circle-ir 3.111.0 → 3.112.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1 +1 @@
1
- {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA4gDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA+QhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
1
+ {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAsjDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA+QhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
@@ -1345,8 +1345,27 @@ export const DEFAULT_SINKS = [
1345
1345
  // SQL query calls are covered by class-specific patterns above (Connection, Pool, Client, JdbcTemplate)
1346
1346
  // Note: `raw` is shared with Python (Django ORM) — scoped to JS+TS to avoid leaking.
1347
1347
  { method: 'raw', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1348
+ // sqlite3 (npm) — Database/Statement methods. The JS plugin resolves
1349
+ // `const db = new sqlite3.Database(...); db.all(sql)` to the resolution
1350
+ // target `Connection.all`, so class-scoped patterns matching `Connection`
1351
+ // hit (see #186 Sprint 55 matcher extension consulting call.resolution.target).
1352
+ // `exec`/`run`/`all`/`get`/`each` follow the same shape.
1353
+ { method: 'all', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1354
+ { method: 'run', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1355
+ { method: 'each', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1356
+ { method: 'get', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1357
+ { method: 'exec', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1348
1358
  // Browser DOM XSS sinks
1349
1359
  { method: 'setAttribute', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
1360
+ // Angular DomSanitizer.bypassSecurityTrust* — CWE-79 (#184 Sprint 55).
1361
+ // These methods explicitly bypass Angular's built-in sanitizer; passing
1362
+ // tainted strings re-introduces DOM-injection risk. Distinctive method
1363
+ // names — classless + language-scoped is safe.
1364
+ { method: 'bypassSecurityTrustHtml', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1365
+ { method: 'bypassSecurityTrustScript', type: 'xss', cwe: 'CWE-79', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1366
+ { method: 'bypassSecurityTrustStyle', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1367
+ { method: 'bypassSecurityTrustUrl', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1368
+ { method: 'bypassSecurityTrustResourceUrl', type: 'xss', cwe: 'CWE-79', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1350
1369
  // Express.js XSS (response methods)
1351
1370
  { method: 'send', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
1352
1371
  { method: 'write', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
@@ -1359,6 +1378,19 @@ export const DEFAULT_SINKS = [
1359
1378
  { method: 'runInContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
1360
1379
  { method: 'runInNewContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
1361
1380
  { method: 'runInThisContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
1381
+ // `new vm.Script(taint)` — Node core `vm` module compiles strings. The
1382
+ // JS plugin emits method_name = 'vm.Script' for the constructor call;
1383
+ // the matcher's dotted-simple-name fallback (taint-matcher.ts:1664) lets
1384
+ // pattern.method = 'Script' hit on method_name = 'vm.Script'. The
1385
+ // `class: 'constructor'` short-circuit accepts the no-receiver shape.
1386
+ // (#188 Sprint 55)
1387
+ { method: 'Script', class: 'constructor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1388
+ // `setImmediate(taintedString)` — like setTimeout/setInterval, Node will
1389
+ // evaluate the first argument when it is a string. The callback-shape
1390
+ // suppression in taint-matcher.ts:1342 already covers setTimeout/
1391
+ // setInterval; the Sprint 55 fix extends that gate to setImmediate too.
1392
+ // (#188 Sprint 55)
1393
+ { method: 'setImmediate', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1362
1394
  // protobufjs Root.parse(schemaText) compiles a textual schema into JS at runtime;
1363
1395
  // tainted schema → code execution (CVE-2026-41242). Issue #94.
1364
1396
  { method: 'parse', class: 'protobuf', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
@@ -1421,6 +1453,14 @@ export const DEFAULT_SINKS = [
1421
1453
  // got library
1422
1454
  { method: 'get', class: 'got', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
1423
1455
  { method: 'post', class: 'got', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
1456
+ // got/request npm packages default-export a callable function:
1457
+ // const got = require('got'); got(req.query.url)
1458
+ // const request = require('request'); request(req.query.url, cb)
1459
+ // The classless method names are distinctive enough (`got`, `request`) that
1460
+ // the FP risk is acceptable; both are scoped to JS/TS so they don't leak
1461
+ // into other plugins. (#185 Sprint 55)
1462
+ { method: 'got', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1463
+ { method: 'request', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1424
1464
  // superagent
1425
1465
  { method: 'get', class: 'superagent', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
1426
1466
  { method: 'post', class: 'superagent', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },