circle-ir 3.1.0

package/dist/languages/plugins/javascript.d.ts

@@ -0,0 +1,48 @@
+/**
+ * JavaScript/TypeScript Language Plugin
+ *
+ * Provides JS/TS-specific AST handling, taint patterns, and framework detection.
+ */
+import type { Node as SyntaxNode } from 'web-tree-sitter';
+import type { TypeInfo, CallInfo, ImportInfo } from '../../types/index.js';
+import type { LanguageNodeTypes, ExtractionContext, FrameworkInfo, TaintSourcePattern, TaintSinkPattern } from '../types.js';
+import { BaseLanguagePlugin } from './base.js';
+/**
+ * JavaScript/TypeScript language plugin implementation.
+ * Handles both JavaScript and TypeScript since they share the same tree-sitter grammar.
+ */
+export declare class JavaScriptPlugin extends BaseLanguagePlugin {
+    readonly id: "javascript";
+    readonly name = "JavaScript/TypeScript";
+    readonly extensions: string[];
+    readonly wasmPath = "tree-sitter-typescript.wasm";
+    readonly nodeTypes: LanguageNodeTypes;
+    /**
+     * Detect JavaScript frameworks from imports.
+     */
+    detectFramework(context: ExtractionContext): FrameworkInfo | undefined;
+    /**
+     * JavaScript/TypeScript taint source patterns.
+     */
+    getBuiltinSources(): TaintSourcePattern[];
+    /**
+     * JavaScript/TypeScript taint sink patterns.
+     */
+    getBuiltinSinks(): TaintSinkPattern[];
+    /**
+     * Get receiver type from a call expression.
+     */
+    getReceiverType(node: SyntaxNode, context: ExtractionContext): string | undefined;
+    /**
+     * Check if node is a JavaScript string literal.
+     */
+    isStringLiteral(node: SyntaxNode): boolean;
+    /**
+     * Get string value from JavaScript string literal.
+     */
+    getStringValue(node: SyntaxNode): string | undefined;
+    extractTypes(context: ExtractionContext): TypeInfo[];
+    extractCalls(context: ExtractionContext): CallInfo[];
+    extractImports(context: ExtractionContext): ImportInfo[];
+    extractPackage(context: ExtractionContext): string | undefined;
+}

package/dist/languages/plugins/javascript.js

@@ -0,0 +1,445 @@
+/**
+ * JavaScript/TypeScript Language Plugin
+ *
+ * Provides JS/TS-specific AST handling, taint patterns, and framework detection.
+ */
+import { BaseLanguagePlugin } from './base.js';
+/**
+ * JavaScript/TypeScript language plugin implementation.
+ * Handles both JavaScript and TypeScript since they share the same tree-sitter grammar.
+ */
+export class JavaScriptPlugin extends BaseLanguagePlugin {
+    id = 'javascript';
+    name = 'JavaScript/TypeScript';
+    extensions = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+    wasmPath = 'tree-sitter-typescript.wasm';
+    nodeTypes = {
+        // Type declarations
+        classDeclaration: ['class_declaration', 'class'],
+        interfaceDeclaration: ['interface_declaration'],
+        enumDeclaration: ['enum_declaration'],
+        functionDeclaration: ['function_declaration', 'function', 'arrow_function'],
+        methodDeclaration: ['method_definition'],
+        // Expressions
+        methodCall: ['call_expression'],
+        functionCall: ['call_expression'],
+        assignment: ['assignment_expression'],
+        variableDeclaration: ['lexical_declaration', 'variable_declaration'],
+        // Parameters and arguments
+        parameter: ['formal_parameters', 'required_parameter', 'optional_parameter'],
+        argument: ['arguments'],
+        // Annotations/decorators
+        annotation: [],
+        decorator: ['decorator'],
+        // Imports
+        importStatement: ['import_statement'],
+        // Control flow
+        ifStatement: ['if_statement'],
+        forStatement: ['for_statement', 'for_in_statement', 'for_of_statement'],
+        whileStatement: ['while_statement'],
+        tryStatement: ['try_statement'],
+        returnStatement: ['return_statement'],
+    };
+    /**
+     * Detect JavaScript frameworks from imports.
