circle-ir 3.126.0 → 3.129.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/analysis/passes/language-sources-pass.d.ts +72 -0
- package/dist/analysis/passes/language-sources-pass.d.ts.map +1 -1
- package/dist/analysis/passes/language-sources-pass.js +674 -0
- package/dist/analysis/passes/language-sources-pass.js.map +1 -1
- package/dist/browser/circle-ir.js +405 -0
- package/package.json +1 -1
|
@@ -125,4 +125,76 @@ export declare function findPythonPatternFindings(code: string, file: string): S
|
|
|
125
125
|
* benign and is ignored.
|
|
126
126
|
*/
|
|
127
127
|
export declare function findRustPatternFindings(code: string, file: string): SastFinding[];
|
|
128
|
+
/**
|
|
129
|
+
* Rust `hardcoded-credential` (CWE-798). Pattern:
|
|
130
|
+
* `(pub|const|static) <NAME>: &str = "literal";` where NAME matches
|
|
131
|
+
* /api[_]?key|secret|token|password|passwd|pwd|auth/i and the literal is
|
|
132
|
+
* non-trivial (length > 8 and not a placeholder).
|
|
133
|
+
*/
|
|
134
|
+
export declare function findRustHardcodedCredentialFindings(code: string, file: string): SastFinding[];
|
|
135
|
+
/**
|
|
136
|
+
* Rust `insecure-cookie` (CWE-1004 / CWE-614). Pattern:
|
|
137
|
+
* `Cookie::build(...)` chain that explicitly calls `.secure(false)` or
|
|
138
|
+
* `.http_only(false)` (or both). The dedicated `insecure-cookie-pass.ts`
|
|
139
|
+
* handles the `format!("Set-Cookie: ...")` shape but not the actix-web
|
|
140
|
+
* builder chain.
|
|
141
|
+
*/
|
|
142
|
+
export declare function findRustInsecureCookieFindings(code: string, file: string): SastFinding[];
|
|
143
|
+
/**
|
|
144
|
+
* Rust `jwt-verify-disabled` (CWE-347). Pattern:
|
|
145
|
+
* `.insecure_disable_signature_validation()` method call on a
|
|
146
|
+
* jsonwebtoken `Validation` value. Any presence of this method
|
|
147
|
+
* disables the signature check.
|
|
148
|
+
*/
|
|
149
|
+
export declare function findRustJwtVerifyDisabledFindings(code: string, file: string): SastFinding[];
|
|
150
|
+
/**
|
|
151
|
+
* Rust `weak-crypto` (CWE-327). Pattern (raw ECB via `aes` crate):
|
|
152
|
+
* any line that calls `.encrypt_block(` or `.decrypt_block(` on a
|
|
153
|
+
* block-cipher receiver constructed via `Aes128::new` / `Aes192::new` /
|
|
154
|
+
* `Aes256::new` / `Aes128Ecb` / `Aes256Ecb`. We collect the cipher
|
|
155
|
+
* constructor lines in a first pass (variable name → seen) and emit
|
|
156
|
+
* on every `.encrypt_block(` / `.decrypt_block(` line in the same file.
|
|
157
|
+
*
|
|
158
|
+
* The wrapped CBC/GCM/CTR forms go through `Cbc::<Aes128, ...>::new`
|
|
159
|
+
* or `Aes128Gcm::new` — those do NOT call `.encrypt_block` directly
|
|
160
|
+
* and so are not matched.
|
|
161
|
+
*/
|
|
162
|
+
export declare function findRustWeakCryptoEcbFindings(code: string, file: string): SastFinding[];
|
|
163
|
+
/**
|
|
164
|
+
* Java pattern findings — Sprint 78 (#190):
|
|
165
|
+
* - `jwt-verify-disabled` (CWE-347): bare `JWT.decode(<token>)` on the
|
|
166
|
+
* auth0 `com.auth0.jwt.JWT` class. `decode` is documented as
|
|
167
|
+
* "decode the token without performing any verification"; only
|
|
168
|
+
* `JWT.require(...).build().verify(token)` enforces the signature.
|
|
169
|
+
* - `tls-verify-disabled` (CWE-295): anonymous `X509TrustManager`
|
|
170
|
+
* implementation whose `checkServerTrusted` body is empty
|
|
171
|
+
* (returns void without raising). This trust-nothing implementation
|
|
172
|
+
* accepts every certificate.
