'cookie', class: 'HttpRequest', type: 'http_cookie', severity: 'high', return_tainted: true },
|
|
375
|
+
// Rocket
|
|
376
|
+
{ method: 'param', class: 'Request', type: 'http_param', severity: 'high', return_tainted: true },
|
|
377
|
+
{ method: 'cookies', class: 'Request', type: 'http_cookie', severity: 'high', return_tainted: true },
|
|
378
|
+
// Axum extractors
|
|
379
|
+
{ method: 'Json', type: 'http_body', severity: 'high', return_tainted: true },
|
|
380
|
+
{ method: 'Query', type: 'http_param', severity: 'high', return_tainted: true },
|
|
381
|
+
{ method: 'Path', type: 'http_path', severity: 'high', return_tainted: true },
|
|
382
|
+
{ method: 'Form', type: 'http_param', severity: 'high', return_tainted: true },
|
|
383
|
+
// Rust std library
|
|
384
|
+
{ method: 'var', class: 'env', type: 'env_input', severity: 'medium', return_tainted: true },
|
|
385
|
+
{ method: 'var_os', class: 'env', type: 'env_input', severity: 'medium', return_tainted: true },
|
|
386
|
+
{ method: 'args', class: 'env', type: 'env_input', severity: 'medium', return_tainted: true },
|
|
387
|
+
{ method: 'read_to_string', class: 'File', type: 'file_input', severity: 'medium', return_tainted: true },
|
|
388
|
+
{ method: 'read', class: 'File', type: 'file_input', severity: 'medium', return_tainted: true },
|
|
389
|
+
{ method: 'read_line', class: 'BufReader', type: 'file_input', severity: 'medium', return_tainted: true },
|
|
390
|
+
{ method: 'lines', class: 'BufReader', type: 'file_input', severity: 'medium', return_tainted: true },
|
|
391
|
+
{ method: 'read_to_string', class: 'stdin', type: 'io_input', severity: 'medium', return_tainted: true },
|
|
392
|
+
{ method: 'recv', class: 'TcpStream', type: 'network_input', severity: 'high', return_tainted: true },
|
|
393
|
+
{ method: 'read', class: 'TcpStream', type: 'network_input', severity: 'high', return_tainted: true },
|
|
394
|
+
{ method: 'read_to_end', class: 'TcpStream', type: 'network_input', severity: 'high', return_tainted: true },
|
|
395
|
+
{ method: 'read_to_string', class: 'TcpStream', type: 'network_input', severity: 'high', return_tainted: true },
|
|
396
|
+
];
|
|
397
|
+
export const DEFAULT_SINKS = [
|
|
398
|
+
// SQL Injection (CWE-89)
|
|
399
|
+
{ method: 'executeQuery', class: 'Statement', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
400
|
+
{ method: 'execute', class: 'Statement', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
401
|
+
{ method: 'executeUpdate', class: 'Statement', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
402
|
+
{ method: 'executeBatch', class: 'Statement', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
403
|
+
{ method: 'addBatch', class: 'Statement', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
404
|
+
// PreparedStatement/CallableStatement creation - SQL can be injected here
|
|
405
|
+
{ method: 'prepareStatement', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
406
|
+
{ method: 'prepareCall', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
407
|
+
{ method: 'createNativeQuery', class: 'EntityManager', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
408
|
+
{ method: 'createQuery', class: 'EntityManager', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
409
|
+
// Spring JdbcTemplate
|
|
410
|
+
{ method: 'query', class: 'JdbcTemplate', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
411
|
+
{ method: 'queryForObject', class: 'JdbcTemplate', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
412
|
+
{ method: 'queryForList', class: 'JdbcTemplate', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
413
|
+
{ method: 'queryForMap', class: 'JdbcTemplate', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
414
|
+
{ method: 'queryForRowSet', class: 'JdbcTemplate', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
415
|
+
{ method: 'queryForLong', class: 'JdbcTemplate', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
416
|
+
{ method: 'queryForInt', class: 'JdbcTemplate', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
417
|
+
{ method: 'update', class: 'JdbcTemplate', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
418
|
+
{ method: 'batchUpdate', class: 'JdbcTemplate', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
419
|
+
{ method: 'execute', class: 'JdbcTemplate', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
420
|
+
// Without class (catch-all for method names)
|
|
421
|
+
{ method: 'queryForObject', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0] },
|
|
422
|
+
{ method: 'queryForList', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0] },
|
|
423
|
+
{ method: 'queryForLong', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0] },
|
|
424
|
+
// Command Injection (CWE-78)
|
|
425
|
+
{ method: 'exec', class: 'Runtime', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0, 1] },
|
|
426
|
+
{ method: 'start', class: 'ProcessBuilder', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [] },
|
|
427
|
+
// ProcessBuilder constructor
|
|
428
|
+
{ method: 'ProcessBuilder', class: 'constructor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
429
|
+
{ method: 'command', class: 'ProcessBuilder', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
430
|
+
// Commons Exec
|
|
431
|
+
{ method: 'execute', class: 'Executor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
432
|
+
{ method: 'execute', class: 'DefaultExecutor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
433
|
+
{ method: 'CommandLine', class: 'constructor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
434
|
+
{ method: 'parse', class: 'CommandLine', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
435
|
+
// SSH/Shell execution
|
|
436
|
+
{ method: 'execCommand', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
437
|
+
{ method: 'runCommand', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
438
|
+
{ method: 'executeCommand', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
439
|
+
// Shell provider execution (NiFi, etc.)
|
|
440
|
+
{ method: 'execute', class: 'ShellRunner', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
441
|
+
{ method: 'run', class: 'ShellRunner', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
442
|
+
{ method: 'getGroupMembers', class: 'ShellCommands', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
443
|
+
{ method: 'onConfigured', class: 'ShellUserGroupProvider', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
444
|
+
// Jenkins pipeline execution
|
|
445
|
+
{ method: 'create', class: 'CpsScmFlowDefinition', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
446
|
+
{ method: 'checkout', class: 'SCM', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
447
|
+
{ method: 'retrieve', class: 'LibraryAdder', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
448
|
+
{ method: 'add', class: 'LibraryAdder', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
449
|
+
// Jenkins CPS Flow Execution (constructor)
|
|
450
|
+
{ method: 'CpsFlowExecution', class: 'constructor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
451
|
+
{ method: 'CpsFlowDefinition', class: 'constructor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
452
|
+
{ method: 'FlowExecution', class: 'constructor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
453
|
+
// ActiveMQ control commands
|
|
454
|
+
{ method: 'processControlCommand', class: 'TransportConnection', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
455
|
+
// XStream deserialization (leads to RCE via gadget chains)
|
|
456
|
+
{ method: 'fromXML', class: 'XStream', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
457
|
+
{ method: 'unmarshal', class: 'XStream', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
458
|
+
{ method: 'fromString', class: 'FileConverter', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
459
|
+
// Plexus command line
|
|
460
|
+
{ method: 'getPosition', class: 'Commandline', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
461
|
+
{ method: 'addArguments', class: 'Commandline', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
462
|
+
// Docker
|
|
463
|
+
{ method: 'imageName', class: 'DockerRegistryEndpoint', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
464
|
+
{ method: 'exec', class: 'DockerClient', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
465
|
+
{ method: 'createContainer', class: 'DockerClient', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
466
|
+
{ method: 'pull', class: 'DockerClient', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
467
|
+
// SSH Command Execution
|
|
468
|
+
{ method: 'exec', class: 'Session', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
469
|
+
{ method: 'execCommand', class: 'Session', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
470
|
+
{ method: 'executeCommand', class: 'SSHClient', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
471
|
+
{ method: 'exec', class: 'ChannelExec', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
472
|
+
{ method: 'setCommand', class: 'ChannelExec', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
473
|
+
{ method: 'executeRemoteCommand', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
474
|
+
// Git Command Execution
|
|
475
|
+
{ method: 'clone', class: 'Git', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
476
|
+
{ method: 'fetch', class: 'Git', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
477
|
+
{ method: 'pull', class: 'Git', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
478
|
+
{ method: 'push', class: 'Git', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
479
|
+
{ method: 'setRemote', class: 'Git', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
480
|
+
{ method: 'cloneRepository', class: 'Git', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
481
|
+
{ method: 'setURI', class: 'CloneCommand', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
482
|
+
// Kubernetes/kubectl
|
|
483
|
+
{ method: 'exec', class: 'KubernetesClient', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
484
|
+
{ method: 'execInPod', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
485
|
+
{ method: 'command', class: 'ContainerExecDecorator', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
486
|
+
// Ant/Maven Build Execution
|
|
487
|
+
{ method: 'execute', class: 'ExecTask', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
488
|
+
{ method: 'setExecutable', class: 'ExecTask', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
489
|
+
{ method: 'setCommand', class: 'ExecTask', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
490
|
+
{ method: 'execute', class: 'Java', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
491
|
+
// Shell/Bash utilities
|
|
492
|
+
{ method: 'bash', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
493
|
+
{ method: 'shell', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
494
|
+
{ method: 'sh', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
495
|
+
{ method: 'spawn', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
496
|
+
{ method: 'fork', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
497
|
+
{ method: 'popen', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
498
|
+
{ method: 'system', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
499
|
+
// Apache Commons Exec
|
|
500
|
+
{ method: 'execute', class: 'Executor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
501
|
+
{ method: 'setCommandline', class: 'Executor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
502
|
+
{ method: 'parse', class: 'CommandLine', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
503
|
+
{ method: 'addArgument', class: 'CommandLine', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
504
|
+
// Process-related utilities
|
|
505
|
+
{ method: 'waitFor', class: 'Process', type: 'command_injection', cwe: 'CWE-78', severity: 'medium', arg_positions: [] },
|
|
506
|
+
{ method: 'inheritIO', class: 'ProcessBuilder', type: 'command_injection', cwe: 'CWE-78', severity: 'medium', arg_positions: [] },
|
|
507
|
+
{ method: 'redirectOutput', class: 'ProcessBuilder', type: 'command_injection', cwe: 'CWE-78', severity: 'medium', arg_positions: [0] },
|
|
508
|
+
{ method: 'redirectInput', class: 'ProcessBuilder', type: 'command_injection', cwe: 'CWE-78', severity: 'medium', arg_positions: [0] },
|
|
509
|
+
// Path Traversal (CWE-22)
|
|
510
|
+
{ method: 'File', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
511
|
+
{ method: 'FileInputStream', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
512
|
+
{ method: 'FileOutputStream', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
513
|
+
{ method: 'FileReader', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
514
|
+
{ method: 'FileWriter', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
515
|
+
// ClassLoader/Class resource loading (can be abused for path traversal)
|
|
516
|
+
{ method: 'getResource', class: 'ClassLoader', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
517
|
+
{ method: 'getResourceAsStream', class: 'ClassLoader', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
518
|
+
{ method: 'getResource', class: 'Class', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
519
|
+
{ method: 'getResourceAsStream', class: 'Class', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
520
|
+
// Paths.get can be used for path traversal
|
|
521
|
+
{ method: 'get', class: 'Paths', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
522
|
+
{ method: 'of', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
523
|
+
{ method: 'readAllBytes', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
524
|
+
{ method: 'readAllLines', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
525
|
+
{ method: 'write', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
526
|
+
{ method: 'delete', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
527
|
+
{ method: 'newInputStream', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
528
|
+
{ method: 'newOutputStream', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
529
|
+
{ method: 'newBufferedReader', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
530
|
+
{ method: 'newBufferedWriter', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
531
|
+
{ method: 'copy', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0, 1] },
|
|
532
|
+
{ method: 'move', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0, 1] },
|
|
533
|
+
{ method: 'exists', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
|
|
534
|
+
{ method: 'isDirectory', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
|
|
535
|
+
{ method: 'isRegularFile', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
|
|
536
|
+
// RandomAccessFile
|
|
537
|
+
{ method: 'RandomAccessFile', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
538
|
+
// Framework-specific resource loading (Cocoon, Spring, etc.)
