circle-ir 3.110.0 → 3.112.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -94,6 +94,24 @@
94
94
  "arg_positions": [0],
95
95
  "note": "Fork new Node.js process"
96
96
  },
97
+ {
98
+ "method": "command",
99
+ "class": "execa",
100
+ "type": "command_injection",
101
+ "cwe": "CWE-78",
102
+ "severity": "critical",
103
+ "arg_positions": [0],
104
+ "note": "execa.command(taintedString) — parses string into program+argv; tainted arg is shell-injectable. cognium-dev #187 Sprint 54."
105
+ },
106
+ {
107
+ "method": "commandSync",
108
+ "class": "execa",
109
+ "type": "command_injection",
110
+ "cwe": "CWE-78",
111
+ "severity": "critical",
112
+ "arg_positions": [0],
113
+ "note": "execa.commandSync(taintedString) — synchronous variant of execa.command."
114
+ },
97
115
  {
98
116
  "method": "query",
99
117
  "class": "mysql",
@@ -1 +1 @@
1
- {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA+/CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA+QhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
1
+ {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAsjDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA+QhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
@@ -567,10 +567,20 @@ export const DEFAULT_SINKS = [
567
567
  { method: 'bash', languages: ['java', 'javascript', 'typescript', 'python', 'go', 'rust'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
568
568
  { method: 'shell', languages: ['java', 'javascript', 'typescript', 'python', 'go', 'rust'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
569
569
  { method: 'sh', languages: ['java', 'javascript', 'typescript', 'python', 'go', 'rust'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
570
- { method: 'spawn', languages: ['java', 'javascript', 'typescript', 'python', 'go', 'rust'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
570
+ // cognium-dev #187 Sprint 54: arg_positions [0, 1] so the JS shell-mode shape
571
+ // `spawn('sh', ['-c', tainted])` / `execFile('/bin/sh', ['-c', tainted])`
572
+ // surfaces taint at the argv-array position (arg[1]).
573
+ { method: 'spawn', languages: ['java', 'javascript', 'typescript', 'python', 'go', 'rust'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0, 1] },
574
+ { method: 'spawnSync', languages: ['javascript', 'typescript'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0, 1] },
575
+ { method: 'execFile', languages: ['javascript', 'typescript'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0, 1] },
576
+ { method: 'execFileSync', languages: ['javascript', 'typescript'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0, 1] },
571
577
  { method: 'fork', languages: ['java', 'javascript', 'typescript', 'python', 'go', 'rust'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
572
578
  { method: 'popen', languages: ['java', 'javascript', 'typescript', 'python', 'go', 'rust'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
573
579
  { method: 'system', languages: ['java', 'javascript', 'typescript', 'python', 'go', 'rust'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
580
+ // execa (npm) — parses tainted shell-style strings into program+argv;
581
+ // arg[0] is shell-injectable. cognium-dev #187 Sprint 54.
582
+ { method: 'command', class: 'execa', languages: ['javascript', 'typescript'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
583
+ { method: 'commandSync', class: 'execa', languages: ['javascript', 'typescript'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
574
584
  // Apache Commons Exec
575
585
  // Note: bare class 'Executor' removed (see comment above) — DefaultExecutor matched explicitly.
576
586
  { method: 'setCommandline', class: 'DefaultExecutor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
@@ -1335,8 +1345,27 @@ export const DEFAULT_SINKS = [
1335
1345
  // SQL query calls are covered by class-specific patterns above (Connection, Pool, Client, JdbcTemplate)
1336
1346
  // Note: `raw` is shared with Python (Django ORM) — scoped to JS+TS to avoid leaking.
1337
1347
  { method: 'raw', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1348
+ // sqlite3 (npm) — Database/Statement methods. The JS plugin resolves
1349
+ // `const db = new sqlite3.Database(...); db.all(sql)` to the resolution
1350
+ // target `Connection.all`, so class-scoped patterns matching `Connection`
1351
+ // hit (see #186 Sprint 55 matcher extension consulting call.resolution.target).
1352
+ // `exec`/`run`/`all`/`get`/`each` follow the same shape.
1353
+ { method: 'all', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1354
+ { method: 'run', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1355
+ { method: 'each', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1356
+ { method: 'get', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1357
+ { method: 'exec', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1338
1358
  // Browser DOM XSS sinks
1339
1359
  { method: 'setAttribute', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
1360
+ // Angular DomSanitizer.bypassSecurityTrust* — CWE-79 (#184 Sprint 55).