|
|
173
|
+
*/
|
|
174
|
+
export declare function findJavaPatternFindings(code: string, file: string): SastFinding[];
|
|
175
|
+
/**
|
|
176
|
+
* Go pattern findings — Sprint 78 (#190):
|
|
177
|
+
* - `weak-crypto` (CWE-327): raw ECB usage via `aes.NewCipher(...)`
|
|
178
|
+
* followed by a direct `<cipher>.Encrypt(` / `.Decrypt(` call on the
|
|
179
|
+
* constructed value (no `cipher.NewCBCEncrypter` / `NewGCM` / `NewCTR`
|
|
180
|
+
* wrapper). The Go stdlib `aes.Cipher` exposes `Encrypt` / `Decrypt`
|
|
181
|
+
* that operate on a single 16-byte block — calling these directly is
|
|
182
|
+
* ECB mode.
|
|
183
|
+
*
|
|
184
|
+
* Algorithm:
|
|
185
|
+
* 1. Collect every `<v>, _ := aes.NewCipher(...)` cipher variable.
|
|
186
|
+
* 2. If the file contains a `cipher.NewGCM(<v>)` / `cipher.NewCBC*(<v>)`
|
|
187
|
+
* / `cipher.NewCTR(<v>)` wrapping line for that variable, skip it
|
|
188
|
+
* (wrapped mode is not ECB).
|
|
189
|
+
* 3. Otherwise emit on every `<v>.Encrypt(` / `<v>.Decrypt(` line.
|
|
190
|
+
*/
|
|
191
|
+
export declare function findGoPatternFindings(code: string, file: string): SastFinding[];
|
|
192
|
+
/**
|
|
193
|
+
* JS pattern findings — Sprint 78 (#190):
|
|
194
|
+
* - `xml-entity-expansion` (CWE-611 / CWE-776): libxmljs `parseXml`
|
|
195
|
+
* (and `parseXmlString`) called with `{ noent: true }` resolves
|
|
196
|
+
* external entities, enabling XXE / billion-laughs. The default is
|
|
197
|
+
* `noent: false`; only the explicit-true form is unsafe.
|
|
198
|
+
*/
|
|
199
|
+
export declare function findJsPatternFindings(code: string, file: string): SastFinding[];
|
|
128
200
|
//# sourceMappingURL=language-sources-pass.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"language-sources-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/language-sources-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,cAAc,EAAwB,WAAW,EAAO,MAAM,sBAAsB,CAAC;AAC3H,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAqB9E,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;IA0C/B,CAAC;AAiCF,MAAM,WAAW,qBAAqB;IACpC,iBAAiB,EAAE,WAAW,EAAE,CAAC;IACjC,eAAe,EAAE,SAAS,EAAE,CAAC;IAC7B;;;;OAIG;IACH,oBAAoB,EAAE,cAAc,EAAE,CAAC;IACvC;;;OAGG;IACH,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC;;;OAGG;IACH,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC7B;;;OAGG;IACH,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACpC;AAMD,qBAAa,mBAAoB,YAAW,YAAY,CAAC,qBAAqB,CAAC;IAC7E,QAAQ,CAAC,IAAI,sBAAsB;IACnC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,qBAAqB;
|
|
1
|
+
{"version":3,"file":"language-sources-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/language-sources-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,cAAc,EAAwB,WAAW,EAAO,MAAM,sBAAsB,CAAC;AAC3H,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAqB9E,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;IA0C/B,CAAC;AAiCF,MAAM,WAAW,qBAAqB;IACpC,iBAAiB,EAAE,WAAW,EAAE,CAAC;IACjC,eAAe,EAAE,SAAS,EAAE,CAAC;IAC7B;;;;OAIG;IACH,oBAAoB,EAAE,cAAc,EAAE,CAAC;IACvC;;;OAGG;IACH,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC;;;OAGG;IACH,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC7B;;;OAGG;IACH,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACpC;AAMD,qBAAa,mBAAoB,YAAW,YAAY,CAAC,qBAAqB,CAAC;IAC7E,QAAQ,CAAC,IAAI,sBAAsB;IACnC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,qBAAqB;CAmP7C;AAgkBD,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAkG9E;AAED,wBAAgB,wBAAwB,CAAC,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAwC5G;AAED,wBAAgB,iCAAiC,CAC/C,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,KAAK,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAoBjD;AAyKD,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAmBpG;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,GACpB,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAmCrB;AA+MD,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,WAAW,EAAE,CAsKvF;AAiyDD,wBAAgB,sCAAsC,CACpD,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,GACf,WAAW,EAAE,CAcf;AAoLD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,yBAAyB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,WAAW,EAAE,CA+HnF;AAMD;;;;;;;;;GASG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,WAAW,EAAE,CA2BjF;AAOD;;;;;GAKG;AACH,wBAAgB,mCAAmC,CACjD,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CAgCf;AAED;;;;;;GAMG;AACH,wBAAgB,8BAA8B,CAC5C,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CA2Bf;AAED;;;;;GAKG;AACH,wBAAgB,iCAAiC,CAC/C,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CA0Bf;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,6BAA6B,CAC3C,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CAoCf;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CAwEf;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CAgDf;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CA6Bf"}
|