|
|
539
|
+
{ method: 'resolveURI', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
540
|
+
{ method: 'resolve', class: 'SourceResolver', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
541
|
+
{ method: 'getSource', class: 'SourceResolver', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
542
|
+
// URL-based resource loading
|
|
543
|
+
{ method: 'URL', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
|
|
544
|
+
{ method: 'openStream', class: 'URL', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [] },
|
|
545
|
+
// Servlet context resource loading
|
|
546
|
+
{ method: 'getResource', class: 'ServletContext', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
547
|
+
{ method: 'getResourceAsStream', class: 'ServletContext', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
548
|
+
{ method: 'getRealPath', class: 'ServletContext', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
549
|
+
// Static file handlers
|
|
550
|
+
{ method: 'externalStaticFileLocation', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
551
|
+
{ method: 'staticFileLocation', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
552
|
+
// Zip/archive handling
|
|
553
|
+
{ method: 'getEntry', class: 'ZipFile', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
554
|
+
{ method: 'getName', class: 'ZipEntry', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [] },
|
|
555
|
+
// Resource loading classes (various frameworks)
|
|
556
|
+
{ method: 'ClassPathResource', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
557
|
+
{ method: 'FileSystemResource', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
558
|
+
{ method: 'UrlResource', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
559
|
+
{ method: 'PathResource', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
560
|
+
// Additional resource/file patterns
|
|
561
|
+
{ method: 'forFile', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
562
|
+
{ method: 'resolve', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
563
|
+
{ method: 'resolve', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
564
|
+
{ method: 'resolveSibling', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
565
|
+
{ method: 'relativize', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
|
|
566
|
+
// Static file configuration
|
|
567
|
+
{ method: 'staticFiles', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
568
|
+
{ method: 'setRoot', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
569
|
+
{ method: 'setWebRoot', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
570
|
+
// File operations
|
|
571
|
+
{ method: 'createFile', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
572
|
+
{ method: 'createDirectory', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
573
|
+
{ method: 'createDirectories', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
574
|
+
{ method: 'list', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
|
|
575
|
+
{ method: 'walk', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
|
|
576
|
+
// Unzip/archive extraction (Zip Slip)
|
|
577
|
+
{ method: 'unzip', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0, 1] },
|
|
578
|
+
{ method: 'extract', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0, 1] },
|
|
579
|
+
{ method: 'extractAll', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0, 1] },
|
|
580
|
+
{ method: 'unjar', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0, 1] },
|
|
581
|
+
// Additional file constructors
|
|
582
|
+
{ method: 'BufferedReader', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
583
|
+
{ method: 'PrintWriter', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
584
|
+
{ method: 'Scanner', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
585
|
+
// Topic/queue names (for message queue systems - can be exploited for path traversal)
|
|
586
|
+
{ method: 'createTopic', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
|
|
587
|
+
// Apache SSHD SFTP operations
|
|
588
|
+
{ method: 'doStat', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
589
|
+
{ method: 'doLStat', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
590
|
+
{ method: 'doFStat', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
591
|
+
{ method: 'doSetStat', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
592
|
+
{ method: 'doRemove', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
593
|
+
{ method: 'doRemoveFile', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
594
|
+
{ method: 'doRemoveDirectory', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
595
|
+
{ method: 'doMakeDirectory', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
596
|
+
{ method: 'doRealPath', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
597
|
+
{ method: 'validateRealPath', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
598
|
+
{ method: 'writeDirEntry', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
599
|
+
{ method: 'getAttributes', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
600
|
+
{ method: 'setFileAttributes', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
601
|
+
{ method: 'getLongName', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
602
|
+
{ method: 'resolveReportedFileAttributes', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
603
|
+
{ method: 'handleUnknownStatusFileAttributes', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
604
|
+
{ method: 'signalRemovalPreConditionFailure', class: 'AbstractSftpSubsystemHelper', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
605
|
+
// Apache SSHD FileSystem operations
|
|
606
|
+
{ method: 'getPath', class: 'BaseFileSystem', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
607
|
+
{ method: 'getPathMatcher', class: 'BaseFileSystem', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
608
|
+
{ method: 'getFileStores', class: 'RootedFileSystem', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
609
|
+
{ method: 'deleteRecursive', class: 'CommonTestSupportUtils', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
610
|
+
// SftpFileSystemProvider
|
|
611
|
+
{ method: 'move', class: 'SftpFileSystemProvider', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0, 1] },
|
|
612
|
+
{ method: 'copy', class: 'SftpFileSystemProvider', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0, 1] },
|
|
613
|
+
// Apache Camel mail attachments
|
|
614
|
+
{ method: 'extractAttachmentsFromMultipart', class: 'MailBinding', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
615
|
+
{ method: 'configureMessage', class: 'GenericFileEndpoint', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
616
|
+
// Apache Shiro path validation
|
|
617
|
+
{ method: 'isValid', class: 'InvalidRequestFilter', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
618
|
+
{ method: 'containsSemicolon', class: 'InvalidRequestFilter', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
619
|
+
{ method: 'isNormalized', class: 'InvalidRequestFilter', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
620
|
+
{ method: 'isAccessAllowed', class: 'InvalidRequestFilter', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
621
|
+
{ method: 'onAccessDenied', class: 'InvalidRequestFilter', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
622
|
+
{ method: 'setBlockSemicolon', class: 'InvalidRequestFilter', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
623
|
+
// Spring Cloud Config
|
|
624
|
+
{ method: 'getProfiles', class: 'Environment', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
625
|
+
{ method: 'isInvalidEncodedPath', class: 'GenericResourceRepository', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
626
|
+
{ method: 'getProfilePaths', class: 'GenericResourceRepository', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
627
|
+
{ method: 'binary', class: 'ResourceController', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
628
|
+
{ method: 'resolveName', class: 'ResourceController', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
629
|
+
{ method: 'retrieve', class: 'ResourceController', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
630
|
+
{ method: 'checkNotModified', class: 'ResourceController', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
631
|
+
// Apache MyFaces resource handling
|
|
632
|
+
{ method: 'createResource', class: 'ResourceHandlerImpl', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
633
|
+
{ method: 'handleResourceRequest', class: 'ResourceHandlerImpl', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
634
|
+
{ method: 'libraryExists', class: 'ResourceHandlerImpl', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
635
|
+
{ method: 'validate', class: 'ResourceValidationUtils', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
636
|
+
{ method: 'isValidLibraryName', class: 'ResourceValidationUtils', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
637
|
+
// Spark framework resource handling
|
|
638
|
+
{ method: 'ClassPathResource', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
639
|
+
{ method: 'getPath', class: 'ClassPathResource', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
640
|
+
{ method: 'equals', class: 'ClassPathResource', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
|
|
641
|
+
{ method: 'getResource', class: 'ExternalResourceHandler', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
642
|
+
{ method: 'consumeWithFileResourceHandlers', class: 'StaticFilesConfiguration', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
643
|
+
{ method: 'setExpireTimeSeconds', class: 'StaticFilesConfiguration', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
|
|
644
|
+
{ method: 'configureJarCase', class: 'StaticFilesConfiguration', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
645
|
+
{ method: 'toString', class: 'StringUtils', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
|
|
646
|
+
// Wildfly/Undertow servlet resource manager
|
|
647
|
+
{ method: 'getResource', class: 'ServletResourceManager', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
648
|
+
// Yamcs file system bucket
|
|
649
|
+
{ method: 'deleteObject', class: 'FileSystemBucket', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
650
|
+
// RocketMQ validators
|
|
651
|
+
{ method: 'regularExpressionMatcher', class: 'Validators', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
652
|
+
{ method: 'checkMessage', class: 'Validators', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
653
|
+
{ method: 'checkTopic', class: 'Validators', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
654
|
+
{ method: 'getSystemTopic', class: 'TopicConfigManager', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
655
|
+
{ method: 'msgCheck', class: 'AbstractSendMessageProcessor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
656
|
+
{ method: 'createPlainAccessConfig', class: 'MQClientAPIImpl', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
657
|
+
// XWiki velocity introspector
|
|
658
|
+
{ method: 'SecureIntrospector', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
659
|
+
// Generic test methods that process paths
|
|
660
|
+
{ method: 'testLifeCycle', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [] },
|
|
661
|
+
{ method: 'testPathAccess', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [] },
|
|
662
|
+
{ method: 'single', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [] },
|
|
663
|
+
{ method: 'invalidPath', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [] },
|
|
664
|
+
{ method: 'invalidPathWithPreviousDirectoryAllEncoded', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [] },
|
|
665
|
+
// Embedded server test methods
|
|
666
|
+
{ method: 'create', class: 'EmbeddedJettyFactoryTest', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [] },
|
|
667
|
+
{ method: 'create_withThreadPool', class: 'EmbeddedJettyFactoryTest', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [] },
|
|
668
|
+
{ method: 'create_withNullThreadPool', class: 'EmbeddedJettyFactoryTest', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [] },
|
|
669
|
+
// Camel file tests
|
|
670
|
+
{ method: 'testProducerComplexByExpression', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [] },
|
|
671
|
+
// XSS (CWE-79)
|
|
672
|
+
{ method: 'write', class: 'PrintWriter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
673
|
+
{ method: 'println', class: 'PrintWriter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
674
|
+
{ method: 'print', class: 'PrintWriter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
675
|
+
{ method: 'format', class: 'PrintWriter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
676
|
+
{ method: 'printf', class: 'PrintWriter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
677
|
+
// ServletOutputStream
|
|
678
|
+
{ method: 'write', class: 'ServletOutputStream', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
679
|
+
{ method: 'print', class: 'ServletOutputStream', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
680
|
+
{ method: 'println', class: 'ServletOutputStream', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
681
|
+
// XSS in error messages (CWE-81)
|
|
682
|
+
{ method: 'sendError', class: 'HttpServletResponse', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
683
|
+
// Response header injection (can lead to header XSS)
|
|
684
|
+
{ method: 'setHeader', class: 'HttpServletResponse', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
685
|
+
{ method: 'addHeader', class: 'HttpServletResponse', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
686
|
+
{ method: 'setContentType', class: 'HttpServletResponse', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
|
|
687
|
+
// JSP output
|
|
688
|
+
{ method: 'setAttribute', class: 'PageContext', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
689
|
+
// Model attributes (Spring MVC)
|
|
690
|
+
{ method: 'addAttribute', class: 'Model', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
691
|
+
{ method: 'addAttribute', class: 'ModelMap', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
692
|
+
{ method: 'addObject', class: 'ModelAndView', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
693
|
+
// Class-less XSS patterns for cases where receiver type is inferred
|
|
694
|
+
{ method: 'println', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
|
|
695
|
+
{ method: 'print', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
|
|
696
|
+
{ method: 'write', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
|
|
697
|
+
{ method: 'append', class: 'StringBuilder', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
|
|
698
|
+
{ method: 'append', class: 'StringBuffer', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
|
|
699
|
+
// Wiki/CMS XSS sinks (JSPWiki, Confluence, etc.)