1361
+ // These methods explicitly bypass Angular's built-in sanitizer; passing
1362
+ // tainted strings re-introduces DOM-injection risk. Distinctive method
1363
+ // names — classless + language-scoped is safe.
1364
+ { method: 'bypassSecurityTrustHtml', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1365
+ { method: 'bypassSecurityTrustScript', type: 'xss', cwe: 'CWE-79', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1366
+ { method: 'bypassSecurityTrustStyle', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1367
+ { method: 'bypassSecurityTrustUrl', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1368
+ { method: 'bypassSecurityTrustResourceUrl', type: 'xss', cwe: 'CWE-79', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1340
1369
  // Express.js XSS (response methods)
1341
1370
  { method: 'send', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
1342
1371
  { method: 'write', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
@@ -1349,6 +1378,19 @@ export const DEFAULT_SINKS = [
1349
1378
  { method: 'runInContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
1350
1379
  { method: 'runInNewContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
1351
1380
  { method: 'runInThisContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
1381
+ // `new vm.Script(taint)` — Node core `vm` module compiles strings. The
1382
+ // JS plugin emits method_name = 'vm.Script' for the constructor call;
1383
+ // the matcher's dotted-simple-name fallback (taint-matcher.ts:1664) lets
1384
+ // pattern.method = 'Script' hit on method_name = 'vm.Script'. The
1385
+ // `class: 'constructor'` short-circuit accepts the no-receiver shape.
1386
+ // (#188 Sprint 55)
1387
+ { method: 'Script', class: 'constructor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1388
+ // `setImmediate(taintedString)` — like setTimeout/setInterval, Node will
1389
+ // evaluate the first argument when it is a string. The callback-shape
1390
+ // suppression in taint-matcher.ts:1342 already covers setTimeout/
1391
+ // setInterval; the Sprint 55 fix extends that gate to setImmediate too.
1392
+ // (#188 Sprint 55)
1393
+ { method: 'setImmediate', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1352
1394
  // protobufjs Root.parse(schemaText) compiles a textual schema into JS at runtime;
1353
1395
  // tainted schema → code execution (CVE-2026-41242). Issue #94.
1354
1396
  { method: 'parse', class: 'protobuf', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
@@ -1411,6 +1453,14 @@ export const DEFAULT_SINKS = [
1411
1453
  // got library
1412
1454
  { method: 'get', class: 'got', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
1413
1455
  { method: 'post', class: 'got', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
1456
+ // got/request npm packages default-export a callable function:
1457
+ // const got = require('got'); got(req.query.url)
1458
+ // const request = require('request'); request(req.query.url, cb)
1459
+ // The classless method names are distinctive enough (`got`, `request`) that
1460
+ // the FP risk is acceptable; both are scoped to JS/TS so they don't leak
1461
+ // into other plugins. (#185 Sprint 55)
1462
+ { method: 'got', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1463
+ { method: 'request', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1414
1464
  // superagent
1415
1465
  { method: 'get', class: 'superagent', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
1416
1466
  { method: 'post', class: 'superagent', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
@@ -1580,7 +1630,9 @@ export const DEFAULT_SINKS = [
1580
1630
  { method: 'aggregate', class: 'Collection', type: 'nosql_injection', cwe: 'CWE-943', severity: 'critical', arg_positions: [0] },
1581
1631
  // pymongo dynamic attribute-access pattern: `db.users.find({...})` — receiver
1582
1632
  // class isn't statically known. Method-only entries restricted to Python.
1583
- // cognium-dev#104 Sprint 22.
1633
+ // cognium-dev#104 Sprint 22, #194 Sprint 54 added `find`/`aggregate`.
1634
+ { method: 'find', type: 'nosql_injection', cwe: 'CWE-943', severity: 'critical', arg_positions: [0], languages: ['python'] },
1635
+ { method: 'aggregate', type: 'nosql_injection', cwe: 'CWE-943', severity: 'critical', arg_positions: [0], languages: ['python'] },
1584
1636
  { method: 'find_one', type: 'nosql_injection', cwe: 'CWE-943', severity: 'critical', arg_positions: [0], languages: ['python'] },
1585
1637
  { method: 'update_one', type: 'nosql_injection', cwe: 'CWE-943', severity: 'critical', arg_positions: [0, 1], languages: ['python'] },
1586
1638
  { method: 'update_many', type: 'nosql_injection', cwe: 'CWE-943', severity: 'critical', arg_positions: [0, 1], languages: ['python'] },