circle-ir 3.112.0 → 3.114.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -12140,6 +12140,11 @@ var DEFAULT_SINKS = [
12140
12140
  { method: "exec", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["python"] },
12141
12141
  { method: "compile", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
12142
12142
  { method: "__import__", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
12143
+ // Python dynamic import — `importlib.import_module(taint)` parallels Java's
12144
+ // `Class.forName`. The bare `__import__` entry above also matches the
12145
+ // `importlib.__import__` form because the sink-matcher is class-agnostic
12146
+ // when a classless entry exists. Sprint 56 #183.
12147
+ { method: "import_module", class: "importlib", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
12143
12148
  // Python Deserialization — language-scoped so the lowercase `yaml` / `pickle`
12144
12149
  // module names don't collide with Java locals named `yaml` (SnakeYAML usage).
12145
12150
  { method: "loads", class: "pickle", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["python"] },
@@ -12397,6 +12402,15 @@ var DEFAULT_SINKS = [
12397
12402
  // Standard library logging
12398
12403
  { method: "println!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2] },
12399
12404
  { method: "eprintln!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2] },
12405
+ // log:: namespaced forms — the Rust macro extractor preserves the full
12406
+ // path prefix in `method_name` (`log::info!`), so the bare entries above
12407
+ // only match the imported form `use log::info; info!(...)`. Sprint 56 #182 Slice A.
12408
+ { method: "log::info!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
12409
+ { method: "log::warn!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
12410
+ { method: "log::error!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
12411
+ { method: "log::debug!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
12412
+ { method: "log::trace!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
12413
+ { method: "log::log!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
12400
12414
  // Rust sqlx SQL Injection
12401
12415
  { method: "query", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
12402
12416
  { method: "query_as", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
@@ -14549,7 +14563,12 @@ function canSourceReachSink(sourceType, sinkType) {
14549
14563
  http_cookie: ["sql_injection", "xss", "mybatis_mapper_call", "code_injection", "crlf"],
14550
14564
  http_path: ["path_traversal", "sql_injection", "ssrf", "mybatis_mapper_call"],
14551
14565
  http_query: ["sql_injection", "command_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection", "crlf", "mass_assignment"],
14552
- io_input: ["command_injection", "path_traversal", "deserialization", "xxe", "code_injection", "xss"],
14566
+ // ssrf added Sprint 57 #200: bash CGI/webhook handlers and scripts that
14567
+ // take a URL on stdin or as a positional CLI arg (`curl "$1"`,
14568
+ // `wget "$(read line)"`) and curl/wget it server-side are textbook SSRF
14569
+ // (CVE-2022-41040 ProxyShell-class). Cross-language: `socket.urlopen(input())`
14570
+ // (Python), `axios.get(readline())` (JS) etc. also benefit.
14571
+ io_input: ["command_injection", "path_traversal", "deserialization", "xxe", "code_injection", "xss", "ssrf"],
14553
14572
  env_input: ["command_injection", "path_traversal"],
14554
14573
  db_input: ["xss", "sql_injection"],
14555
14574
  // Second-order injection
@@ -21742,20 +21761,24 @@ var BashPlugin = class extends BaseLanguagePlugin {
21742
21761
  severity: "medium",
21743
21762
  argPositions: [1]
21744
21763
  },
21745
- // SSRF — curl/wget with externally-controlled URL
21764
+ // SSRF — curl/wget with externally-controlled URL.
21765
+ // argPositions: [] (scan all args) — curl/wget invocations commonly
21766
+ // interleave flags (`-s`, `-fsSL`, `-o file`) before the URL, so the
21767
+ // URL position is unpredictable. Sprint 57 #200; mirrors Sprint 23
21768
+ // exec.Command widening pattern.