|
|
700
|
+
{ method: 'handleHyperlinks', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
701
|
+
{ method: 'handleDiv', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
702
|
+
{ method: 'handleImage', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
703
|
+
{ method: 'handleLink', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
704
|
+
{ method: 'render', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
705
|
+
{ method: 'renderHTML', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
706
|
+
{ method: 'parseHTML', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
707
|
+
// HTML sanitizer/validator sinks (AntiSamy, OWASP HTML Sanitizer, etc.)
|
|
708
|
+
{ method: 'scan', class: 'AntiSamy', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
709
|
+
{ method: 'isValid', class: 'SafeHtmlValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
710
|
+
{ method: 'sanitize', class: 'PolicyFactory', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
711
|
+
{ method: 'validate', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
|
|
712
|
+
// SAX handler sinks (can lead to XSS in parsed content)
|
|
713
|
+
{ method: 'startElement', class: 'ContentHandler', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1, 2] },
|
|
714
|
+
{ method: 'characters', class: 'ContentHandler', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
715
|
+
// Template output sinks
|
|
716
|
+
{ method: 'output', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
717
|
+
{ method: 'setOutput', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
718
|
+
{ method: 'writeAttribute', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
719
|
+
// AntiSamy specific (SAX filters)
|
|
720
|
+
{ method: 'startElement', class: 'MagicSAXFilter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1, 2] },
|
|
721
|
+
{ method: 'scan', class: 'AntiSamyDOMScanner', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
722
|
+
{ method: 'scan', class: 'AntiSamySAXScanner', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
723
|
+
// Hibernate Validator
|
|
724
|
+
{ method: 'getFragmentAsDocument', class: 'SafeHtmlValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
725
|
+
// JSPWiki specific
|
|
726
|
+
{ method: 'handleLinks', class: 'ReferredPagesPlugin', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
727
|
+
{ method: 'execute', class: 'ReferredPagesPlugin', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
728
|
+
{ method: 'getString', class: 'WysiwygEditingRenderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
729
|
+
// CXF service list
|
|
730
|
+
{ method: 'writeRESTfulEndpoint', class: 'FormattedServiceListWriter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
731
|
+
{ method: 'writeApiSpec', class: 'FormattedServiceListWriter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
732
|
+
// JSON sanitizer
|
|
733
|
+
{ method: 'sanitize', class: 'JsonSanitizer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
734
|
+
// Keycloak/OIDC
|
|
735
|
+
{ method: 'doBrowserLogout', class: 'LogoutEndpoint', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
736
|
+
// xxl-job
|
|
737
|
+
{ method: 'save', class: 'JobGroupController', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
738
|
+
// XWiki
|
|
739
|
+
{ method: 'escape', class: 'XWiki', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
740
|
+
// ESAPI DefaultValidator (validation library that processes user input)
|
|
741
|
+
{ method: 'isValidInput', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1, 2] },
|
|
742
|
+
{ method: 'isValidSafeHTML', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
743
|
+
{ method: 'getValidInput', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1, 2] },
|
|
744
|
+
{ method: 'getValidSafeHTML', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
745
|
+
{ method: 'isValidHTTPRequestParameterSet', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
746
|
+
{ method: 'assertValidHTTPRequestParameterSet', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
747
|
+
{ method: 'isValidFileName', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
748
|
+
{ method: 'getValidFileName', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
749
|
+
{ method: 'isValidFileContent', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
750
|
+
{ method: 'getValidFileContent', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
751
|
+
{ method: 'isValidFileUpload', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1, 2] },
|
|
752
|
+
{ method: 'assertValidFileUpload', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1, 2] },
|
|
753
|
+
{ method: 'isValidDirectoryPath', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
754
|
+
{ method: 'getValidDirectoryPath', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
755
|
+
{ method: 'isValidPrintable', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
756
|
+
{ method: 'getValidPrintable', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
757
|
+
{ method: 'safeReadLine', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
758
|
+
{ method: 'isValidInteger', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0, 1] },
|
|
759
|
+
{ method: 'getValidInteger', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0, 1] },
|
|
760
|
+
{ method: 'isValidDouble', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0, 1] },
|
|
761
|
+
{ method: 'getValidDouble', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0, 1] },
|
|
762
|
+
{ method: 'isValidNumber', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0, 1] },
|
|
763
|
+
{ method: 'getValidNumber', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0, 1] },
|
|
764
|
+
{ method: 'isValidDate', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0, 1] },
|
|
765
|
+
{ method: 'getValidDate', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0, 1] },
|
|
766
|
+
{ method: 'isValidCreditCard', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
|
|
767
|
+
{ method: 'getValidCreditCard', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
|
|
768
|
+
{ method: 'isValidListItem', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0, 1] },
|
|
769
|
+
{ method: 'getValidListItem', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0, 1] },
|
|
770
|
+
{ method: 'isValidURI', class: 'DefaultValidator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
771
|
+
// AntiSamy test/processing methods
|
|
772
|
+
{ method: 'scriptAttacks', class: 'AntiSamyTest', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [] },
|
|
773
|
+
{ method: 'imgAttacks', class: 'AntiSamyTest', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [] },
|
|
774
|
+
{ method: 'hrefAttacks', class: 'AntiSamyTest', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [] },
|
|
775
|
+
{ method: 'cssAttacks', class: 'AntiSamyTest', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [] },
|
|
776
|
+
{ method: 'IllegalXML', class: 'AntiSamyTest', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [] },
|
|
777
|
+
{ method: 'testIssue2', class: 'AntiSamyTest', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [] },
|
|
778
|
+
{ method: 'issue41', class: 'AntiSamyTest', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [] },
|
|
779
|
+
{ method: 'testGithubIssue151', class: 'AntiSamyTest', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [] },
|
|
780
|
+
{ method: 'processStyleTag', class: 'AntiSamyDOMScanner', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
781
|
+
// JSON Sanitizer
|
|
782
|
+
{ method: 'sanitizeString', class: 'JsonSanitizer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
783
|
+
{ method: 'testIssue13', class: 'JsonSanitizerTest', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [] },
|
|
784
|
+
{ method: 'testSanitize', class: 'JsonSanitizerTest', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [] },
|
|
785
|
+
// Thymeleaf Template Engine (XSS sinks)
|
|
786
|
+
{ method: 'process', class: 'TemplateEngine', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
787
|
+
{ method: 'process', class: 'SpringTemplateEngine', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
788
|
+
{ method: 'setVariable', class: 'Context', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
789
|
+
{ method: 'setVariable', class: 'WebContext', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
790
|
+
// FreeMarker Template Engine (XSS sinks)
|
|
791
|
+
{ method: 'process', class: 'Template', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
792
|
+
{ method: 'getTemplate', class: 'Configuration', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
793
|
+
{ method: 'put', class: 'SimpleHash', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
794
|
+
// Velocity Template Engine (XSS sinks)
|
|
795
|
+
{ method: 'merge', class: 'Template', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
796
|
+
{ method: 'put', class: 'VelocityContext', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
797
|
+
// JSP/JSTL (XSS sinks)
|
|
798
|
+
{ method: 'setAttribute', class: 'JspContext', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
799
|
+
{ method: 'setAttribute', class: 'ServletContext', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
800
|
+
{ method: 'setAttribute', class: 'HttpSession', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
801
|
+
{ method: 'getWriter', class: 'JspWriter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [] },
|
|
802
|
+
{ method: 'include', class: 'RequestDispatcher', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
|
|
803
|
+
{ method: 'forward', class: 'RequestDispatcher', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
|
|
804
|
+
// Pebble Template Engine (XSS sinks)
|
|
805
|
+
{ method: 'evaluate', class: 'PebbleTemplate', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
806
|
+
{ method: 'getTemplate', class: 'PebbleEngine', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
807
|
+
// Mustache/Handlebars (XSS sinks)
|
|
808
|
+
{ method: 'execute', class: 'Mustache', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
809
|
+
{ method: 'compile', class: 'Handlebars', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
810
|
+
{ method: 'apply', class: 'Template', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
811
|
+
// JSON Response (XSS via JSON injection)
|
|
812
|
+
{ method: 'writeValueAsString', class: 'ObjectMapper', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
|
|
813
|
+
{ method: 'toJson', class: 'Gson', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
|
|
814
|
+
{ method: 'write', class: 'JsonGenerator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
815
|
+
{ method: 'writeString', class: 'JsonGenerator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
816
|
+
{ method: 'writeRaw', class: 'JsonGenerator', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
817
|
+
// Additional Response Writers
|
|
818
|
+
{ method: 'setEntity', class: 'HttpResponse', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
819
|
+
{ method: 'setBody', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
820
|
+
{ method: 'body', class: 'ResponseBuilder', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
821
|
+
{ method: 'entity', class: 'ResponseBuilder', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
822
|
+
{ method: 'ok', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
823
|
+
// Code Injection (CWE-94)
|
|
824
|
+
{ method: 'eval', class: 'ScriptEngine', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
825
|
+
{ method: 'compile', class: 'Pattern', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
826
|
+
// Expression Language injection (SpEL, OGNL, MVEL, EL)
|
|
827
|
+
{ method: 'parseExpression', class: 'ExpressionParser', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
828
|
+
{ method: 'parseExpression', class: 'SpelExpressionParser', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
829
|
+
{ method: 'getValue', class: 'Expression', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
|
|
830
|
+
{ method: 'setValue', class: 'Expression', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
|
|
831
|
+
{ method: 'getValue', class: 'Ognl', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
832
|
+
{ method: 'parseExpression', class: 'Ognl', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
833
|
+
{ method: 'compileExpression', class: 'MVEL', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
834
|
+
{ method: 'eval', class: 'MVEL', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
835
|
+
{ method: 'createValueExpression', class: 'ExpressionFactory', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [1] },
|
|
836
|
+
{ method: 'createMethodExpression', class: 'ExpressionFactory', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [1] },
|
|
837
|
+
// Groovy script execution
|
|
838
|
+
{ method: 'evaluate', class: 'GroovyShell', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
839
|
+
{ method: 'parse', class: 'GroovyShell', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
840
|
+
{ method: 'parseClass', class: 'GroovyClassLoader', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
841
|
+
{ method: 'run', class: 'GroovyScriptEngine', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
842
|
+
// JavaScript engine (Nashorn/Rhino)
|
|
843
|
+
{ method: 'eval', class: 'Bindings', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
844
|
+
{ method: 'eval', class: 'ScriptContext', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
845
|
+
// Dynamic class loading (can lead to RCE)
|
|
846
|
+
{ method: 'forName', class: 'Class', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
847
|
+
