circle-ir 3.128.0 → 3.131.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -125,4 +125,137 @@ export declare function findPythonPatternFindings(code: string, file: string): S
125
125
  * benign and is ignored.
126
126
  */
127
127
  export declare function findRustPatternFindings(code: string, file: string): SastFinding[];
128
+ /**
129
+ * Rust `hardcoded-credential` (CWE-798). Pattern:
130
+ * `(pub|const|static) <NAME>: &str = "literal";` where NAME matches
131
+ * /api[_]?key|secret|token|password|passwd|pwd|auth/i and the literal is
132
+ * non-trivial (length > 8 and not a placeholder).
133
+ */
134
+ export declare function findRustHardcodedCredentialFindings(code: string, file: string): SastFinding[];
135
+ /**
136
+ * Rust `insecure-cookie` (CWE-1004 / CWE-614). Pattern:
137
+ * `Cookie::build(...)` chain that explicitly calls `.secure(false)` or
138
+ * `.http_only(false)` (or both). The dedicated `insecure-cookie-pass.ts`
139
+ * handles the `format!("Set-Cookie: ...")` shape but not the actix-web
140
+ * builder chain.
141
+ */
142
+ export declare function findRustInsecureCookieFindings(code: string, file: string): SastFinding[];
143
+ /**
144
+ * Rust `jwt-verify-disabled` (CWE-347). Pattern:
145
+ * `.insecure_disable_signature_validation()` method call on a
146
+ * jsonwebtoken `Validation` value. Any presence of this method
147
+ * disables the signature check.
148
+ */
149
+ export declare function findRustJwtVerifyDisabledFindings(code: string, file: string): SastFinding[];
150
+ /**
151
+ * Rust `weak-crypto` (CWE-327). Pattern (raw ECB via `aes` crate):
152
+ * any line that calls `.encrypt_block(` or `.decrypt_block(` on a
153
+ * block-cipher receiver constructed via `Aes128::new` / `Aes192::new` /
154
+ * `Aes256::new` / `Aes128Ecb` / `Aes256Ecb`. We collect the cipher
155
+ * constructor lines in a first pass (variable name → seen) and emit
156
+ * on every `.encrypt_block(` / `.decrypt_block(` line in the same file.
157
+ *
158
+ * The wrapped CBC/GCM/CTR forms go through `Cbc::<Aes128, ...>::new`
159
+ * or `Aes128Gcm::new` — those do NOT call `.encrypt_block` directly
160
+ * and so are not matched.
161
+ */
162
+ export declare function findRustWeakCryptoEcbFindings(code: string, file: string): SastFinding[];
163
+ /**
164
+ * Java pattern findings — Sprint 78 (#190):
165
+ * - `jwt-verify-disabled` (CWE-347): bare `JWT.decode(<token>)` on the
166
+ * auth0 `com.auth0.jwt.JWT` class. `decode` is documented as
167
+ * "decode the token without performing any verification"; only
168
+ * `JWT.require(...).build().verify(token)` enforces the signature.
169
+ * - `tls-verify-disabled` (CWE-295): anonymous `X509TrustManager`
170
+ * implementation whose `checkServerTrusted` body is empty
171
+ * (returns void without raising). This trust-nothing implementation
172
+ * accepts every certificate.
173
+ */
174
+ export declare function findJavaPatternFindings(code: string, file: string): SastFinding[];
175
+ /**
176
+ * Go pattern findings — Sprint 78 (#190):
177
+ * - `weak-crypto` (CWE-327): raw ECB usage via `aes.NewCipher(...)`
178
+ * followed by a direct `<cipher>.Encrypt(` / `.Decrypt(` call on the
179
+ * constructed value (no `cipher.NewCBCEncrypter` / `NewGCM` / `NewCTR`
180
+ * wrapper). The Go stdlib `aes.Cipher` exposes `Encrypt` / `Decrypt`
181
+ * that operate on a single 16-byte block — calling these directly is
182
+ * ECB mode.
183
+ *
184
+ * Algorithm:
185
+ * 1. Collect every `<v>, _ := aes.NewCipher(...)` cipher variable.
186
+ * 2. If the file contains a `cipher.NewGCM(<v>)` / `cipher.NewCBC*(<v>)`
187
+ * / `cipher.NewCTR(<v>)` wrapping line for that variable, skip it
188
+ * (wrapped mode is not ECB).