21746
21769
  {
21747
21770
  method: "curl",
21748
21771
  type: "ssrf",
21749
21772
  cwe: "CWE-918",
21750
21773
  severity: "high",
21751
- argPositions: [0]
21774
+ argPositions: []
21752
21775
  },
21753
21776
  {
21754
21777
  method: "wget",
21755
21778
  type: "ssrf",
21756
21779
  cwe: "CWE-918",
21757
21780
  severity: "high",
21758
- argPositions: [0]
21781
+ argPositions: []
21759
21782
  },
21760
21783
  // File inclusion — `source` and POSIX `.` execute arbitrary shell code
21761
21784
  // from the file at the supplied path. With user-controlled input this is
@@ -24004,7 +24027,18 @@ var BASH_UNTRUSTED_ENV_PATTERNS = [
24004
24027
  /^CONTENT_LENGTH$/i,
24005
24028
  /^PATH_INFO$/i,
24006
24029
  /^SCRIPT_NAME$/i,
24007
- /^SERVER_NAME$/i
24030
+ /^SERVER_NAME$/i,
24031
+ // Sprint 57 #198: RPC/CMD/EXEC/EVAL/SHELL-class env vars seen in recent
24032
+ // CVE intake (CVE-2025-67038 HTTP RPC pattern and similar). These names
24033
+ // are conventionally used to pass attacker-controlled payloads into
24034
+ // shell handlers via HTTP-to-CGI bridges.
24035
+ /^RPC_/i,
24036
+ /^XMLRPC/i,
24037
+ /^JSONRPC/i,
24038
+ /^CMD_/i,
24039
+ /^EXEC_/i,
24040
+ /^EVAL_/i,
24041
+ /^SHELL_/i
24008
24042
  ];
24009
24043
  var BASH_NETWORK_COMMANDS = /* @__PURE__ */ new Set(["curl", "wget", "nc", "ncat"]);
24010
24044
  var BASH_FILE_COMMANDS = /* @__PURE__ */ new Set(["cat", "head", "tail", "less", "more", "awk", "sed", "cut", "grep"]);
@@ -31325,6 +31359,9 @@ var PY_SECURE_TRUE_RE = /\bsecure\s*=\s*True\b/;
31325
31359
  var PY_HTTPONLY_TRUE_RE = /\bhttponly\s*=\s*True\b/i;
31326
31360
  var JAVA_SET_SECURE_TRUE_RE = /\.setSecure\s*\(\s*true\s*\)/;
31327
31361
  var JAVA_SET_HTTPONLY_TRUE_RE = /\.setHttpOnly\s*\(\s*true\s*\)/;
31362
+ var GO_SECURE_TRUE_RE = /\bSecure\s*:\s*true\b/;
31363
+ var GO_HTTPONLY_TRUE_RE = /\bHttpOnly\s*:\s*true\b/;
31364
+ var RUST_SET_COOKIE_MACRO_RE = /(format!|write!|writeln!)\s*\(([^()]*Set-Cookie[^()]*)\)/gis;
31328
31365
  var InsecureCookiePass = class {
31329
31366
  name = "insecure-cookie";
31330
31367
  category = "security";
@@ -31355,6 +31392,19 @@ var InsecureCookiePass = class {
31355
31392
  insecureCookies.push(det);
31356
31393
  this.emit(ctx, file, det, "java");
31357
31394
  }
31395
+ } else if (language === "go") {
31396
+ for (const call of graph.ir.calls) {
31397
+ const det = this.detectGo(call);
31398
+ if (!det) continue;
31399
+ insecureCookies.push(det);
31400
+ this.emit(ctx, file, det, "go");
31401
+ }
31402
+ } else if (language === "rust") {
31403
+ const dets = this.detectRustSetCookieFormat(code);
31404
+ for (const det of dets) {
31405
+ insecureCookies.push(det);
31406
+ this.emit(ctx, file, det, "rust");
31407
+ }
31358
31408
  }
31359
31409
  return { insecureCookies };
31360
31410
  }
@@ -31414,11 +31464,60 @@ var InsecureCookiePass = class {
31414
31464
  optionsPresent: false
31415
31465
  };
31416
31466
  }
31467
+ // ---------------- Go ----------------
31468
+ detectGo(call) {
31469
+ if (call.method_name !== "SetCookie") return null;
31470
+ if ((call.receiver ?? "") !== "http") return null;
31471
+ if (call.arguments.length < 2) return null;
31472
+ const cookieArg = call.arguments.find((a) => a.position === 1);
31473
+ const cookieExpr = (cookieArg?.expression ?? "").trim();
31474
+ if (!cookieExpr.includes("{") || !cookieExpr.includes("}")) return null;
31475
+ const missingSecure = !GO_SECURE_TRUE_RE.test(cookieExpr);
31476
+ const missingHttpOnly = !GO_HTTPONLY_TRUE_RE.test(cookieExpr);
31477
+ if (!missingSecure && !missingHttpOnly) return null;
31478
+ return {
31479
+ line: call.location.line,
31480
+ receiver: "http.SetCookie",
31481
+ missingSecure,
31482
+ missingHttpOnly,
31483
+ optionsPresent: true
31484
+ };
31485
+ }
31486
+ // ---------------- Rust ----------------
31487
+ detectRustSetCookieFormat(code) {
31488
+ const out2 = [];
31489
+ const re = new RegExp(RUST_SET_COOKIE_MACRO_RE.source, RUST_SET_COOKIE_MACRO_RE.flags);
31490
+ let m;
31491
+ while ((m = re.exec(code)) !== null) {
31492
+ const macro = m[1] ?? "";
31493
+ const body2 = m[2] ?? "";
31494
+ const missingSecure = !/\bSecure\b/.test(body2);
31495
+ const missingHttpOnly = !/\bHttpOnly\b/.test(body2);
31496
+ if (!missingSecure && !missingHttpOnly) continue;
31497
+ const line = code.slice(0, m.index).split("\n").length;
31498
+ out2.push({
31499
+ line,
31500
+ receiver: macro,
31501
+ missingSecure,
31502
+ missingHttpOnly,
31503
+ optionsPresent: true
31504
+ });
31505
+ }
31506
+ return out2;
31507
+ }
31417
31508
  emit(ctx, file, det, flavor) {
31418
31509
  const missing = [];
31419
- if (det.missingSecure) missing.push(flavor === "js" ? "`secure: true`" : flavor === "python" ? "`secure=True`" : "`setSecure(true)`");
31420
- if (det.missingHttpOnly) missing.push(flavor === "js" ? "`httpOnly: true`" : flavor === "python" ? "`httponly=True`" : "`setHttpOnly(true)`");
31421
- const fix = flavor === "js" ? 'Pass `{ secure: true, httpOnly: true, sameSite: "lax" }` as the third argument to `res.cookie()`.' : flavor === "python" ? 'Pass `secure=True, httponly=True, samesite="Lax"` to `response.set_cookie(...)`.' : "After constructing the cookie, call `cookie.setSecure(true)` and `cookie.setHttpOnly(true)` before adding it to the response.";
31510
+ if (det.missingSecure) {
31511
+ missing.push(
31512
+ flavor === "js" ? "`secure: true`" : flavor === "python" ? "`secure=True`" : flavor === "java" ? "`setSecure(true)`" : flavor === "go" ? "`Secure: true`" : "`Secure` attribute"
31513
+ );
31514
+ }
31515
+ if (det.missingHttpOnly) {
31516
+ missing.push(
31517
+ flavor === "js" ? "`httpOnly: true`" : flavor === "python" ? "`httponly=True`" : flavor === "java" ? "`setHttpOnly(true)`" : flavor === "go" ? "`HttpOnly: true`" : "`HttpOnly` attribute"
31518
+ );
31519
+ }
31520
+ const fix = flavor === "js" ? 'Pass `{ secure: true, httpOnly: true, sameSite: "lax" }` as the third argument to `res.cookie()`.' : flavor === "python" ? 'Pass `secure=True, httponly=True, samesite="Lax"` to `response.set_cookie(...)`.' : flavor === "java" ? "After constructing the cookie, call `cookie.setSecure(true)` and `cookie.setHttpOnly(true)` before adding it to the response." : flavor === "go" ? "Set `Secure: true` and `HttpOnly: true` on the `http.Cookie` struct literal passed to `http.SetCookie`." : "Append `; Secure; HttpOnly` to the `Set-Cookie` header string.";
31422
31521
  ctx.addFinding({
31423
31522
  id: `${this.name}-${file}-${det.line}`,
31424
31523
  pass: this.name,
@@ -11522,6 +11522,11 @@ var DEFAULT_SINKS = [
11522
11522
  { method: "exec", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["python"] },
11523
11523
  { method: "compile", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
11524
11524
  { method: "__import__", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
11525
+ // Python dynamic import — `importlib.import_module(taint)` parallels Java's
11526
+ // `Class.forName`. The bare `__import__` entry above also matches the
11527
+ // `importlib.__import__` form because the sink-matcher is class-agnostic
11528
+ // when a classless entry exists. Sprint 56 #183.
11529
+ { method: "import_module", class: "importlib", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
11525
11530
  // Python Deserialization — language-scoped so the lowercase `yaml` / `pickle`
11526
11531
  // module names don't collide with Java locals named `yaml` (SnakeYAML usage).
11527
11532
  { method: "loads", class: "pickle", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["python"] },
@@ -11779,6 +11784,15 @@ var DEFAULT_SINKS = [
11779
11784
  // Standard library logging
11780
11785
  { method: "println!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2] },
11781
11786
  { method: "eprintln!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2] },
11787
+ // log:: namespaced forms — the Rust macro extractor preserves the full
11788
+ // path prefix in `method_name` (`log::info!`), so the bare entries above
11789
+ // only match the imported form `use log::info; info!(...)`. Sprint 56 #182 Slice A.
11790
+ { method: "log::info!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
11791
+ { method: "log::warn!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
11792
+ { method: "log::error!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
11793
+ { method: "log::debug!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
11794
+ { method: "log::trace!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
11795
+ { method: "log::log!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
11782
11796
  // Rust sqlx SQL Injection
11783
11797
  { method: "query", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
11784
11798
  { method: "query_as", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
@@ -11456,6 +11456,11 @@ var DEFAULT_SINKS = [
11456
11456
  { method: "exec", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["python"] },
11457
11457
  { method: "compile", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
11458
11458
  { method: "__import__", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
11459
+ // Python dynamic import — `importlib.import_module(taint)` parallels Java's
11460
+ // `Class.forName`. The bare `__import__` entry above also matches the
11461
+ // `importlib.__import__` form because the sink-matcher is class-agnostic
11462
+ // when a classless entry exists. Sprint 56 #183.
11463
+ { method: "import_module", class: "importlib", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
11459
11464
  // Python Deserialization — language-scoped so the lowercase `yaml` / `pickle`
11460
11465
  // module names don't collide with Java locals named `yaml` (SnakeYAML usage).
11461
11466
  { method: "loads", class: "pickle", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["python"] },
@@ -11713,6 +11718,15 @@ var DEFAULT_SINKS = [
11713
11718
  // Standard library logging
11714
11719
  { method: "println!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2] },
11715
11720
  { method: "eprintln!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2] },
11721
+ // log:: namespaced forms — the Rust macro extractor preserves the full
11722
+ // path prefix in `method_name` (`log::info!`), so the bare entries above
11723
+ // only match the imported form `use log::info; info!(...)`. Sprint 56 #182 Slice A.
11724
+ { method: "log::info!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
11725
+ { method: "log::warn!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
11726
+ { method: "log::error!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
11727
+ { method: "log::debug!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
11728
+ { method: "log::trace!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
11729
+ { method: "log::log!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
11716
11730
  // Rust sqlx SQL Injection
11717
11731
  { method: "query", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
11718
11732
  { method: "query_as", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
@@ -1 +1 @@
1
- {"version":3,"file":"bash.d.ts","sourceRoot":"","sources":["../../../src/languages/plugins/bash.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,KAAK,EACV,QAAQ,EACR,QAAQ,EACR,UAAU,EACX,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,EACV,iBAAiB,EACjB,iBAAiB,EACjB,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAE/C;;GAEG;AACH,qBAAa,UAAW,SAAQ,kBAAkB;IAChD,QAAQ,CAAC,EAAE,EAAG,MAAM,CAAU;IAC9B,QAAQ,CAAC,IAAI,gBAAgB;IAC7B,QAAQ,CAAC,UAAU,WAAoC;IACvD,QAAQ,CAAC,QAAQ,2BAA2B;IAE5C,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CA+BnC;IAEF;;OAEG;IACH,eAAe,CAAC,QAAQ,EAAE,iBAAiB,GAAG,aAAa,GAAG,SAAS;IAIvE;;;;OAIG;IACH,iBAAiB,IAAI,kBAAkB,EAAE;IA6BzC;;;;OAIG;IACH,eAAe,IAAI,gBAAgB,EAAE;IAgJrC;;OAEG;IACH,eAAe,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,iBAAiB,GAAG,MAAM,GAAG,SAAS;IAInF;;OAEG;IACH,eAAe,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO;IAQ1C;;OAEG;IACH,cAAc,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,GAAG,SAAS;IAqBpD,YAAY,CAAC,QAAQ,EAAE,iBAAiB,GAAG,QAAQ,EAAE;IAIrD,YAAY,CAAC,QAAQ,EAAE,iBAAiB,GAAG,QAAQ,EAAE;IAIrD,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,UAAU,EAAE;IAIzD,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,MAAM,GAAG,SAAS;CAGhE"}
1
+ {"version":3,"file":"bash.d.ts","sourceRoot":"","sources":["../../../src/languages/plugins/bash.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,KAAK,EACV,QAAQ,EACR,QAAQ,EACR,UAAU,EACX,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,EACV,iBAAiB,EACjB,iBAAiB,EACjB,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAE/C;;GAEG;AACH,qBAAa,UAAW,SAAQ,kBAAkB;IAChD,QAAQ,CAAC,EAAE,EAAG,MAAM,CAAU;IAC9B,QAAQ,CAAC,IAAI,gBAAgB;IAC7B,QAAQ,CAAC,UAAU,WAAoC;IACvD,QAAQ,CAAC,QAAQ,2BAA2B;IAE5C,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CA+BnC;IAEF;;OAEG;IACH,eAAe,CAAC,QAAQ,EAAE,iBAAiB,GAAG,aAAa,GAAG,SAAS;IAIvE;;;;OAIG;IACH,iBAAiB,IAAI,kBAAkB,EAAE;IA6BzC;;;;OAIG;IACH,eAAe,IAAI,gBAAgB,EAAE;IAoJrC;;OAEG;IACH,eAAe,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,iBAAiB,GAAG,MAAM,GAAG,SAAS;IAInF;;OAEG;IACH,eAAe,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO;IAQ1C;;OAEG;IACH,cAAc,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,GAAG,SAAS;IAqBpD,YAAY,CAAC,QAAQ,EAAE,iBAAiB,GAAG,QAAQ,EAAE;IAIrD,YAAY,CAAC,QAAQ,EAAE,iBAAiB,GAAG,QAAQ,EAAE;IAIrD,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,UAAU,EAAE;IAIzD,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,MAAM,GAAG,SAAS;CAGhE"}
@@ -187,20 +187,24 @@ export class BashPlugin extends BaseLanguagePlugin {
187
187
  severity: 'medium',
188
188
  argPositions: [1],
189
189
  },
190
- // SSRF — curl/wget with externally-controlled URL
190
+ // SSRF — curl/wget with externally-controlled URL.
191
+ // argPositions: [] (scan all args) — curl/wget invocations commonly
192
+ // interleave flags (`-s`, `-fsSL`, `-o file`) before the URL, so the
193
+ // URL position is unpredictable. Sprint 57 #200; mirrors Sprint 23
194
+ // exec.Command widening pattern.