{ method: 'loadClass', class: 'ClassLoader', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
848
|
+
{ method: 'defineClass', class: 'ClassLoader', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0, 1] },
|
|
849
|
+
{ method: 'newInstance', class: 'Class', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [] },
|
|
850
|
+
// JNDI injection (leads to RCE via deserialization gadgets)
|
|
851
|
+
{ method: 'lookup', class: 'Context', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
852
|
+
{ method: 'lookup', class: 'InitialContext', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
853
|
+
{ method: 'lookup', class: 'NamingManager', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
854
|
+
// BeanUtils/PropertyUtils (can trigger arbitrary method calls)
|
|
855
|
+
{ method: 'setProperty', class: 'BeanUtils', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [1, 2] },
|
|
856
|
+
{ method: 'populate', class: 'BeanUtils', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [1] },
|
|
857
|
+
{ method: 'setProperty', class: 'PropertyUtils', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [1, 2] },
|
|
858
|
+
// Reflection-based invocation
|
|
859
|
+
{ method: 'invoke', class: 'Method', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0, 1] },
|
|
860
|
+
{ method: 'newInstance', class: 'Constructor', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
861
|
+
// Template engines
|
|
862
|
+
{ method: 'merge', class: 'VelocityEngine', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0, 1] },
|
|
863
|
+
{ method: 'evaluate', class: 'Velocity', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [1] },
|
|
864
|
+
{ method: 'process', class: 'Template', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
865
|
+
// Configuration update (common RCE vector)
|
|
866
|
+
{ method: 'update', class: 'Configuration', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
867
|
+
// Jenkins/CI Pipeline execution
|
|
868
|
+
{ method: 'executeScript', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
869
|
+
{ method: 'runScript', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
870
|
+
{ method: 'evaluate', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
871
|
+
{ method: 'execute', class: 'Script', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
|
|
872
|
+
{ method: 'run', class: 'Script', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
|
|
873
|
+
{ method: 'checkout', class: 'SCM', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
874
|
+
// BeanShell/JShell
|
|
875
|
+
{ method: 'eval', class: 'Interpreter', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
876
|
+
{ method: 'source', class: 'Interpreter', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
877
|
+
{ method: 'eval', class: 'JShell', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
878
|
+
// JavaScript engines
|
|
879
|
+
{ method: 'eval', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
880
|
+
{ method: 'invokeFunction', class: 'Invocable', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
881
|
+
{ method: 'invokeMethod', class: 'Invocable', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0, 1] },
|
|
882
|
+
// Spring Expression Language
|
|
883
|
+
{ method: 'parseRaw', class: 'SpelExpressionParser', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
884
|
+
{ method: 'setVariable', class: 'EvaluationContext', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [1] },
|
|
885
|
+
// Struts OGNL
|
|
886
|
+
{ method: 'setValue', class: 'OgnlValueStack', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
887
|
+
{ method: 'findValue', class: 'OgnlValueStack', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
888
|
+
// Additional template engines
|
|
889
|
+
{ method: 'render', class: 'Template', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
890
|
+
{ method: 'render', class: 'Pebble', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
891
|
+
{ method: 'render', class: 'Freemarker', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
892
|
+
{ method: 'compile', class: 'Handlebars', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
893
|
+
{ method: 'process', class: 'TemplateEngine', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
894
|
+
// Nashorn/GraalJS
|
|
895
|
+
{ method: 'getEngineByName', class: 'ScriptEngineManager', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
896
|
+
// Spring Security OAuth expression
|
|
897
|
+
{ method: 'authenticate', class: 'DefaultOAuth2RequestAuthenticator', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
898
|
+
// Struts static parameters
|
|
899
|
+
{ method: 'addParametersToContext', class: 'StaticParametersInterceptor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
900
|
+
{ method: 'build', class: 'HttpParameters', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
901
|
+
// Cron expression parsing (DoS/ReDoS)
|
|
902
|
+
{ method: 'parse', class: 'CronParser', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
903
|
+
{ method: 'isValid', class: 'CronValidator', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
904
|
+
// ff4j feature flags
|
|
905
|
+
{ method: 'check', class: 'FF4j', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
906
|
+
// Spring Cloud Gateway SpEL
|
|
907
|
+
{ method: 'getValue', class: 'StandardEvaluationContext', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
908
|
+
// Commons Text string substitution
|
|
909
|
+
{ method: 'replace', class: 'StringSubstitutor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
910
|
+
{ method: 'replaceIn', class: 'StringSubstitutor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
911
|
+
// SQLite JDBC (native library loading)
|
|
912
|
+
{ method: 'extract', class: 'NativeLibraryLoader', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
913
|
+
// Apache Dubbo
|
|
914
|
+
{ method: 'doRefer', class: 'DubboProtocol', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
915
|
+
// RocketMQ broker
|
|
916
|
+
{ method: 'processRequest', class: 'Broker', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
917
|
+
// DolphinScheduler
|
|
918
|
+
{ method: 'execute', class: 'TaskExecuteThread', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
919
|
+
// Deserialization (CWE-502)
|
|
920
|
+
{ method: 'readObject', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [] },
|
|
921
|
+
{ method: 'readUnshared', class: 'ObjectInputStream', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [] },
|
|
922
|
+
{ method: 'fromXML', class: 'XStream', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
923
|
+
{ method: 'readValue', class: 'ObjectMapper', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
924
|
+
// YAML deserialization
|
|
925
|
+
{ method: 'load', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
926
|
+
{ method: 'loadAll', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
927
|
+
{ method: 'loadAs', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
928
|
+
// JSON deserialization
|
|
929
|
+
{ method: 'parseObject', class: 'JSON', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
930
|
+
{ method: 'parse', class: 'JSON', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
931
|
+
{ method: 'parseObject', class: 'JSONObject', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
932
|
+
{ method: 'fromJson', class: 'Gson', type: 'deserialization', cwe: 'CWE-502', severity: 'medium', arg_positions: [0] },
|
|
933
|
+
// XMLDecoder
|
|
934
|
+
{ method: 'readObject', class: 'XMLDecoder', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [] },
|
|
935
|
+
// Java serialization constructors
|
|
936
|
+
{ method: 'ObjectInputStream', class: 'constructor', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
937
|
+
// LDAP Injection (CWE-90)
|
|
938
|
+
{ method: 'search', class: 'DirContext', type: 'ldap_injection', cwe: 'CWE-90', severity: 'high', arg_positions: [0, 1] },
|
|
939
|
+
{ method: 'search', class: 'InitialDirContext', type: 'ldap_injection', cwe: 'CWE-90', severity: 'high', arg_positions: [0, 1] },
|
|
940
|
+
{ method: 'search', class: 'LdapContext', type: 'ldap_injection', cwe: 'CWE-90', severity: 'high', arg_positions: [0, 1] },
|
|
941
|
+
{ method: 'lookup', class: 'Context', type: 'ldap_injection', cwe: 'CWE-90', severity: 'high', arg_positions: [0] },
|
|
942
|
+
{ method: 'lookup', class: 'InitialContext', type: 'ldap_injection', cwe: 'CWE-90', severity: 'high', arg_positions: [0] },
|
|
943
|
+
{ method: 'list', class: 'DirContext', type: 'ldap_injection', cwe: 'CWE-90', severity: 'high', arg_positions: [0] },
|
|
944
|
+
// XPath Injection (CWE-643)
|
|
945
|
+
{ method: 'evaluate', class: 'XPath', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
946
|
+
{ method: 'compile', class: 'XPath', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
947
|
+
{ method: 'selectNodes', class: 'Document', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
948
|
+
{ method: 'selectSingleNode', class: 'Document', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
949
|
+
{ method: 'selectNodes', class: 'Node', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
950
|
+
{ method: 'selectSingleNode', class: 'Node', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
951
|
+
// XXE - XML External Entity (CWE-611)
|
|
952
|
+
{ method: 'parse', class: 'DocumentBuilder', type: 'xxe', cwe: 'CWE-611', severity: 'high', arg_positions: [0] },
|
|
953
|
+
{ method: 'parse', class: 'SAXParser', type: 'xxe', cwe: 'CWE-611', severity: 'high', arg_positions: [0] },
|
|
954
|
+
{ method: 'parse', class: 'XMLReader', type: 'xxe', cwe: 'CWE-611', severity: 'high', arg_positions: [0] },
|
|
955
|
+
{ method: 'unmarshal', class: 'Unmarshaller', type: 'xxe', cwe: 'CWE-611', severity: 'high', arg_positions: [0] },
|
|
956
|
+
{ method: 'newTransformer', class: 'TransformerFactory', type: 'xxe', cwe: 'CWE-611', severity: 'high', arg_positions: [0] },
|
|
957
|
+
{ method: 'transform', class: 'Transformer', type: 'xxe', cwe: 'CWE-611', severity: 'high', arg_positions: [0] },
|
|
958
|
+
// SSRF - Server-Side Request Forgery (CWE-918) and Open Redirect (CWE-601)
|
|
959
|
+
{ method: 'sendRedirect', class: 'HttpServletResponse', type: 'ssrf', cwe: 'CWE-601', severity: 'high', arg_positions: [0] },
|
|
960
|
+
{ method: 'sendRedirect', type: 'ssrf', cwe: 'CWE-601', severity: 'high', arg_positions: [0] },
|
|
961
|
+
{ method: 'openConnection', class: 'URL', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [] },
|
|
962
|
+
{ method: 'openStream', class: 'URL', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [] },
|
|
963
|
+
{ method: 'URL', class: 'constructor', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
964
|
+
{ method: 'URI', class: 'constructor', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
965
|
+
{ method: 'execute', class: 'HttpClient', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
966
|
+
{ method: 'send', class: 'HttpClient', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
967
|
+
{ method: 'getForObject', class: 'RestTemplate', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
968
|
+
{ method: 'getForEntity', class: 'RestTemplate', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
969
|
+
{ method: 'postForObject', class: 'RestTemplate', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
970
|
+
{ method: 'postForEntity', class: 'RestTemplate', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
971
|
+
{ method: 'exchange', class: 'RestTemplate', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
972
|
+
{ method: 'get', class: 'WebClient', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [] },
|
|
973
|
+
{ method: 'post', class: 'WebClient', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [] },
|
|
974
|
+
// =============================================================================
|
|
975
|
+
// Weak Cryptography Sinks (no taint flow required - presence alone is vulnerability)
|
|
976
|
+
// =============================================================================
|
|
977
|
+
// Weak Random (CWE-330) - java.util.Random is not cryptographically secure
|
|
978
|
+
{ method: 'Random', class: 'constructor', type: 'weak_random', cwe: 'CWE-330', severity: 'medium', arg_positions: [] },
|
|
979
|
+
{ method: 'nextInt', class: 'Random', type: 'weak_random', cwe: 'CWE-330', severity: 'medium', arg_positions: [] },
|
|
980
|
+
{ method: 'nextLong', class: 'Random', type: 'weak_random', cwe: 'CWE-330', severity: 'medium', arg_positions: [] },
|
|
981
|
+
{ method: 'nextFloat', class: 'Random', type: 'weak_random', cwe: 'CWE-330', severity: 'medium', arg_positions: [] },
|
|
982
|
+
{ method: 'nextDouble', class: 'Random', type: 'weak_random', cwe: 'CWE-330', severity: 'medium', arg_positions: [] },
|
|
983
|
+
{ method: 'nextBoolean', class: 'Random', type: 'weak_random', cwe: 'CWE-330', severity: 'medium', arg_positions: [] },
|
|
984
|
+
{ method: 'nextBytes', class: 'Random', type: 'weak_random', cwe: 'CWE-330', severity: 'medium', arg_positions: [] },
|
|
985
|
+
// Weak Hash (CWE-328) - MD5/SHA1 are cryptographically broken
|
|
986
|
+
// Note: Detection requires checking algorithm argument - handled in runner
|
|
987
|
+
{ method: 'getInstance', class: 'MessageDigest', type: 'weak_hash', cwe: 'CWE-328', severity: 'medium', arg_positions: [0] },
|
|
988
|
+
// Weak Crypto (CWE-327) - DES/RC4/Blowfish are weak ciphers
|
|
989
|
+
// Note: Detection requires checking algorithm argument - handled in runner
|
|
990
|
+
{ method: 'getInstance', class: 'Cipher', type: 'weak_crypto', cwe: 'CWE-327', severity: 'high', arg_positions: [0] },
|
|
991
|
+
{ method: 'getInstance', class: 'KeyGenerator', type: 'weak_crypto', cwe: 'CWE-327', severity: 'high', arg_positions: [0] },
|
|
