circle-ir 3.111.0 → 3.113.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/analysis/config-loader.d.ts.map +1 -1
- package/dist/analysis/config-loader.js +54 -0
- package/dist/analysis/config-loader.js.map +1 -1
- package/dist/analysis/passes/insecure-cookie-pass.d.ts +2 -0
- package/dist/analysis/passes/insecure-cookie-pass.d.ts.map +1 -1
- package/dist/analysis/passes/insecure-cookie-pass.js +107 -5
- package/dist/analysis/passes/insecure-cookie-pass.js.map +1 -1
- package/dist/analysis/taint-matcher.d.ts.map +1 -1
- package/dist/analysis/taint-matcher.js +21 -6
- package/dist/analysis/taint-matcher.js.map +1 -1
- package/dist/browser/circle-ir.js +128 -4
- package/dist/core/circle-ir-core.cjs +60 -1
- package/dist/core/circle-ir-core.js +60 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,
|
|
1
|
+
{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAokDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA+QhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
|
|
@@ -1345,8 +1345,27 @@ export const DEFAULT_SINKS = [
|
|
|
1345
1345
|
// SQL query calls are covered by class-specific patterns above (Connection, Pool, Client, JdbcTemplate)
|
|
1346
1346
|
// Note: `raw` is shared with Python (Django ORM) — scoped to JS+TS to avoid leaking.
|
|
1347
1347
|
{ method: 'raw', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1348
|
+
// sqlite3 (npm) — Database/Statement methods. The JS plugin resolves
|
|
1349
|
+
// `const db = new sqlite3.Database(...); db.all(sql)` to the resolution
|
|
1350
|
+
// target `Connection.all`, so class-scoped patterns matching `Connection`
|
|
1351
|
+
// hit (see #186 Sprint 55 matcher extension consulting call.resolution.target).
|
|
1352
|
+
// `exec`/`run`/`all`/`get`/`each` follow the same shape.
|
|
1353
|
+
{ method: 'all', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
|
|
1354
|
+
{ method: 'run', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
|
|
1355
|
+
{ method: 'each', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
|
|
1356
|
+
{ method: 'get', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
|
|
1357
|
+
{ method: 'exec', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
|
|
1348
1358
|
// Browser DOM XSS sinks
|
|
1349
1359
|
{ method: 'setAttribute', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
1360
|
+
// Angular DomSanitizer.bypassSecurityTrust* — CWE-79 (#184 Sprint 55).
|
|
1361
|
+
// These methods explicitly bypass Angular's built-in sanitizer; passing
|
|
1362
|
+
// tainted strings re-introduces DOM-injection risk. Distinctive method
|
|
1363
|
+
// names — classless + language-scoped is safe.
|
|
1364
|
+
{ method: 'bypassSecurityTrustHtml', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1365
|
+
{ method: 'bypassSecurityTrustScript', type: 'xss', cwe: 'CWE-79', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1366
|
+
{ method: 'bypassSecurityTrustStyle', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1367
|
+
{ method: 'bypassSecurityTrustUrl', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1368
|
+
{ method: 'bypassSecurityTrustResourceUrl', type: 'xss', cwe: 'CWE-79', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1350
1369
|
// Express.js XSS (response methods)
|
|
1351
1370
|
{ method: 'send', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1352
1371
|
{ method: 'write', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
@@ -1359,6 +1378,19 @@ export const DEFAULT_SINKS = [
|
|
|
1359
1378
|
{ method: 'runInContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1360
1379
|
{ method: 'runInNewContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1361
1380
|
{ method: 'runInThisContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1381
|
+
// `new vm.Script(taint)` — Node core `vm` module compiles strings. The
|
|
1382
|
+
// JS plugin emits method_name = 'vm.Script' for the constructor call;
|
|
1383
|
+
// the matcher's dotted-simple-name fallback (taint-matcher.ts:1664) lets
|
|
1384
|
+
// pattern.method = 'Script' hit on method_name = 'vm.Script'. The
|
|
1385
|
+
// `class: 'constructor'` short-circuit accepts the no-receiver shape.