191
195
  {
192
196
  method: 'curl',
193
197
  type: 'ssrf',
194
198
  cwe: 'CWE-918',
195
199
  severity: 'high',
196
- argPositions: [0],
200
+ argPositions: [],
197
201
  },
198
202
  {
199
203
  method: 'wget',
200
204
  type: 'ssrf',
201
205
  cwe: 'CWE-918',
202
206
  severity: 'high',
203
- argPositions: [0],
207
+ argPositions: [],
204
208
  },
205
209
  // File inclusion — `source` and POSIX `.` execute arbitrary shell code
206
210
  // from the file at the supplied path. With user-controlled input this is
@@ -1 +1 @@
1
- {"version":3,"file":"bash.js","sourceRoot":"","sources":["../../../src/languages/plugins/bash.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAeH,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAE/C;;GAEG;AACH,MAAM,OAAO,UAAW,SAAQ,kBAAkB;IACvC,EAAE,GAAG,MAAe,CAAC;IACrB,IAAI,GAAG,YAAY,CAAC;IACpB,UAAU,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9C,QAAQ,GAAG,uBAAuB,CAAC;IAEnC,SAAS,GAAsB;QACtC,6CAA6C;QAC7C,gBAAgB,EAAE,EAAE;QACpB,oBAAoB,EAAE,EAAE;QACxB,eAAe,EAAE,EAAE;QACnB,mBAAmB,EAAE,CAAC,qBAAqB,CAAC;QAC5C,iBAAiB,EAAE,CAAC,qBAAqB,CAAC;QAE1C,8CAA8C;QAC9C,UAAU,EAAE,CAAC,SAAS,CAAC;QACvB,YAAY,EAAE,CAAC,SAAS,CAAC;QACzB,UAAU,EAAE,CAAC,qBAAqB,CAAC;QACnC,mBAAmB,EAAE,CAAC,qBAAqB,EAAE,qBAAqB,CAAC;QAEnE,6DAA6D;QAC7D,SAAS,EAAE,EAAE;QACb,QAAQ,EAAE,EAAE;QAEZ,yCAAyC;QACzC,UAAU,EAAE,EAAE;QACd,SAAS,EAAE,EAAE;QAEb,kEAAkE;QAClE,eAAe,EAAE,EAAE;QAEnB,eAAe;QACf,WAAW,EAAE,CAAC,cAAc,CAAC;QAC7B,YAAY,EAAE,CAAC,eAAe,EAAE,uBAAuB,CAAC;QACxD,cAAc,EAAE,CAAC,iBAAiB,CAAC;QACnC,YAAY,EAAE,EAAE;QAChB,eAAe,EAAE,EAAE;KACpB,CAAC;IAEF;;OAEG;IACH,eAAe,CAAC,QAA2B;QACzC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;OAIG;IACH,iBAAiB;QACf,OAAO;YACL,6CAA6C;YAC7C;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,UAAU;gBAChB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;YACD,qEAAqE;YACrE,yDAAyD;YACzD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,eAAe;gBACrB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;YACD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,eAAe;gBACrB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;SACF,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,eAAe;QACb,OAAO;YACL,oCAAoC;YACpC;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,uDAAuD;YACvD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,mEAAmE;YACnE;gBACE,MAAM,EAAE,OAAO;gBACf,IAAI,EAAE,eAAe;gBACrB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,eAAe;gBACrB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,SAAS;gBACjB,IAAI,EAAE,eAAe;gBACrB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,yDAAyD;YACzD;gBACE,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,OAAO;gBACf,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,QAAQ;gBAClB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,OAAO;gBACf,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,QAAQ;gBAClB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,kDAAkD;YAClD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,MAAM;gBACZ,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,MAAM;gBACZ,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,uEAAuE;YACvE,yEAAyE;YACzE,mEAAmE;YACnE;gBACE,MAAM,EAAE,QAAQ;gBAChB,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,KAAiB,EAAE,QAA2B;QAC5D,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,IAAgB;QAC9B,OAAO,CACL,IAAI,CAAC,IAAI,KAAK,QAAQ;YACtB,IAAI,CAAC,IAAI,KAAK,YAAY;YAC1B,IAAI,CAAC,IAAI,KAAK,eAAe,CAC9B,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,IAAgB;QAC7B,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;YAAE,OAAO,SAAS,CAAC;QAElD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACvB,8CAA8C;QAC9C,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QACD,6CAA6C;QAC7C,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QACD,0CAA0C;QAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACtC,IAAI,KAAK;YAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;QAE3B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sEAAsE;IAEtE,YAAY,CAAC,QAA2B;QACtC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,YAAY,CAAC,QAA2B;QACtC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,cAAc,CAAC,QAA2B;QACxC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,cAAc,CAAC,QAA2B;QACxC,OAAO,SAAS,CAAC;IACnB,CAAC;CACF"}