189
+ * 3. Otherwise emit on every `<v>.Encrypt(` / `<v>.Decrypt(` line.
190
+ */
191
+ export declare function findGoPatternFindings(code: string, file: string): SastFinding[];
192
+ /**
193
+ * JS pattern findings — Sprint 78 (#190):
194
+ * - `xml-entity-expansion` (CWE-611 / CWE-776): libxmljs `parseXml`
195
+ * (and `parseXmlString`) called with `{ noent: true }` resolves
196
+ * external entities, enabling XXE / billion-laughs. The default is
197
+ * `noent: false`; only the explicit-true form is unsafe.
198
+ */
199
+ export declare function findJsPatternFindings(code: string, file: string): SastFinding[];
200
+ /**
201
+ * Go xss — `fmt.Fprint(f|ln)?(w, ...)` writing tainted data directly to an
202
+ * `http.ResponseWriter`. Two-pass:
203
+ *
204
+ * 1. Discover ResponseWriter parameter names by scanning function
205
+ * signatures `(<name> http.ResponseWriter, ...)`.
206
+ * 2. For every `fmt.Fprint(f|ln)?(<name>, <format>, <args...>)` whose
207
+ * first argument matches a discovered name, emit xss UNLESS one of
208
+ * the args is wrapped in a recognized HTML escaper
209
+ * (`html.EscapeString` / `template.HTMLEscapeString` /
210
+ * `template.HTMLEscaper`).
211
+ */
212
+ export declare function findGoXssFindings(code: string, file: string): SastFinding[];
213
+ /**
214
+ * Java xss — `<recv>.getWriter().{print,println,write,printf,format,append}
215
+ * (<arg>)` chained call where `<recv>` is typed `HttpServletResponse`.
216
+ * The receiver-chain form bypasses the configured `PrintWriter.print`
217
+ * sink because the engine doesn't yet trace `HttpServletResponse
218
+ * .getWriter()` → `PrintWriter` type resolution.
219
+ *
220
+ * Conservative: only fires when the receiver token matches a parameter
221
+ * named with the `HttpServletResponse` type AND no recognized HTML
222
+ * encoder wraps the argument.
223
+ */
224
+ export declare function findJavaResponseWriterXssFindings(code: string, file: string): SastFinding[];
225
+ /**
226
+ * Vue xss — `template: '<...v-html="<var>"...>'` directive binding to a
227
+ * variable that is sourced from a tainted location (URLSearchParams,
228
+ * location.search/hash, route.query/params, fetch, etc.).
229
+ *
230
+ * Conservative: when the bound variable is a literal initializer
231
+ * (`<var>: 'static'`) or sourced from a non-recognized location, no
232
+ * finding is emitted.
233
+ */
234
+ export declare function findJsVueVHtmlXssFindings(code: string, file: string): SastFinding[];
235
+ /**
236
+ * Angular xss — `<recv>.bypassSecurityTrust(Html|Script|Url|ResourceUrl|
237
+ * Style)(<arg>)` where `<recv>` is typed `DomSanitizer`. Skip when
238
+ * `<arg>` is a string literal (intentional safe-by-author escape hatch).
239
+ */
240
+ export declare function findTsAngularBypassXssFindings(code: string, file: string): SastFinding[];
241
+ /**
242
+ * Python Flask xss — route function returning HTML built from a
243
+ * `request.<args|form|values|files>.get(...)` value via string concat,
244
+ * f-string, %, or .format(). Bypasses the engine's flow construction
245
+ * gap for these string ops.
246
+ *
247
+ * Conservative: requires a Flask-style route decorator (`@<x>.route(`)
248
+ * above the function; skip when the variable is escape()-wrapped.
249
+ */
250
+ export declare function findPythonFlaskStringConcatXssFindings(code: string, file: string): SastFinding[];
251
+ /**
252
+ * Python Jinja2 Markup-bypass xss — `Markup(<var>)` where `<var>` is
253
+ * request-sourced, then passed into a `<X>.render(...)` call. The
254
+ * `Markup` wrap deliberately disables Jinja autoescape for the value.
255
+ *
256
+ * Namespace-scoped alias tracking (Sprint 74 lesson): only treats
257
+ * `Markup` as dangerous when imported from `markupsafe` or `flask`,
258
+ * and only when no user-defined `class Markup` shadows the import.