+     */
+    detectFramework(context) {
+        const indicators = [];
+        let framework;
+        let confidence = 0;
+        for (const imp of context.imports) {
+            const path = imp.from_package || imp.imported_name;
+            // Express.js
+            if (path === 'express' || path.startsWith('express/')) {
+                framework = 'express';
+                confidence = Math.max(confidence, 0.95);
+                indicators.push(`import: ${path}`);
+            }
+            // Fastify
+            if (path === 'fastify' || path.startsWith('fastify/')) {
+                framework = 'fastify';
+                confidence = Math.max(confidence, 0.95);
+                indicators.push(`import: ${path}`);
+            }
+            // Koa
+            if (path === 'koa' || path.startsWith('koa/')) {
+                framework = 'koa';
+                confidence = Math.max(confidence, 0.95);
+                indicators.push(`import: ${path}`);
+            }
+            // Hapi
+            if (path === '@hapi/hapi' || path.startsWith('@hapi/')) {
+                framework = 'hapi';
+                confidence = Math.max(confidence, 0.95);
+                indicators.push(`import: ${path}`);
+            }
+            // NestJS
+            if (path.startsWith('@nestjs/')) {
+                framework = 'nestjs';
+                confidence = Math.max(confidence, 0.95);
+                indicators.push(`import: ${path}`);
+            }
+            // React
+            if (path === 'react' || path.startsWith('react/')) {
+                framework = framework || 'react';
+                confidence = Math.max(confidence, 0.8);
+                indicators.push(`import: ${path}`);
+            }
+            // Next.js
+            if (path === 'next' || path.startsWith('next/')) {
+                framework = 'nextjs';
+                confidence = Math.max(confidence, 0.9);
+                indicators.push(`import: ${path}`);
+            }
+        }
+        if (framework) {
+            return { name: framework, confidence, indicators };
+        }
+        return undefined;
+    }
+    /**
+     * JavaScript/TypeScript taint source patterns.
+     */
+    getBuiltinSources() {
+        return [
+            // Express.js request object
+            {
+                method: 'query',
+                type: 'http_param',
+                severity: 'high',
+                confidence: 0.95,
+                returnTainted: true,
+            },
+            {
+                method: 'body',
+                type: 'http_body',
+                severity: 'high',
+                confidence: 0.95,
+                returnTainted: true,
+            },
+            {
+                method: 'params',
+                type: 'http_path',
+                severity: 'high',
+                confidence: 0.95,
+                returnTainted: true,
+            },
+            {
+                method: 'headers',
+                type: 'http_header',
+                severity: 'high',
+                confidence: 0.9,
+                returnTainted: true,
+            },
+            {
+                method: 'cookies',
+                type: 'http_cookie',
+                severity: 'high',
+                confidence: 0.9,
+                returnTainted: true,
+            },
+            // URL/URLSearchParams
+            {
+                method: 'get',
+                class: 'URLSearchParams',
+                type: 'http_param',
+                severity: 'high',
+                confidence: 0.85,
+                returnTainted: true,
+            },
+            // DOM sources (for browser code)
+            {
+                method: 'location',
+                type: 'url_param',
+                severity: 'high',
+                confidence: 0.9,
+                returnTainted: true,
+            },
+            {
+                method: 'document.URL',
+                type: 'url_param',
+                severity: 'high',
+                confidence: 0.9,
+                returnTainted: true,
+            },
+            {
+                method: 'document.referrer',
+                type: 'url_param',
+                severity: 'medium',
+                confidence: 0.85,
+                returnTainted: true,
+            },
+            // Node.js process
+            {
+                method: 'argv',
+                class: 'process',
+                type: 'cli_arg',
+                severity: 'medium',
+                confidence: 0.9,
+                returnTainted: true,
+            },
+            {
+                method: 'env',
+                class: 'process',
+                type: 'env_var',
+                severity: 'medium',
+                confidence: 0.85,
+                returnTainted: true,
+            },
+            // File system
+            {
+                method: 'readFileSync',
+                class: 'fs',
+                type: 'file_input',
+                severity: 'medium',
+                confidence: 0.8,
+                returnTainted: true,
+            },
+            {
+                method: 'readFile',
+                class: 'fs',
+                type: 'file_input',
+                severity: 'medium',
+                confidence: 0.8,
+                returnTainted: true,
+            },
+        ];
+    }
+    /**
+     * JavaScript/TypeScript taint sink patterns.