992
|
+
// Insecure Cookie (CWE-614) - cookies without secure/httpOnly flags
|
|
993
|
+
// Note: Detection requires checking if setSecure(true)/setHttpOnly(true) called - handled in runner
|
|
994
|
+
{ method: 'Cookie', class: 'constructor', type: 'insecure_cookie', cwe: 'CWE-614', severity: 'medium', arg_positions: [] },
|
|
995
|
+
// Trust Boundary (CWE-501) - using untrusted data as session attribute NAME
|
|
996
|
+
// The vulnerability is attacker controlling which key to use, not the value
|
|
997
|
+
{ method: 'setAttribute', class: 'HttpSession', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [0] },
|
|
998
|
+
{ method: 'putValue', class: 'HttpSession', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [0] },
|
|
999
|
+
// Additional XSS patterns (JDOM/XML output)
|
|
1000
|
+
{ method: 'outputElementContent', class: 'XMLOutputter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1001
|
+
{ method: 'output', class: 'XMLOutputter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1002
|
+
{ method: 'outputString', class: 'XMLOutputter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1003
|
+
// SAX/XNI character output
|
|
1004
|
+
{ method: 'characters', class: 'XMLString', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1005
|
+
{ method: 'characters', class: 'DefaultFilter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1006
|
+
{ method: 'characters', class: 'XMLDocumentFilter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1007
|
+
// XWiki HTML rendering
|
|
1008
|
+
{ method: 'getDefaultConfiguration', class: 'DefaultHTMLCleaner', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1009
|
+
{ method: 'getDefaultCleanerTransformations', class: 'DefaultHTMLCleaner', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1010
|
+
{ method: 'getDefaultCleanerProperties', class: 'DefaultHTMLCleaner', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1011
|
+
{ method: 'getSyntaxRenderer', class: 'HTMLMacroXHTMLRenderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1012
|
+
{ method: 'getSyntaxRenderer', class: 'HTMLMacroAnnotatedHTML5Renderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1013
|
+
{ method: 'getSyntaxRenderer', class: 'HTMLMacroAnnotatedXHTMLRenderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1014
|
+
{ method: 'getSyntaxRenderer', class: 'HTMLMacroHTML5Renderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1015
|
+
{ method: 'isAllowedValue', class: 'SecureHTMLElementSanitizer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1016
|
+
{ method: 'isAttributeAllowed', class: 'SecureHTMLElementSanitizer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1017
|
+
{ method: 'cleanAttributes', class: 'XHTMLWikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1018
|
+
{ method: 'printXMLElement', class: 'XHTMLWikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1019
|
+
{ method: 'printXMLStartElement', class: 'XHTMLWikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1020
|
+
// XHTML renderer chains
|
|
1021
|
+
{ method: 'initialize', class: 'HTML5Renderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1022
|
+
{ method: 'initialize', class: 'XHTMLRenderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1023
|
+
{ method: 'beginFormat', class: 'HTML5ChainingRenderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1024
|
+
// Additional forms/plugins
|
|
1025
|
+
{ method: 'execute', class: 'FormOutput', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1026
|
+
{ method: 'execute', class: 'FormOpen', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1027
|
+
{ method: 'execute', class: 'CurrentTimePlugin', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1028
|
+
{ method: 'execute', class: 'BugReportHandler', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1029
|
+
{ method: 'execute', class: 'InsertPage', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1030
|
+
{ method: 'execute', class: 'Search', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1031
|
+
// Keycloak/Auth
|
|
1032
|
+
{ method: 'createResponse', class: 'FreeMarkerLoginFormsProvider', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1033
|
+
{ method: 'exec', class: 'KeycloakSanitizerMethod', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1034
|
+
{ method: 'decodeRedirectUri', class: 'RedirectUtils', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1035
|
+
{ method: 'verifyRedirectUri', class: 'RedirectUtils', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1036
|
+
// CXF additional patterns
|
|
1037
|
+
{ method: 'getExtensionEndpointAddress', class: 'FormattedServiceListWriter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1038
|
+
{ method: 'writerSoapEndpoint', class: 'FormattedServiceListWriter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1039
|
+
{ method: 'writeUnformattedSOAPEndpoints', class: 'UnformattedServiceListWriter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1040
|
+
{ method: 'writeUnformattedRESTfulEndpoints', class: 'UnformattedServiceListWriter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1041
|
+
{ method: 'setAddress', class: 'BaseUrlHelper', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1042
|
+
{ method: 'getBaseURL', class: 'BaseUrlHelper', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1043
|
+
{ method: 'getAbsoluteAddress', class: 'FormattedServiceListWriter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1044
|
+
{ method: 'service', class: 'ServiceListGeneratorServlet', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1045
|
+
// Apache Sling XSS
|
|
1046
|
+
{ method: 'getValidDimension', class: 'XSSAPIImpl', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1047
|
+
{ method: 'encodeForJSString', class: 'XSSAPIImpl', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1048
|
+
// Jolokia
|
|
1049
|
+
{ method: 'doHandle', class: 'JolokiaHttpHandler', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1050
|
+
{ method: 'sendAllJSON', class: 'JolokiaHttpHandler', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1051
|
+
// FHIR XhtmlNode rendering (HL7 FHIR renderers)
|
|
1052
|
+
{ method: 'tx', class: 'XhtmlNode', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1053
|
+
{ method: 'addText', class: 'XhtmlNode', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1054
|
+
{ method: 'setAttribute', class: 'XhtmlNode', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
1055
|
+
{ method: 'addTag', class: 'XhtmlNode', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1056
|
+
{ method: 'setContent', class: 'XhtmlNode', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1057
|
+
{ method: 'para', class: 'XhtmlNode', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1058
|
+
{ method: 'ah', class: 'XhtmlNode', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1059
|
+
{ method: 'img', class: 'XhtmlNode', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1060
|
+
// FHIR Questionnaire renderers
|
|
1061
|
+
{ method: 'renderTree', class: 'QuestionnaireRenderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
1062
|
+
{ method: 'renderForm', class: 'QuestionnaireRenderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
1063
|
+
{ method: 'renderLinks', class: 'QuestionnaireRenderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1] },
|
|
1064
|
+
{ method: 'renderTreeItem', class: 'QuestionnaireRenderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1, 2, 3] },
|
|
1065
|
+
{ method: 'addTreeRoot', class: 'QuestionnaireRenderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0, 1, 2, 3] },
|
|
1066
|
+
// Shiro InvalidRequestFilter
|
|
1067
|
+
{ method: 'blockSemicolon', class: 'InvalidRequestFilter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1068
|
+
{ method: 'blockBackslash', class: 'InvalidRequestFilter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1069
|
+
{ method: 'blockNonAscii', class: 'InvalidRequestFilter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1070
|
+
{ method: 'isAccessAllowed', class: 'InvalidRequestFilter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1071
|
+
// Perfecto credentials
|
|
1072
|
+
{ method: 'setUsername', class: 'PerfectoCredentials', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1073
|
+
{ method: 'setPassword', class: 'PerfectoCredentials', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1074
|
+
{ method: 'setCloudName', class: 'PerfectoCredentials', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1075
|
+
// MyFaces resource validation
|
|
1076
|
+
{ method: 'isValidResourceName', class: 'ResourceValidationUtils', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1077
|
+
{ method: 'isValidLibraryName', class: 'ResourceValidationUtils', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1078
|
+
// Additional Command Injection patterns (Jenkins)
|
|
1079
|
+
{ method: 'child', class: 'FilePath', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1080
|
+
{ method: 'forGroup', class: 'FolderLibraries', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1081
|
+
{ method: 'parse', class: 'LibraryAdder', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1082
|
+
{ method: 'findResources', class: 'LibraryAdder', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1083
|
+
{ method: 'loadScripts', class: 'LibraryAdder', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1084
|
+
{ method: 'doRetrieve', class: 'SCMSourceRetriever', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1085
|
+
{ method: 'suggestedConfigurations', class: 'LibraryResolver', type: 'command_injection', cwe: 'CWE-78', severity: 'high', arg_positions: [0] },
|
|
1086
|
+
{ method: 'run', class: 'LibraryStep', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1087
|
+
// XStream mapper (deserialization chain)
|
|
1088
|
+
{ method: 'realClass', class: 'CachingMapper', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1089
|
+
{ method: 'flushCache', class: 'CachingMapper', type: 'command_injection', cwe: 'CWE-78', severity: 'high', arg_positions: [] },
|
|
1090
|
+
// Bourne Shell patterns
|
|
1091
|
+
{ method: 'getShellArgs', class: 'BourneShell', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [] },
|
|
1092
|
+
{ method: 'getRawCommandLine', class: 'Shell', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [] },
|
|
1093
|
+
{ method: 'getExecutionPreamble', class: 'Shell', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [] },
|
|
1094
|
+
{ method: 'setQuotedArgumentsEnabled', class: 'Shell', type: 'command_injection', cwe: 'CWE-78', severity: 'high', arg_positions: [0] },
|
|
1095
|
+
// Sandbox/script security
|
|
1096
|
+
{ method: 'onNewInstance', class: 'SandboxInterceptor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1097
|
+
// =========================================================================
|
|
1098
|
+
// Node.js/Express Sinks
|
|
1099
|
+
// =========================================================================
|
|
1100
|
+
// Node.js Command Injection (child_process)
|
|
1101
|
+
{ method: 'exec', class: 'child_process', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1102
|
+
{ method: 'execSync', class: 'child_process', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1103
|
+
{ method: 'spawn', class: 'child_process', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1104
|
+
{ method: 'spawnSync', class: 'child_process', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1105
|
+
// Also match without receiver (destructured imports)
|
|
1106
|
+
{ method: 'exec', type: 'command_injection', cwe: 'CWE-78', severity: 'high', arg_positions: [0] },
|
|
1107
|
+
{ method: 'execSync', type: 'command_injection', cwe: 'CWE-78', severity: 'high', arg_positions: [0] },
|
|
1108
|
+
// Node.js File System (path traversal)
|
|
1109
|
+
{ method: 'readFile', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0] },
|
|
1110
|
+
{ method: 'readFileSync', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0] },
|
|
1111
|
+
{ method: 'writeFile', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0] },
|
|
1112
|
+
{ method: 'writeFileSync', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0] },
|
|
1113
|
+
{ method: 'appendFile', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0] },
|
|
1114
|
+
{ method: 'readdir', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1115
|
+
{ method: 'unlink', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0] },
|
|
1116
|
+
{ method: 'rmdir', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0] },
|
|
1117
|
+
{ method: 'createReadStream', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0] },
|
|
1118
|
+
{ method: 'createWriteStream', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0] },
|
|
1119
|
+
// Node.js SQL (mysql, pg, sqlite, etc.)
|
|
1120
|
+
{ method: 'query', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1121
|
+
{ method: 'query', class: 'Pool', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1122
|
+
{ method: 'query', class: 'Client', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1123
|
+
{ method: 'query', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0] },
|
|
1124
|
+
{ method: 'raw', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0] },
|
|
1125
|
+
// Express.js XSS (response methods)
|
|
1126
|
+
{ method: 'send', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1127
|
+
{ method: 'write', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1128
|
+
{ method: 'end', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1129
|
+
{ method: 'html', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1130
|
+
{ method: 'render', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [1] },
|
|
1131
|
+
// Node.js Code Injection (eval, vm, etc.)
|
|
1132
|
+
{ method: 'eval', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1133
|
+
{ method: 'Function', class: 'constructor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1134
|
+
{ method: 'runInContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1135
|
+
{ method: 'runInNewContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1136
|
+
{ method: 'runInThisContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1137
|
+
// Node.js NoSQL Injection (MongoDB)
|
|
1138
|
+
{ method: 'find', class: 'Collection', type: 'nosql_injection', cwe: 'CWE-943', severity: 'high', arg_positions: [0] },
|
|
1139
|
+
{ method: 'findOne', class: 'Collection', type: 'nosql_injection', cwe: 'CWE-943', severity: 'high', arg_positions: [0] },
|
|
1140
|
+
{ method: 'updateOne', class: 'Collection', type: 'nosql_injection', cwe: 'CWE-943', severity: 'high', arg_positions: [0] },
|
|
1141
|
+
{ method: 'updateMany', class: 'Collection', type: 'nosql_injection', cwe: 'CWE-943', severity: 'high', arg_positions: [0] },
|
|
1142
|
+
{ method: 'deleteOne', class: 'Collection', type: 'nosql_injection', cwe: 'CWE-943', severity: 'high', arg_positions: [0] },
|
|
1143
|
+
{ method: 'deleteMany', class: 'Collection', type: 'nosql_injection', cwe: 'CWE-943', severity: 'high', arg_positions: [0] },
|
|
1144
|
+
// Node.js SSRF (HTTP clients)
|
|
1145
|
+
{ method: 'get', class: 'axios', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1146
|
+
{ method: 'post', class: 'axios', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1147
|
+
{ method: 'request', class: 'axios', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1148
|
+
{ method: 'fetch', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1149
|
+
{ method: 'request', class: 'http', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1150
|
+
{ method: 'request', class: 'https', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1151
|
+
// needle library (used in NodeGoat)
|
|
1152
|
+
{ method: 'get', class: 'needle', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1153
|
+
{ method: 'post', class: 'needle', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1154
|
+
{ method: 'request', class: 'needle', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1155
|
+
// got library
|
|
1156
|
+
{ method: 'get', class: 'got', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1157
|
+
{ method: 'post', class: 'got', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1158
|
+
// superagent
|
|
1159
|
+
{ method: 'get', class: 'superagent', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1160
|
+
{ method: 'post', class: 'superagent', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1161
|
+
// node-fetch
|
|
1162
|
+
{ method: 'default', class: 'node-fetch', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1163
|
+
// =========================================================================
|
|
1164
|
+
// Python Sinks
|
|
1165
|
+
// =========================================================================
|
|
1166
|
+
// Python Command Injection
|
|
1167
|
+
{ method: 'system', class: 'os', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1168
|
+
{ method: 'popen', class: 'os', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1169
|
+
{ method: 'run', class: 'subprocess', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1170
|
+
{ method: 'call', class: 'subprocess', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1171
|
+
{ method: 'check_output', class: 'subprocess', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1172
|
+
{ method: 'check_call', class: 'subprocess', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1173
|
+
{ method: 'Popen', class: 'subprocess', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1174
|
+
// Python Code Injection
|
|
1175
|
+
{ method: 'eval', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1176
|
+
{ method: 'exec', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1177
|
+
{ method: 'compile', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
1178
|
+
{ method: '__import__', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
1179
|
+
// Python Deserialization
|
|
1180
|
+
{ method: 'loads', class: 'pickle', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
1181
|
+
{ method: 'load', class: 'pickle', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
1182
|
+
{ method: 'loads', class: 'marshal', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
1183
|
+
{ method: 'load', class: 'yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
1184
|
+
{ method: 'loads', class: 'yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
1185
|
+
// Python SQL Injection
|
|
1186
|
+
{ method: 'execute', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1187
|
+
{ method: 'executemany', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1188
|
+
{ method: 'raw', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1189
|
+
{ method: 'extra', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0] },
|
|
1190
|
+
// Python Path Traversal
|
|
1191
|
+
{ method: 'open', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1192
|
+
{ method: 'remove', class: 'os', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1193
|
+
{ method: 'unlink', class: 'os', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1194
|
+
{ method: 'rmdir', class: 'os', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1195
|
+
{ method: 'rmtree', class: 'shutil', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0] },
|
|
1196
|
+
{ method: 'send_file', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1197
|
+
// Python XSS / SSTI
|
|
1198
|
+
{ method: 'render_template_string', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1199
|
+
{ method: 'Markup', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1200
|
+
{ method: 'mark_safe', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1201
|
+
// Python SSRF
|
|
1202
|
+
{ method: 'get', class: 'requests', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1203
|
+
{ method: 'post', class: 'requests', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1204
|
+
{ method: 'urlopen', class: 'urllib.request', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1205
|
+
// Python Open Redirect
|
|
1206
|
+
{ method: 'redirect', type: 'open_redirect', cwe: 'CWE-601', severity: 'medium', arg_positions: [0] },
|
|
1207
|
+
// Python XPath Injection
|
|
1208
|
+
{ method: 'xpath', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
1209
|
+
{ method: 'find', class: 'etree', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
1210
|
+
{ method: 'findall', class: 'etree', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
1211
|
+
{ method: 'iterfind', class: 'etree', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
1212
|
+
{ method: 'XPath', class: 'lxml', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
1213
|
+
// elementpath library (XPath 2.0/3.0)
|
|
1214
|
+
{ method: 'select', class: 'elementpath', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [1] },
|
|
1215
|
+
{ method: 'select', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
1216
|
+
{ method: 'iter_select', class: 'elementpath', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [1] },
|
|
1217
|
+
{ method: 'Selector', class: 'elementpath', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
1218
|
+
// Python XXE
|
|
1219
|
+
{ method: 'parse', class: 'etree', type: 'xxe', cwe: 'CWE-611', severity: 'high', arg_positions: [0] },
|
|
1220
|
+
{ method: 'fromstring', class: 'etree', type: 'xxe', cwe: 'CWE-611', severity: 'high', arg_positions: [0] },
|
|
1221
|
+
{ method: 'XML', class: 'etree', type: 'xxe', cwe: 'CWE-611', severity: 'high', arg_positions: [0] },
|
|
1222
|
+
{ method: 'parseString', class: 'minidom', type: 'xxe', cwe: 'CWE-611', severity: 'high', arg_positions: [0] },
|
|
1223
|
+
{ method: 'parse', class: 'sax', type: 'xxe', cwe: 'CWE-611', severity: 'high', arg_positions: [0] },
|
|
1224
|
+
{ method: 'XMLParser', class: 'lxml', type: 'xxe', cwe: 'CWE-611', severity: 'high', arg_positions: [0] },
|
|
1225
|
+
// Python LDAP Injection
|
|
1226
|
+
{ method: 'search', class: 'ldap', type: 'ldap_injection', cwe: 'CWE-90', severity: 'high', arg_positions: [0, 2] },
|
|
1227
|
+
{ method: 'search_s', class: 'ldap', type: 'ldap_injection', cwe: 'CWE-90', severity: 'high', arg_positions: [0, 2] },
|
|
1228
|
+
{ method: 'search_ext', class: 'ldap', type: 'ldap_injection', cwe: 'CWE-90', severity: 'high', arg_positions: [0, 2] },
|
|
1229
|
+
{ method: 'search_ext_s', class: 'ldap', type: 'ldap_injection', cwe: 'CWE-90', severity: 'high', arg_positions: [0, 2] },
|
|
1230
|
+
// ldap3 library (different API from python-ldap)
|
|
1231
|
+
{ method: 'search', class: 'Connection', type: 'ldap_injection', cwe: 'CWE-90', severity: 'high', arg_positions: [0, 1] },
|
|
1232
|
+
{ method: 'extend', class: 'Connection', type: 'ldap_injection', cwe: 'CWE-90', severity: 'high', arg_positions: [0] },
|
|
1233
|
+
{ method: 'modify', class: 'Connection', type: 'ldap_injection', cwe: 'CWE-90', severity: 'high', arg_positions: [0] },
|
|
1234
|
+
{ method: 'add', class: 'Connection', type: 'ldap_injection', cwe: 'CWE-90', severity: 'high', arg_positions: [0] },
|
|
1235
|
+
{ method: 'delete', class: 'Connection', type: 'ldap_injection', cwe: 'CWE-90', severity: 'high', arg_positions: [0] },
|
|
1236
|
+
// Python Trust Boundary (CWE-501)
|
|
1237
|
+
// The vulnerability is storing untrusted data in session that gets trusted later
|
|
1238
|
+
{ method: '__setitem__', class: 'session', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [1] },
|
|
1239
|
+
{ method: 'update', class: 'session', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [0] },
|
|
1240
|
+
// Flask-specific session assignment
|
|
1241
|
+
{ method: '__setitem__', class: 'flask.session', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [1] },
|
|
1242
|
+
// Django session
|
|
1243
|
+
{ method: '__setitem__', class: 'request.session', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [1] },
|
|
1244
|
+
// Python pathlib patterns
|
|
1245
|
+
{ method: 'read_text', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [] },
|
|
1246
|
+
{ method: 'read_bytes', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [] },
|
|
1247
|
+
{ method: 'write_text', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1248
|
+
{ method: 'write_bytes', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1249
|
+
{ method: 'mkdir', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [] },
|
|
1250
|
+
{ method: 'unlink', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [] },
|
|
1251
|
+
{ method: 'rmdir', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [] },
|
|
1252
|
+
{ method: 'joinpath', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1253
|
+
// Python NoSQL injection (MongoDB, etc.)