|
|
1386
|
+
// (#188 Sprint 55)
|
|
1387
|
+
{ method: 'Script', class: 'constructor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1388
|
+
// `setImmediate(taintedString)` — like setTimeout/setInterval, Node will
|
|
1389
|
+
// evaluate the first argument when it is a string. The callback-shape
|
|
1390
|
+
// suppression in taint-matcher.ts:1342 already covers setTimeout/
|
|
1391
|
+
// setInterval; the Sprint 55 fix extends that gate to setImmediate too.
|
|
1392
|
+
// (#188 Sprint 55)
|
|
1393
|
+
{ method: 'setImmediate', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1362
1394
|
// protobufjs Root.parse(schemaText) compiles a textual schema into JS at runtime;
|
|
1363
1395
|
// tainted schema → code execution (CVE-2026-41242). Issue #94.
|
|
1364
1396
|
{ method: 'parse', class: 'protobuf', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
@@ -1421,6 +1453,14 @@ export const DEFAULT_SINKS = [
|
|
|
1421
1453
|
// got library
|
|
1422
1454
|
{ method: 'get', class: 'got', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1423
1455
|
{ method: 'post', class: 'got', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1456
|
+
// got/request npm packages default-export a callable function:
|
|
1457
|
+
// const got = require('got'); got(req.query.url)
|
|
1458
|
+
// const request = require('request'); request(req.query.url, cb)
|
|
1459
|
+
// The classless method names are distinctive enough (`got`, `request`) that
|
|
1460
|
+
// the FP risk is acceptable; both are scoped to JS/TS so they don't leak
|
|
1461
|
+
// into other plugins. (#185 Sprint 55)
|
|
1462
|
+
{ method: 'got', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1463
|
+
{ method: 'request', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1424
1464
|
// superagent
|
|
1425
1465
|
{ method: 'get', class: 'superagent', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1426
1466
|
{ method: 'post', class: 'superagent', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
@@ -1497,6 +1537,11 @@ export const DEFAULT_SINKS = [
|
|
|
1497
1537
|
{ method: 'exec', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['python'] },
|
|
1498
1538
|
{ method: 'compile', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0], languages: ['python'] },
|
|
1499
1539
|
{ method: '__import__', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0], languages: ['python'] },
|
|
1540
|
+
// Python dynamic import — `importlib.import_module(taint)` parallels Java's
|
|
1541
|
+
// `Class.forName`. The bare `__import__` entry above also matches the
|
|
1542
|
+
// `importlib.__import__` form because the sink-matcher is class-agnostic
|
|
1543
|
+
// when a classless entry exists. Sprint 56 #183.
|
|
1544
|
+
{ method: 'import_module', class: 'importlib', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0], languages: ['python'] },
|
|
1500
1545
|
// Python Deserialization — language-scoped so the lowercase `yaml` / `pickle`
|
|
1501
1546
|
// module names don't collide with Java locals named `yaml` (SnakeYAML usage).
|
|
1502
1547
|
{ method: 'loads', class: 'pickle', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['python'] },
|
|
@@ -1754,6 +1799,15 @@ export const DEFAULT_SINKS = [
|
|
|
1754
1799
|
// Standard library logging
|
|
1755
1800
|
{ method: 'println!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2] },
|
|
1756
1801
|
{ method: 'eprintln!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2] },
|
|
1802
|
+
// log:: namespaced forms — the Rust macro extractor preserves the full
|
|
1803
|
+
// path prefix in `method_name` (`log::info!`), so the bare entries above
|
|
1804
|
+
// only match the imported form `use log::info; info!(...)`. Sprint 56 #182 Slice A.
|
|
1805
|
+
{ method: 'log::info!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2], languages: ['rust'] },
|
|
1806
|
+
{ method: 'log::warn!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2], languages: ['rust'] },
|
|
1807
|
+
{ method: 'log::error!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2], languages: ['rust'] },
|
|
1808
|
+
{ method: 'log::debug!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2], languages: ['rust'] },
|
|
1809
|
+
{ method: 'log::trace!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2], languages: ['rust'] },
|
|
1810
|
+
{ method: 'log::log!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2], languages: ['rust'] },
|
|
1757
1811
|
// Rust sqlx SQL Injection
|
|
1758
1812
|
{ method: 'query', class: 'sqlx', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1759
1813
|
{ method: 'query_as', class: 'sqlx', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|