+     */
+    getBuiltinSinks() {
+        return [
+            // Command Injection
+            {
+                method: 'exec',
+                class: 'child_process',
+                type: 'command_injection',
+                cwe: 'CWE-78',
+                severity: 'critical',
+                argPositions: [0],
+            },
+            {
+                method: 'execSync',
+                class: 'child_process',
+                type: 'command_injection',
+                cwe: 'CWE-78',
+                severity: 'critical',
+                argPositions: [0],
+            },
+            {
+                method: 'spawn',
+                class: 'child_process',
+                type: 'command_injection',
+                cwe: 'CWE-78',
+                severity: 'critical',
+                argPositions: [0, 1],
+            },
+            // Code Injection
+            {
+                method: 'eval',
+                type: 'code_injection',
+                cwe: 'CWE-94',
+                severity: 'critical',
+                argPositions: [0],
+            },
+            {
+                method: 'Function',
+                type: 'code_injection',
+                cwe: 'CWE-94',
+                severity: 'critical',
+                argPositions: [0],
+            },
+            {
+                method: 'setTimeout',
+                type: 'code_injection',
+                cwe: 'CWE-94',
+                severity: 'high',
+                argPositions: [0], // When first arg is string
+            },
+            {
+                method: 'setInterval',
+                type: 'code_injection',
+                cwe: 'CWE-94',
+                severity: 'high',
+                argPositions: [0], // When first arg is string
+            },
+            // Path Traversal
+            {
+                method: 'readFileSync',
+                class: 'fs',
+                type: 'path_traversal',
+                cwe: 'CWE-22',
+                severity: 'high',
+                argPositions: [0],
+            },
+            {
+                method: 'writeFileSync',
+                class: 'fs',
+                type: 'path_traversal',
+                cwe: 'CWE-22',
+                severity: 'high',
+                argPositions: [0],
+            },
+            {
+                method: 'createReadStream',
+                class: 'fs',
+                type: 'path_traversal',
+                cwe: 'CWE-22',
+                severity: 'high',
+                argPositions: [0],
+            },
+            // XSS (DOM)
+            {
+                method: 'innerHTML',
+                type: 'xss',
+                cwe: 'CWE-79',
+                severity: 'high',
+                argPositions: [0],
+            },
+            {
+                method: 'outerHTML',
+                type: 'xss',
+                cwe: 'CWE-79',
+                severity: 'high',
+                argPositions: [0],
+            },
+            {
+                method: 'document.write',
+                type: 'xss',
+                cwe: 'CWE-79',
+                severity: 'high',
+                argPositions: [0],
+            },
+            // SQL Injection
+            {
+                method: 'query',
+                type: 'sql_injection',
+                cwe: 'CWE-89',
+                severity: 'critical',
+                argPositions: [0],
+            },
+            {
+                method: 'raw',
+                type: 'sql_injection',
+                cwe: 'CWE-89',
+                severity: 'critical',
+                argPositions: [0],
+            },
+            // SSRF
+            {
+                method: 'fetch',
+                type: 'ssrf',
+                cwe: 'CWE-918',
+                severity: 'high',
+                argPositions: [0],
+            },
+            {
+                method: 'get',
+                class: 'axios',
+                type: 'ssrf',
+                cwe: 'CWE-918',
+                severity: 'high',
+                argPositions: [0],
+            },
+            {
+                method: 'request',
+                class: 'http',
+                type: 'ssrf',
+                cwe: 'CWE-918',
+                severity: 'high',
+                argPositions: [0],
+            },
+            // NoSQL Injection
+            {
+                method: 'find',
+                type: 'nosql_injection',
+                cwe: 'CWE-943',
+                severity: 'high',
+                argPositions: [0],
+            },
+            {
+                method: 'findOne',
+                type: 'nosql_injection',
+                cwe: 'CWE-943',
+                severity: 'high',
+                argPositions: [0],
+            },
+            // Prototype Pollution (JS-specific)
+            {
+                method: 'merge',
+                type: 'prototype_pollution',
+                cwe: 'CWE-1321',
+                severity: 'high',
+                argPositions: [0, 1],
+            },
+            {
+                method: 'extend',
+                type: 'prototype_pollution',
+                cwe: 'CWE-1321',
+                severity: 'high',
+                argPositions: [0, 1],
+            },
+        ];
+    }
+    /**
+     * Get receiver type from a call expression.
+     */
+    getReceiverType(node, context) {
+        if (node.type !== 'call_expression')
+            return undefined;
+        const callee = node.childForFieldName('function');
+        if (!callee)
+            return undefined;
+        // For member expressions like obj.method()
+        if (callee.type === 'member_expression') {
+            const object = callee.childForFieldName('object');
+            if (object) {
+                return object.text;
+            }
+        }
+        return undefined;
+    }
+    /**
+     * Check if node is a JavaScript string literal.