|
|
1254
|
+
{ method: 'find', class: 'Collection', type: 'nosql_injection', cwe: 'CWE-943', severity: 'critical', arg_positions: [0] },
|
|
1255
|
+
{ method: 'find_one', class: 'Collection', type: 'nosql_injection', cwe: 'CWE-943', severity: 'critical', arg_positions: [0] },
|
|
1256
|
+
{ method: 'update_one', class: 'Collection', type: 'nosql_injection', cwe: 'CWE-943', severity: 'critical', arg_positions: [0, 1] },
|
|
1257
|
+
{ method: 'update_many', class: 'Collection', type: 'nosql_injection', cwe: 'CWE-943', severity: 'critical', arg_positions: [0, 1] },
|
|
1258
|
+
{ method: 'delete_one', class: 'Collection', type: 'nosql_injection', cwe: 'CWE-943', severity: 'critical', arg_positions: [0] },
|
|
1259
|
+
{ method: 'delete_many', class: 'Collection', type: 'nosql_injection', cwe: 'CWE-943', severity: 'critical', arg_positions: [0] },
|
|
1260
|
+
{ method: 'aggregate', class: 'Collection', type: 'nosql_injection', cwe: 'CWE-943', severity: 'critical', arg_positions: [0] },
|
|
1261
|
+
// Python Template Injection (Jinja2, Mako)
|
|
1262
|
+
{ method: 'from_string', class: 'Template', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1263
|
+
{ method: 'Template', class: 'jinja2', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1264
|
+
{ method: 'Template', class: 'mako', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1265
|
+
// Python Log Injection
|
|
1266
|
+
{ method: 'info', class: 'logger', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0] },
|
|
1267
|
+
{ method: 'warning', class: 'logger', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0] },
|
|
1268
|
+
{ method: 'error', class: 'logger', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0] },
|
|
1269
|
+
{ method: 'debug', class: 'logger', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0] },
|
|
1270
|
+
{ method: 'critical', class: 'logger', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0] },
|
|
1271
|
+
// =========================================================================
|
|
1272
|
+
// Java CWE-Bench Enhancement Patterns (Collection/Builder)
|
|
1273
|
+
// =========================================================================
|
|
1274
|
+
// Collection-based command injection (ProcessBuilder with List)
|
|
1275
|
+
{ method: 'command', class: 'ProcessBuilder', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1276
|
+
{ method: 'inheritIO', class: 'ProcessBuilder', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [] },
|
|
1277
|
+
// Jenkins DSL patterns
|
|
1278
|
+
{ method: 'step', class: 'StepExecution', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1279
|
+
{ method: 'invokeMethod', class: 'Script', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0, 1] },
|
|
1280
|
+
{ method: 'evaluate', class: 'Script', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1281
|
+
{ method: 'parse', class: 'GroovyClassLoader', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1282
|
+
// XML-based deserialization leading to RCE
|
|
1283
|
+
{ method: 'unmarshal', class: 'JAXBContext', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
1284
|
+
{ method: 'readObject', class: 'XMLDecoder', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [] },
|
|
1285
|
+
// JavaScript context XSS patterns
|
|
1286
|
+
{ method: 'setContentType', class: 'HttpServletResponse', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
|
|
1287
|
+
// Template context pollution
|
|
1288
|
+
{ method: 'put', class: 'VelocityContext', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [1] },
|
|
1289
|
+
{ method: 'setVariable', class: 'Context', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [1] },
|
|
1290
|
+
// HTML sanitizer bypass markers (known CVE patterns)
|
|
1291
|
+
{ method: 'clean', class: 'AntiSamy', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
|
|
1292
|
+
{ method: 'getValidSafeHTML', class: 'ESAPI', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
|
|
1293
|
+
// Request/session attribute reflection XSS (return value is tainted)
|
|
1294
|
+
{ method: 'getAttribute', class: 'HttpServletRequest', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [] },
|
|
1295
|
+
{ method: 'getAttribute', class: 'HttpSession', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [] },
|
|
1296
|
+
// =========================================================================
|
|
1297
|
+
// Rust Sinks
|
|
1298
|
+
// =========================================================================
|
|
1299
|
+
// Rust Command Injection (std::process)
|
|
1300
|
+
{ method: 'spawn', class: 'Command', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1301
|
+
{ method: 'output', class: 'Command', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1302
|
+
{ method: 'status', class: 'Command', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1303
|
+
{ method: 'new', class: 'Command', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1304
|
+
{ method: 'arg', class: 'Command', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1305
|
+
{ method: 'args', class: 'Command', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1306
|
+
// Rust SQL Injection (sqlx, diesel, rusqlite, tokio-postgres)
|
|
1307
|
+
{ method: 'query', class: 'Client', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1308
|
+
{ method: 'execute', class: 'Client', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1309
|
+
{ method: 'query', class: 'Pool', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1310
|
+
{ method: 'execute', class: 'Pool', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1311
|
+
{ method: 'sql_query', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1312
|
+
{ method: 'raw_sql', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1313
|
+
{ method: 'execute', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1314
|
+
{ method: 'query_row', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1315
|
+
{ method: 'prepare', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1316
|
+
// sqlx::query macro
|
|
1317
|
+
{ method: 'query', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1318
|
+
// rusqlite specific
|
|
1319
|
+
{ method: 'prepare', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1320
|
+
{ method: 'execute', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1321
|
+
{ method: 'query_map', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1322
|
+
// Rust Path Traversal
|
|
1323
|
+
{ method: 'open', class: 'File', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1324
|
+
{ method: 'create', class: 'File', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1325
|
+
{ method: 'read_dir', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1326
|
+
{ method: 'remove_file', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1327
|
+
{ method: 'remove_dir', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1328
|
+
{ method: 'remove_dir_all', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0] },
|
|
1329
|
+
{ method: 'copy', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0, 1] },
|
|
1330
|
+
{ method: 'rename', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0, 1] },
|
|
1331
|
+
{ method: 'write', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1332
|
+
{ method: 'read_to_string', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1333
|
+
{ method: 'create_dir', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1334
|
+
{ method: 'create_dir_all', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1335
|
+
{ method: 'metadata', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
|
|
1336
|
+
{ method: 'symlink_metadata', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
|
|
1337
|
+
// Tokio async fs
|
|
1338
|
+
{ method: 'read_to_string', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1339
|
+
{ method: 'write', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1340
|
+
{ method: 'create_dir_all', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1341
|
+
// Rust Deserialization (serde, toml, ron, etc.)
|
|
1342
|
+
{ method: 'from_str', class: 'serde_json', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
1343
|
+
{ method: 'from_slice', class: 'serde_json', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
1344
|
+
{ method: 'from_reader', class: 'serde_json', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
1345
|
+
{ method: 'from_str', class: 'serde_yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
1346
|
+
{ method: 'from_bytes', class: 'bincode', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
1347
|
+
{ method: 'deserialize', class: 'bincode', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
1348
|
+
{ method: 'from_str', class: 'toml', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
1349
|
+
{ method: 'from_str', class: 'ron', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
1350
|
+
// Generic deserialization patterns
|
|
1351
|
+
{ method: 'from_str', type: 'deserialization', cwe: 'CWE-502', severity: 'medium', arg_positions: [0] },
|
|
1352
|
+
{ method: 'from_slice', type: 'deserialization', cwe: 'CWE-502', severity: 'medium', arg_positions: [0] },
|
|
1353
|
+
// Rust XSS (actix-web, rocket, axum response body)
|
|
1354
|
+
{ method: 'body', class: 'HttpResponseBuilder', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1355
|
+
{ method: 'body', class: 'HttpResponse', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1356
|
+
{ method: 'Html', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1357
|
+
// Rust SSRF (reqwest, hyper, ureq)
|
|
1358
|
+
{ method: 'get', class: 'Client', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1359
|
+
{ method: 'post', class: 'Client', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1360
|
+
{ method: 'request', class: 'Client', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1361
|
+
{ method: 'send', class: 'Request', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1362
|
+
// ureq library
|
|
1363
|
+
{ method: 'get', class: 'ureq', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1364
|
+
{ method: 'post', class: 'ureq', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1365
|
+
// Hyper Uri parsing
|
|
1366
|
+
{ method: 'parse', class: 'Uri', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1367
|
+
// Rust Open Redirect
|
|
1368
|
+
{ method: 'redirect', class: 'HttpResponse', type: 'open_redirect', cwe: 'CWE-601', severity: 'medium', arg_positions: [0] },
|
|
1369
|
+
{ method: 'Redirect', type: 'open_redirect', cwe: 'CWE-601', severity: 'medium', arg_positions: [0] },
|
|
1370
|
+
// Rust Log Injection (log crate, tracing)
|
|
1371
|
+
{ method: 'info!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2] },
|
|
1372
|
+
{ method: 'warn!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2] },
|
|
1373
|
+
{ method: 'error!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2] },
|
|
1374
|
+
{ method: 'debug!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2] },
|
|
1375
|
+
{ method: 'trace!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2] },
|
|
1376
|
+
{ method: 'log!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2] },
|
|
1377
|
+
// Standard library logging
|
|
1378
|
+
{ method: 'println!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2] },
|
|
1379
|
+
{ method: 'eprintln!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2] },
|
|
1380
|
+
// Rust sqlx SQL Injection
|
|
1381
|
+
{ method: 'query', class: 'sqlx', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1382
|
+
{ method: 'query_as', class: 'sqlx', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1383
|
+
{ method: 'query_as', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1384
|
+
{ method: 'query_scalar', class: 'sqlx', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1385
|
+
{ method: 'execute', class: 'sqlx', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1386
|
+
{ method: 'fetch_one', class: 'sqlx', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1387
|
+
{ method: 'fetch_all', class: 'sqlx', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1388
|
+