259
+ */
260
+ export declare function findPythonJinjaMarkupXssFindings(code: string, file: string): SastFinding[];
128
261
  //# sourceMappingURL=language-sources-pass.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"language-sources-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/language-sources-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,cAAc,EAAwB,WAAW,EAAO,MAAM,sBAAsB,CAAC;AAC3H,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAqB9E,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;IA0C/B,CAAC;AAiCF,MAAM,WAAW,qBAAqB;IACpC,iBAAiB,EAAE,WAAW,EAAE,CAAC;IACjC,eAAe,EAAE,SAAS,EAAE,CAAC;IAC7B;;;;OAIG;IACH,oBAAoB,EAAE,cAAc,EAAE,CAAC;IACvC;;;OAGG;IACH,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC;;;OAGG;IACH,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC7B;;;OAGG;IACH,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACpC;AAMD,qBAAa,mBAAoB,YAAW,YAAY,CAAC,qBAAqB,CAAC;IAC7E,QAAQ,CAAC,IAAI,sBAAsB;IACnC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,qBAAqB;CAqN7C;AAgkBD,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAkG9E;AAED,wBAAgB,wBAAwB,CAAC,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAwC5G;AAED,wBAAgB,iCAAiC,CAC/C,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,KAAK,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAoBjD;AAyKD,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAmBpG;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,GACpB,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAmCrB;AA+MD,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,WAAW,EAAE,CAsKvF;AAiyDD,wBAAgB,sCAAsC,CACpD,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,GACf,WAAW,EAAE,CAcf;AAoLD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,yBAAyB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,WAAW,EAAE,CA+HnF;AAMD;;;;;;;;;GASG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,WAAW,EAAE,CA2BjF"}
1
+ {"version":3,"file":"language-sources-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/language-sources-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,cAAc,EAAwB,WAAW,EAAO,MAAM,sBAAsB,CAAC;AAC3H,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAqB9E,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;IA0C/B,CAAC;AAiCF,MAAM,WAAW,qBAAqB;IACpC,iBAAiB,EAAE,WAAW,EAAE,CAAC;IACjC,eAAe,EAAE,SAAS,EAAE,CAAC;IAC7B;;;;OAIG;IACH,oBAAoB,EAAE,cAAc,EAAE,CAAC;IACvC;;;OAGG;IACH,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC;;;OAGG;IACH,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC7B;;;OAGG;IACH,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACpC;AAMD,qBAAa,mBAAoB,YAAW,YAAY,CAAC,qBAAqB,CAAC;IAC7E,QAAQ,CAAC,IAAI,sBAAsB;IACnC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,qBAAqB;CAiR7C;AAgkBD,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAkG9E;AAED,wBAAgB,wBAAwB,CAAC,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAwC5G;AAED,wBAAgB,iCAAiC,CAC/C,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,KAAK,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAoBjD;AAyKD,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAmBpG;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,GACpB,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAmCrB;AA+MD,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,WAAW,EAAE,CAsKvF;AAg6DD,wBAAgB,sCAAsC,CACpD,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,GACf,WAAW,EAAE,CAcf;AAoLD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,yBAAyB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,WAAW,EAAE,CA+HnF;AAMD;;;;;;;;;GASG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,WAAW,EAAE,CA2BjF;AAOD;;;;;GAKG;AACH,wBAAgB,mCAAmC,CACjD,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CAgCf;AAED;;;;;;GAMG;AACH,wBAAgB,8BAA8B,CAC5C,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CA2Bf;AAED;;;;;GAKG;AACH,wBAAgB,iCAAiC,CAC/C,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CA0Bf;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,6BAA6B,CAC3C,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CAoCf;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CAwEf;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CAgDf;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CA6Bf;AASD;;;;;;;;;;;GAWG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,WAAW,EAAE,CA+C3E;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,iCAAiC,CAC/C,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CAsDf;AAED;;;;;;;;GAQG;AACH,wBAAgB,yBAAyB,CACvC,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CA0Gf;AAED;;;;GAIG;AACH,wBAAgB,8BAA8B,CAC5C,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CAoDf;AAED;;;;;;;;GAQG;AACH,wBAAgB,sCAAsC,CACpD,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CAiGf;AAED;;;;;;;;GAQG;AACH,wBAAgB,gCAAgC,CAC9C,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,WAAW,EAAE,CAqDf"}