+     */
+    isStringLiteral(node) {
+        return node.type === 'string' ||
+            node.type === 'template_string' ||
+            node.type === 'string_fragment';
+    }
+    /**
+     * Get string value from JavaScript string literal.
+     */
+    getStringValue(node) {
+        if (!this.isStringLiteral(node))
+            return undefined;
+        const text = node.text;
+        // Handle template strings
+        if (text.startsWith('`') && text.endsWith('`')) {
+            return text.slice(1, -1);
+        }
+        // Handle regular strings
+        if ((text.startsWith('"') && text.endsWith('"')) ||
+            (text.startsWith("'") && text.endsWith("'"))) {
+            return text.slice(1, -1);
+        }
+        return text;
+    }
+    // Extraction methods - delegate to existing extractors for now
+    extractTypes(context) {
+        return [];
+    }
+    extractCalls(context) {
+        return [];
+    }
+    extractImports(context) {
+        return [];
+    }
+    extractPackage(context) {
+        // JavaScript doesn't have package declarations
+        // Could look for package.json in parent directories
+        return undefined;
+    }
+}
+//# sourceMappingURL=javascript.js.map

package/dist/languages/plugins/javascript.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"javascript.js","sourceRoot":"","sources":["../../../src/languages/plugins/javascript.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAeH,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAE/C;;;GAGG;AACH,MAAM,OAAO,gBAAiB,SAAQ,kBAAkB;IAC7C,EAAE,GAAG,YAAqB,CAAC;IAC3B,IAAI,GAAG,uBAAuB,CAAC;IAC/B,UAAU,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5D,QAAQ,GAAG,6BAA6B,CAAC;IAEzC,SAAS,GAAsB;QACtC,oBAAoB;QACpB,gBAAgB,EAAE,CAAC,mBAAmB,EAAE,OAAO,CAAC;QAChD,oBAAoB,EAAE,CAAC,uBAAuB,CAAC;QAC/C,eAAe,EAAE,CAAC,kBAAkB,CAAC;QACrC,mBAAmB,EAAE,CAAC,sBAAsB,EAAE,UAAU,EAAE,gBAAgB,CAAC;QAC3E,iBAAiB,EAAE,CAAC,mBAAmB,CAAC;QAExC,cAAc;QACd,UAAU,EAAE,CAAC,iBAAiB,CAAC;QAC/B,YAAY,EAAE,CAAC,iBAAiB,CAAC;QACjC,UAAU,EAAE,CAAC,uBAAuB,CAAC;QACrC,mBAAmB,EAAE,CAAC,qBAAqB,EAAE,sBAAsB,CAAC;QAEpE,2BAA2B;QAC3B,SAAS,EAAE,CAAC,mBAAmB,EAAE,oBAAoB,EAAE,oBAAoB,CAAC;QAC5E,QAAQ,EAAE,CAAC,WAAW,CAAC;QAEvB,yBAAyB;QACzB,UAAU,EAAE,EAAE;QACd,SAAS,EAAE,CAAC,WAAW,CAAC;QAExB,UAAU;QACV,eAAe,EAAE,CAAC,kBAAkB,CAAC;QAErC,eAAe;QACf,WAAW,EAAE,CAAC,cAAc,CAAC;QAC7B,YAAY,EAAE,CAAC,eAAe,EAAE,kBAAkB,EAAE,kBAAkB,CAAC;QACvE,cAAc,EAAE,CAAC,iBAAiB,CAAC;QACnC,YAAY,EAAE,CAAC,eAAe,CAAC;QAC/B,eAAe,EAAE,CAAC,kBAAkB,CAAC;KACtC,CAAC;IAEF;;OAEG;IACH,eAAe,CAAC,OAA0B;QACxC,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,IAAI,SAA6B,CAAC;QAClC,IAAI,UAAU,GAAG,CAAC,CAAC;QAEnB,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,aAAa,CAAC;YAEnD,aAAa;YACb,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBACtD,SAAS,GAAG,SAAS,CAAC;gBACtB,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;gBACxC,UAAU,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;YACrC,CAAC;YAED,UAAU;YACV,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBACtD,SAAS,GAAG,SAAS,CAAC;gBACtB,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;gBACxC,UAAU,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;YACrC,CAAC;YAED,MAAM;YACN,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC9C,SAAS,GAAG,KAAK,CAAC;gBAClB,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;gBACxC,UAAU,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;YACrC,CAAC;YAED,OAAO;YACP,IAAI,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACvD,SAAS,GAAG,MAAM,CAAC;gBACnB,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;gBACxC,UAAU,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;YACrC,CAAC;YAED,SAAS;YACT,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAChC,SAAS,GAAG,QAAQ,CAAC;gBACrB,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;gBACxC,UAAU,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;YACrC,CAAC;YAED,QAAQ;YACR,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClD,SAAS,GAAG,SAAS,IAAI,OAAO,CAAC;gBACjC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;gBACvC,UAAU,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;YACrC,CAAC;YAED,UAAU;YACV,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChD,SAAS,GAAG,QAAQ,CAAC;gBACrB,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;gBACvC,UAAU,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QAED,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC;QACrD,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,iBAAiB;QACf,OAAO;YACL,4BAA4B;YAC5B;gBACE,MAAM,EAAE,OAAO;gBACf,IAAI,EAAE,YAAY;gBAClB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,IAAI;gBAChB,aAAa,EAAE,IAAI;aACpB;YACD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,WAAW;gBACjB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,IAAI;gBAChB,aAAa,EAAE,IAAI;aACpB;YACD;gBACE,MAAM,EAAE,QAAQ;gBAChB,IAAI,EAAE,WAAW;gBACjB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,IAAI;gBAChB,aAAa,EAAE,IAAI;aACpB;YACD;gBACE,MAAM,EAAE,SAAS;gBACjB,IAAI,EAAE,aAAa;gBACnB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;YACD;gBACE,MAAM,EAAE,SAAS;gBACjB,IAAI,EAAE,aAAa;gBACnB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;YAED,sBAAsB;YACtB;gBACE,MAAM,EAAE,KAAK;gBACb,KAAK,EAAE,iBAAiB;gBACxB,IAAI,EAAE,YAAY;gBAClB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,IAAI;gBAChB,aAAa,EAAE,IAAI;aACpB;YAED,iCAAiC;YACjC;gBACE,MAAM,EAAE,UAAU;gBAClB,IAAI,EAAE,WAAW;gBACjB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;YACD;gBACE,MAAM,EAAE,cAAc;gBACtB,IAAI,EAAE,WAAW;gBACjB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;YACD;gBACE,MAAM,EAAE,mBAAmB;gBAC3B,IAAI,EAAE,WAAW;gBACjB,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,IAAI;gBAChB,aAAa,EAAE,IAAI;aACpB;YAED,kBAAkB;YAClB;gBACE,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,SAAS;gBAChB,IAAI,EAAE,SAAS;gBACf,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;YACD;gBACE,MAAM,EAAE,KAAK;gBACb,KAAK,EAAE,SAAS;gBAChB,IAAI,EAAE,SAAS;gBACf,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,IAAI;gBAChB,aAAa,EAAE,IAAI;aACpB;YAED,cAAc;YACd;gBACE,MAAM,EAAE,cAAc;gBACtB,KAAK,EAAE,IAAI;gBACX,IAAI,EAAE,YAAY;gBAClB,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;YACD;gBACE,MAAM,EAAE,UAAU;gBAClB,KAAK,EAAE,IAAI;gBACX,IAAI,EAAE,YAAY;gBAClB,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,eAAe;QACb,OAAO;YACL,oBAAoB;YACpB;gBACE,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,eAAe;gBACtB,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,UAAU;gBAClB,KAAK,EAAE,eAAe;gBACtB,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,OAAO;gBACf,KAAK,EAAE,eAAe;gBACtB,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;aACrB;YAED,iBAAiB;YACjB;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,UAAU;gBAClB,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,YAAY;gBACpB,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC,EAAG,2BAA2B;aAChD;YACD;gBACE,MAAM,EAAE,aAAa;gBACrB,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC,EAAG,2BAA2B;aAChD;YAED,iBAAiB;YACjB;gBACE,MAAM,EAAE,cAAc;gBACtB,KAAK,EAAE,IAAI;gBACX,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,eAAe;gBACvB,KAAK,EAAE,IAAI;gBACX,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,kBAAkB;gBAC1B,KAAK,EAAE,IAAI;gBACX,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,YAAY;YACZ;gBACE,MAAM,EAAE,WAAW;gBACnB,IAAI,EAAE,KAAK;gBACX,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,WAAW;gBACnB,IAAI,EAAE,KAAK;gBACX,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,gBAAgB;gBACxB,IAAI,EAAE,KAAK;gBACX,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,gBAAgB;YAChB;gBACE,MAAM,EAAE,OAAO;gBACf,IAAI,EAAE,eAAe;gBACrB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,eAAe;gBACrB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,OAAO;YACP;gBACE,MAAM,EAAE,OAAO;gBACf,IAAI,EAAE,MAAM;gBACZ,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,KAAK;gBACb,KAAK,EAAE,OAAO;gBACd,IAAI,EAAE,MAAM;gBACZ,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,SAAS;gBACjB