1
+ {"version":3,"file":"bash.js","sourceRoot":"","sources":["../../../src/languages/plugins/bash.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAeH,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAE/C;;GAEG;AACH,MAAM,OAAO,UAAW,SAAQ,kBAAkB;IACvC,EAAE,GAAG,MAAe,CAAC;IACrB,IAAI,GAAG,YAAY,CAAC;IACpB,UAAU,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9C,QAAQ,GAAG,uBAAuB,CAAC;IAEnC,SAAS,GAAsB;QACtC,6CAA6C;QAC7C,gBAAgB,EAAE,EAAE;QACpB,oBAAoB,EAAE,EAAE;QACxB,eAAe,EAAE,EAAE;QACnB,mBAAmB,EAAE,CAAC,qBAAqB,CAAC;QAC5C,iBAAiB,EAAE,CAAC,qBAAqB,CAAC;QAE1C,8CAA8C;QAC9C,UAAU,EAAE,CAAC,SAAS,CAAC;QACvB,YAAY,EAAE,CAAC,SAAS,CAAC;QACzB,UAAU,EAAE,CAAC,qBAAqB,CAAC;QACnC,mBAAmB,EAAE,CAAC,qBAAqB,EAAE,qBAAqB,CAAC;QAEnE,6DAA6D;QAC7D,SAAS,EAAE,EAAE;QACb,QAAQ,EAAE,EAAE;QAEZ,yCAAyC;QACzC,UAAU,EAAE,EAAE;QACd,SAAS,EAAE,EAAE;QAEb,kEAAkE;QAClE,eAAe,EAAE,EAAE;QAEnB,eAAe;QACf,WAAW,EAAE,CAAC,cAAc,CAAC;QAC7B,YAAY,EAAE,CAAC,eAAe,EAAE,uBAAuB,CAAC;QACxD,cAAc,EAAE,CAAC,iBAAiB,CAAC;QACnC,YAAY,EAAE,EAAE;QAChB,eAAe,EAAE,EAAE;KACpB,CAAC;IAEF;;OAEG;IACH,eAAe,CAAC,QAA2B;QACzC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;OAIG;IACH,iBAAiB;QACf,OAAO;YACL,6CAA6C;YAC7C;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,UAAU;gBAChB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;YACD,qEAAqE;YACrE,yDAAyD;YACzD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,eAAe;gBACrB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;YACD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,eAAe;gBACrB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;SACF,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,eAAe;QACb,OAAO;YACL,oCAAoC;YACpC;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,uDAAuD;YACvD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,mEAAmE;YACnE;gBACE,MAAM,EAAE,OAAO;gBACf,IAAI,EAAE,eAAe;gBACrB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,eAAe;gBACrB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,SAAS;gBACjB,IAAI,EAAE,eAAe;gBACrB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,yDAAyD;YACzD;gBACE,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,OAAO;gBACf,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,QAAQ;gBAClB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,OAAO;gBACf,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,QAAQ;gBAClB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,mDAAmD;YACnD,oEAAoE;YACpE,qEAAqE;YACrE,mEAAmE;YACnE,iCAAiC;YACjC;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,MAAM;gBACZ,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,EAAE;aACjB;YACD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,MAAM;gBACZ,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,EAAE;aACjB;YAED,uEAAuE;YACvE,yEAAyE;YACzE,mEAAmE;YACnE;gBACE,MAAM,EAAE,QAAQ;gBAChB,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,KAAiB,EAAE,QAA2B;QAC5D,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,IAAgB;QAC9B,OAAO,CACL,IAAI,CAAC,IAAI,KAAK,QAAQ;YACtB,IAAI,CAAC,IAAI,KAAK,YAAY;YAC1B,IAAI,CAAC,IAAI,KAAK,eAAe,CAC9B,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,IAAgB;QAC7B,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;YAAE,OAAO,SAAS,CAAC;QAElD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACvB,8CAA8C;QAC9C,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QACD,6CAA6C;QAC7C,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QACD,0CAA0C;QAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACtC,IAAI,KAAK;YAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;QAE3B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sEAAsE;IAEtE,YAAY,CAAC,QAA2B;QACtC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,YAAY,CAAC,QAA2B;QACtC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,cAAc,CAAC,QAA2B;QACxC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,cAAc,CAAC,QAA2B;QACxC,OAAO,SAAS,CAAC;IACnB,CAAC;CACF"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "circle-ir",
3
- "version": "3.112.0",
3
+ "version": "3.114.0",
4
4
  "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
5
5
  "main": "dist/index.js",
6
6
  "module": "dist/index.js",