{ method: 'fetch_optional', class: 'sqlx', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1389
|
+
// Rust Command Injection (std::process::Command)
|
|
1390
|
+
{ method: 'arg', class: 'Command', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1391
|
+
{ method: 'args', class: 'Command', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1392
|
+
{ method: 'new', class: 'Command', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1393
|
+
// Rust reqwest SSRF
|
|
1394
|
+
{ method: 'get', class: 'reqwest', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1395
|
+
{ method: 'post', class: 'reqwest', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1396
|
+
{ method: 'put', class: 'reqwest', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1397
|
+
{ method: 'delete', class: 'reqwest', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1398
|
+
{ method: 'get', class: 'Client', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1399
|
+
{ method: 'post', class: 'Client', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1400
|
+
// Rust Actix-web XSS
|
|
1401
|
+
{ method: 'body', class: 'HttpResponse', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1402
|
+
{ method: 'body', class: 'HttpResponseBuilder', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1403
|
+
{ method: 'body', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1404
|
+
// Rust serde deserialization
|
|
1405
|
+
{ method: 'from_str', class: 'serde_yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
1406
|
+
{ method: 'from_reader', class: 'serde_yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
1407
|
+
{ method: 'from_str', class: 'serde_json', type: 'deserialization', cwe: 'CWE-502', severity: 'medium', arg_positions: [0] },
|
|
1408
|
+
{ method: 'from_slice', class: 'serde_json', type: 'deserialization', cwe: 'CWE-502', severity: 'medium', arg_positions: [0] },
|
|
1409
|
+
];
|
|
1410
|
+
export const DEFAULT_SANITIZERS = [
|
|
1411
|
+
// SQL Injection - proper parameter binding sanitizes input
|
|
1412
|
+
// Note: prepareStatement alone is NOT a sanitizer - it's a sink when used with concatenation
|
|
1413
|
+
{ method: 'setString', class: 'PreparedStatement', removes: ['sql_injection'] },
|
|
1414
|
+
{ method: 'setInt', class: 'PreparedStatement', removes: ['sql_injection'] },
|
|
1415
|
+
{ method: 'setLong', class: 'PreparedStatement', removes: ['sql_injection'] },
|
|
1416
|
+
{ method: 'setParameter', class: 'Query', removes: ['sql_injection'] },
|
|
1417
|
+
{ annotation: 'Param', removes: ['sql_injection'] },
|
|
1418
|
+
// XSS
|
|
1419
|
+
{ method: 'escapeHtml', removes: ['xss'] },
|
|
1420
|
+
{ method: 'encodeForHTML', removes: ['xss'] },
|
|
1421
|
+
{ method: 'escapeXml', removes: ['xss'] },
|
|
1422
|
+
{ method: 'htmlEscape', removes: ['xss'] },
|
|
1423
|
+
{ method: 'encode_text', removes: ['xss'] }, // Rust html_escape crate
|
|
1424
|
+
{ method: 'encode_safe', removes: ['xss'] }, // Rust html_escape crate
|
|
1425
|
+
{ method: 'render', class: 'Template', removes: ['xss'] }, // Rust askama auto-escapes
|
|
1426
|
+
{ method: 'encodeForJavaScript', removes: ['xss'] },
|
|
1427
|
+
{ method: 'encodeForCSS', removes: ['xss'] },
|
|
1428
|
+
{ method: 'encodeForURL', removes: ['xss', 'ssrf'] },
|
|
1429
|
+
// Path Traversal
|
|
1430
|
+
{ method: 'normalize', class: 'Path', removes: ['path_traversal'] },
|
|
1431
|
+
{ method: 'getCanonicalPath', class: 'File', removes: ['path_traversal'] },
|
|
1432
|
+
{ method: 'toRealPath', class: 'Path', removes: ['path_traversal'] },
|
|
1433
|
+
// Rust path sanitizers
|
|
1434
|
+
{ method: 'file_name', removes: ['path_traversal'] }, // Returns just filename, strips path
|
|
1435
|
+
{ method: 'canonicalize', removes: ['path_traversal'] }, // Resolves symlinks and normalizes
|
|
1436
|
+
// Log Injection sanitizers
|
|
1437
|
+
{ method: 'replace', removes: ['log_injection'] }, // Used to remove newlines/control chars
|
|
1438
|
+
// LDAP Injection
|
|
1439
|
+
{ method: 'encodeForLDAP', removes: ['ldap_injection'] },
|
|
1440
|
+
{ method: 'encodeForDN', removes: ['ldap_injection'] },
|
|
1441
|
+
{ method: 'escapeLDAPSearchFilter', removes: ['ldap_injection'] },
|
|
1442
|
+
// XPath Injection
|
|
1443
|
+
{ method: 'compile', class: 'XPathFactory', removes: ['xpath_injection'] },
|
|
1444
|
+
// XXE
|
|
1445
|
+
{ method: 'setFeature', class: 'DocumentBuilderFactory', removes: ['xxe'] },
|
|
1446
|
+
{ method: 'setFeature', class: 'SAXParserFactory', removes: ['xxe'] },
|
|
1447
|
+
{ method: 'setFeature', class: 'XMLReader', removes: ['xxe'] },
|
|
1448
|
+
{ method: 'setProperty', class: 'XMLReader', removes: ['xxe'] },
|
|
1449
|
+
// SSRF / URL encoding
|
|
1450
|
+
{ method: 'encode', class: 'URLEncoder', removes: ['ssrf', 'xss', 'path_traversal'] },
|
|
1451
|
+
{ method: 'validateURL', removes: ['ssrf'] },
|
|
1452
|
+
{ method: 'isAllowedHost', removes: ['ssrf'] },
|
|
1453
|
+
{ method: 'isInternalHost', removes: ['ssrf'] },
|
|
1454
|
+
// Command Injection
|
|
1455
|
+
{ method: 'escapeshellarg', removes: ['command_injection'] },
|
|
1456
|
+
{ method: 'escapeshellcmd', removes: ['command_injection'] },
|
|
1457
|
+
// Deserialization
|
|
1458
|
+
{ method: 'setObjectInputFilter', class: 'ObjectInputStream', removes: ['deserialization'] },
|
|
1459
|
+
// =========================================================================
|
|
1460
|
+
// Node.js / JavaScript Sanitizers
|
|
1461
|
+
// =========================================================================
|
|
1462
|
+
// XSS - encoding/escaping
|
|
1463
|
+
{ method: 'encodeURIComponent', removes: ['xss', 'ssrf', 'path_traversal'] },
|
|
1464
|
+
{ method: 'encodeURI', removes: ['xss', 'ssrf'] },
|
|
1465
|
+
{ method: 'escape', removes: ['xss'] },
|
|
1466
|
+
{ method: 'sanitize', removes: ['xss', 'sql_injection', 'nosql_injection'] },
|
|
1467
|
+
// DOMPurify and similar
|
|
1468
|
+
{ method: 'sanitize', class: 'DOMPurify', removes: ['xss'] },
|
|
1469
|
+
{ method: 'escape', class: 'validator', removes: ['xss'] },
|
|
1470
|
+
// Type coercion (removes string-based injections)
|
|
1471
|
+
{ method: 'parseInt', removes: ['sql_injection', 'nosql_injection', 'command_injection', 'xss'] },
|
|
1472
|
+
{ method: 'parseFloat', removes: ['sql_injection', 'nosql_injection', 'command_injection'] },
|
|
1473
|
+
{ method: 'Number', removes: ['sql_injection', 'nosql_injection', 'command_injection'] },
|
|
1474
|
+
// Path sanitization
|
|
1475
|
+
{ method: 'basename', class: 'path', removes: ['path_traversal'] },
|
|
1476
|
+
{ method: 'normalize', class: 'path', removes: ['path_traversal'] },
|
|
1477
|
+
{ method: 'resolve', class: 'path', removes: ['path_traversal'] },
|
|
1478
|
+
// SQL - parameterized queries (mysql, pg)
|
|
1479
|
+
{ method: 'escape', class: 'mysql', removes: ['sql_injection'] },
|
|
1480
|
+
{ method: 'escapeId', class: 'mysql', removes: ['sql_injection'] },
|
|
1481
|
+
{ method: 'format', class: 'mysql', removes: ['sql_injection'] },
|
|
1482
|
+
// MongoDB - sanitization
|
|
1483
|
+
{ method: 'sanitize', class: 'mongo', removes: ['nosql_injection'] },
|
|
1484
|
+
{ method: 'escape', class: 'mongo', removes: ['nosql_injection'] },
|
|
1485
|
+
// Command injection - shell escaping
|
|
1486
|
+
{ method: 'quote', class: 'shell', removes: ['command_injection'] },
|
|
1487
|
+
{ method: 'escape', class: 'shell-escape', removes: ['command_injection'] },
|
|
1488
|
+
// =========================================================================
|
|
1489
|
+
// Python Sanitizers
|
|
1490
|
+
// =========================================================================
|
|
1491
|
+
// Python XSS
|
|
1492
|
+
{ method: 'escape', class: 'markupsafe', removes: ['xss'] },
|
|
1493
|
+
{ method: 'escape', class: 'html', removes: ['xss'] },
|
|
1494
|
+
{ method: 'escape', class: 'cgi', removes: ['xss'] },
|
|
1495
|
+
{ method: 'bleach', class: 'clean', removes: ['xss'] },
|
|
1496
|
+
{ method: 'clean', class: 'bleach', removes: ['xss'] },
|
|
1497
|
+
// Python Command Injection
|
|
1498
|
+
{ method: 'quote', class: 'shlex', removes: ['command_injection'] },
|
|
1499
|
+
{ method: 'split', class: 'shlex', removes: ['command_injection'] },
|
|
1500
|
+
// Python Deserialization
|
|
1501
|
+
{ method: 'safe_load', class: 'yaml', removes: ['deserialization'] },
|
|
1502
|
+
{ method: 'safe_dump', class: 'yaml', removes: ['deserialization'] },
|
|
1503
|
+
// Python SQL - parameterized queries
|
|
1504
|
+
{ method: 'mogrify', removes: ['sql_injection'] },
|
|
1505
|
+
{ method: 'literal', class: 'MySQLdb', removes: ['sql_injection'] },
|
|
1506
|
+
// Python NoSQL
|
|
1507
|
+
{ method: 'ObjectId', class: 'bson', removes: ['nosql_injection'] },
|
|
1508
|
+
// Python LDAP
|
|
1509
|
+
{ method: 'filter_format', class: 'ldap', removes: ['ldap_injection'] },
|
|
1510
|
+
{ method: 'escape_filter_chars', class: 'ldap', removes: ['ldap_injection'] },
|
|
1511
|
+
// Python XPath
|
|
1512
|
+
{ method: 'escape', class: 'xpath', removes: ['xpath_injection'] },
|
|
1513
|
+
// Python XXE safe parsers
|
|
1514
|
+
{ method: 'defusedxml', removes: ['xxe'] },
|
|
1515
|
+
{ method: 'parse', class: 'defusedxml', removes: ['xxe'] },
|
|
1516
|
+
// Python Path Traversal
|
|
1517
|
+
{ method: 'secure_filename', class: 'werkzeug.utils', removes: ['path_traversal'] },
|
|
1518
|
+
{ method: 'basename', class: 'os.path', removes: ['path_traversal'] },
|
|
1519
|
+
{ method: 'normpath', class: 'os.path', removes: ['path_traversal'] },
|
|
1520
|
+
// Python Type coercion
|
|
1521
|
+
{ method: 'int', removes: ['sql_injection', 'command_injection', 'xss'] },
|
|
1522
|
+
{ method: 'float', removes: ['sql_injection', 'command_injection'] },
|
|
1523
|
+
// =========================================================================
|
|
1524
|
+
// Rust Sanitizers
|
|
1525
|
+
// =========================================================================
|
|
1526
|
+
// Rust SQL - sqlx query! macro is compile-time checked (parameterized)
|
|
1527
|
+
{ method: 'query!', removes: ['sql_injection'] },
|
|
1528
|
+
{ method: 'query_as!', removes: ['sql_injection'] },
|
|
1529
|
+
{ method: 'query_scalar!', removes: ['sql_injection'] },
|
|
1530
|
+
{ method: 'query_unchecked!', removes: ['sql_injection'] },
|
|
1531
|
+
// Diesel DSL (type-safe query builder)
|
|
1532
|
+
{ method: 'filter', class: 'diesel', removes: ['sql_injection'] },
|
|
1533
|
+
{ method: 'eq', class: 'diesel', removes: ['sql_injection'] },
|
|
1534
|
+
// Rust Path Traversal - basename/file_name extracts just the filename
|
|
1535
|
+
{ method: 'file_name', removes: ['path_traversal'] },
|
|
1536
|
+
{ method: 'file_stem', removes: ['path_traversal'] },
|
|
1537
|
+
{ method: 'extension', removes: ['path_traversal'] },
|
|
1538
|
+
{ method: 'canonicalize', removes: ['path_traversal'] }, // Resolves symlinks, validates path exists
|
|
1539
|
+
// Rust Command Injection - allowlist validation
|
|
1540
|
+
{ method: 'contains', removes: ['command_injection', 'ssrf'] }, // Used for allowlist checks
|
|
1541
|
+
{ method: 'starts_with', removes: ['path_traversal', 'ssrf'] }, // Path/URL prefix validation
|
|
1542
|
+
{ method: 'ends_with', removes: ['path_traversal'] },
|
|
1543
|
+
// Rust XSS - HTML escaping
|
|
1544
|
+
{ method: 'escape', class: 'html_escape', removes: ['xss'] },
|
|
1545
|
+
{ method: 'encode_text', class: 'html_escape', removes: ['xss'] },
|
|
1546
|
+
{ method: 'encode_attribute', class: 'html_escape', removes: ['xss'] },
|
|
1547
|
+
{ method: 'escape_html', removes: ['xss'] },
|
|
1548
|
+
// Rust Type coercion (parsing)
|
|
1549
|
+
{ method: 'parse', removes: ['sql_injection', 'command_injection', 'xss'] }, // str.parse::<i32>()
|
|
1550
|
+
];
|
|
1551
|
+
/**
|
|
1552
|
+
* Get the default taint configuration.
|
|
1553
|
+
*/
|
|
1554
|
+
export function getDefaultConfig() {
|
|
1555
|
+
return {
|
|
1556
|
+
sources: DEFAULT_SOURCES,
|
|
1557
|
+
sinks: DEFAULT_SINKS,
|
|
1558
|
+
sanitizers: DEFAULT_SANITIZERS,
|
|
1559
|
+
};
|
|
1560
|
+
}
|
|
1561
|
+
//# sourceMappingURL=config-loader.js.map
|