,KAAK,EAAE,MAAM;gBACb,IAAI,EAAE,MAAM;gBACZ,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,kBAAkB;YAClB;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,iBAAiB;gBACvB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,SAAS;gBACjB,IAAI,EAAE,iBAAiB;gBACvB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,oCAAoC;YACpC;gBACE,MAAM,EAAE,OAAO;gBACf,IAAI,EAAE,qBAAqB;gBAC3B,GAAG,EAAE,UAAU;gBACf,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;aACrB;YACD;gBACE,MAAM,EAAE,QAAQ;gBAChB,IAAI,EAAE,qBAAqB;gBAC3B,GAAG,EAAE,UAAU;gBACf,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;aACrB;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,IAAgB,EAAE,OAA0B;QAC1D,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB;YAAE,OAAO,SAAS,CAAC;QAEtD,MAAM,MAAM,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;QAClD,IAAI,CAAC,MAAM;YAAE,OAAO,SAAS,CAAC;QAE9B,2CAA2C;QAC3C,IAAI,MAAM,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;YACxC,MAAM,MAAM,GAAG,MAAM,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YAClD,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,MAAM,CAAC,IAAI,CAAC;YACrB,CAAC;QACH,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,IAAgB;QAC9B,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ;YACtB,IAAI,CAAC,IAAI,KAAK,iBAAiB;YAC/B,IAAI,CAAC,IAAI,KAAK,iBAAiB,CAAC;IACzC,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,IAAgB;QAC7B,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;YAAE,OAAO,SAAS,CAAC;QAElD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QAEvB,0BAA0B;QAC1B,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/C,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QAED,yBAAyB;QACzB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC5C,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YACjD,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED,+DAA+D;IAE/D,YAAY,CAAC,OAA0B;QACrC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,YAAY,CAAC,OAA0B;QACrC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,cAAc,CAAC,OAA0B;QACvC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,cAAc,CAAC,OAA0B;QACvC,+CAA+C;QAC/C,oDAAoD;QACpD,OAAO,SAAS,CAAC;IACnB,CAAC;CACF"}

package/dist/languages/plugins/python.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Python Language Plugin
+ *
+ * Provides Python-specific AST handling, taint patterns, and framework detection.
+ */
+import type { Node as SyntaxNode } from 'web-tree-sitter';
+import type { TypeInfo, CallInfo, ImportInfo } from '../../types/index.js';
+import type { LanguageNodeTypes, ExtractionContext, FrameworkInfo, TaintSourcePattern, TaintSinkPattern } from '../types.js';
+import { BaseLanguagePlugin } from './base.js';
+/**
+ * Python language plugin implementation.
+ */
+export declare class PythonPlugin extends BaseLanguagePlugin {
+    readonly id: "python";
+    readonly name = "Python";
+    readonly extensions: string[];
+    readonly wasmPath = "tree-sitter-python.wasm";
+    readonly nodeTypes: LanguageNodeTypes;
+    /**
+     * Detect Python frameworks from imports.
+     */
+    detectFramework(context: ExtractionContext): FrameworkInfo | undefined;
+    /**
+     * Python taint source patterns.
+     */
+    getBuiltinSources(): TaintSourcePattern[];
+    /**
+     * Python taint sink patterns.
+     */
+    getBuiltinSinks(): TaintSinkPattern[];
+    /**
+     * Get receiver type from a call expression.
+     */
+    getReceiverType(node: SyntaxNode, context: ExtractionContext): string | undefined;
+    /**
+     * Check if node is a Python string literal.
+     */
+    isStringLiteral(node: SyntaxNode): boolean;
+    /**
+     * Get string value from Python string literal.
+     */
+    getStringValue(node: SyntaxNode): string | undefined;
+    extractTypes(context: ExtractionContext): TypeInfo[];
+    extractCalls(context: ExtractionContext): CallInfo[];
+    extractImports(context: ExtractionContext): ImportInfo[];
+    extractPackage(context: ExtractionContext): string | undefined;
+}