circle-ir 3.111.0 → 3.113.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1 +1 @@
1
- {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA4gDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA+QhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
1
+ {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAokDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA+QhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
@@ -1345,8 +1345,27 @@ export const DEFAULT_SINKS = [
1345
1345
  // SQL query calls are covered by class-specific patterns above (Connection, Pool, Client, JdbcTemplate)
1346
1346
  // Note: `raw` is shared with Python (Django ORM) — scoped to JS+TS to avoid leaking.
1347
1347
  { method: 'raw', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1348
+ // sqlite3 (npm) — Database/Statement methods. The JS plugin resolves
1349
+ // `const db = new sqlite3.Database(...); db.all(sql)` to the resolution
1350
+ // target `Connection.all`, so class-scoped patterns matching `Connection`
1351
+ // hit (see #186 Sprint 55 matcher extension consulting call.resolution.target).
1352
+ // `exec`/`run`/`all`/`get`/`each` follow the same shape.
1353
+ { method: 'all', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1354
+ { method: 'run', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1355
+ { method: 'each', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1356
+ { method: 'get', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1357
+ { method: 'exec', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1348
1358
  // Browser DOM XSS sinks
1349
1359
  { method: 'setAttribute', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
1360
+ // Angular DomSanitizer.bypassSecurityTrust* — CWE-79 (#184 Sprint 55).
1361
+ // These methods explicitly bypass Angular's built-in sanitizer; passing
1362
+ // tainted strings re-introduces DOM-injection risk. Distinctive method
1363
+ // names — classless + language-scoped is safe.
1364
+ { method: 'bypassSecurityTrustHtml', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1365
+ { method: 'bypassSecurityTrustScript', type: 'xss', cwe: 'CWE-79', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1366
+ { method: 'bypassSecurityTrustStyle', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1367
+ { method: 'bypassSecurityTrustUrl', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1368
+ { method: 'bypassSecurityTrustResourceUrl', type: 'xss', cwe: 'CWE-79', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1350
1369
  // Express.js XSS (response methods)
1351
1370
  { method: 'send', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
1352
1371
  { method: 'write', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
@@ -1359,6 +1378,19 @@ export const DEFAULT_SINKS = [
1359
1378
  { method: 'runInContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
1360
1379
  { method: 'runInNewContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
1361
1380
  { method: 'runInThisContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
1381
+ // `new vm.Script(taint)` — Node core `vm` module compiles strings. The
1382
+ // JS plugin emits method_name = 'vm.Script' for the constructor call;
1383
+ // the matcher's dotted-simple-name fallback (taint-matcher.ts:1664) lets
1384
+ // pattern.method = 'Script' hit on method_name = 'vm.Script'. The
1385
+ // `class: 'constructor'` short-circuit accepts the no-receiver shape.
1386
+ // (#188 Sprint 55)
1387
+ { method: 'Script', class: 'constructor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1388
+ // `setImmediate(taintedString)` — like setTimeout/setInterval, Node will
1389
+ // evaluate the first argument when it is a string. The callback-shape
1390
+ // suppression in taint-matcher.ts:1342 already covers setTimeout/
1391
+ // setInterval; the Sprint 55 fix extends that gate to setImmediate too.
1392
+ // (#188 Sprint 55)
1393
+ { method: 'setImmediate', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1362
1394
  // protobufjs Root.parse(schemaText) compiles a textual schema into JS at runtime;
1363
1395
  // tainted schema → code execution (CVE-2026-41242). Issue #94.
1364
1396
  { method: 'parse', class: 'protobuf', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
@@ -1421,6 +1453,14 @@ export const DEFAULT_SINKS = [
1421
1453
  // got library
1422
1454
  { method: 'get', class: 'got', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
1423
1455
  { method: 'post', class: 'got', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
1456
+ // got/request npm packages default-export a callable function:
1457
+ // const got = require('got'); got(req.query.url)
1458
+ // const request = require('request'); request(req.query.url, cb)
1459
+ // The classless method names are distinctive enough (`got`, `request`) that
1460
+ // the FP risk is acceptable; both are scoped to JS/TS so they don't leak
1461
+ // into other plugins. (#185 Sprint 55)
1462
+ { method: 'got', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1463
+ { method: 'request', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
1424
1464
  // superagent
1425
1465
  { method: 'get', class: 'superagent', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
1426
1466
  { method: 'post', class: 'superagent', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
@@ -1497,6 +1537,11 @@ export const DEFAULT_SINKS = [
1497
1537
  { method: 'exec', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['python'] },
1498
1538
  { method: 'compile', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0], languages: ['python'] },
1499
1539
  { method: '__import__', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0], languages: ['python'] },
1540
+ // Python dynamic import — `importlib.import_module(taint)` parallels Java's
1541
+ // `Class.forName`. The bare `__import__` entry above also matches the
1542
+ // `importlib.__import__` form because the sink-matcher is class-agnostic
1543
+ // when a classless entry exists. Sprint 56 #183.
1544
+ { method: 'import_module', class: 'importlib', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0], languages: ['python'] },
1500
1545
  // Python Deserialization — language-scoped so the lowercase `yaml` / `pickle`
1501
1546
  // module names don't collide with Java locals named `yaml` (SnakeYAML usage).
1502
1547
  { method: 'loads', class: 'pickle', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['python'] },
@@ -1754,6 +1799,15 @@ export const DEFAULT_SINKS = [
1754
1799
  // Standard library logging
1755
1800
  { method: 'println!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2] },
1756
1801
  { method: 'eprintln!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2] },
1802
+ // log:: namespaced forms — the Rust macro extractor preserves the full
1803
+ // path prefix in `method_name` (`log::info!`), so the bare entries above
1804
+ // only match the imported form `use log::info; info!(...)`. Sprint 56 #182 Slice A.
1805
+ { method: 'log::info!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2], languages: ['rust'] },
1806
+ { method: 'log::warn!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2], languages: ['rust'] },
1807
+ { method: 'log::error!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2], languages: ['rust'] },
1808
+ { method: 'log::debug!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2], languages: ['rust'] },
1809
+ { method: 'log::trace!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2], languages: ['rust'] },
1810
+ { method: 'log::log!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2], languages: ['rust'] },
1757
1811
  // Rust sqlx SQL Injection
1758
1812
  { method: 'query', class: 'sqlx', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
1759
1813
  { method: 'query_as', class: 'sqlx', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },