circle-ir 3.136.0 → 3.138.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -23684,6 +23684,24 @@ var LanguageSourcesPass = class {
23684
23684
  )) {
23685
23685
  ctx.addFinding(finding);
23686
23686
  }
23687
+ for (const finding of findGoLdapInjectionFindings(
23688
+ code,
23689
+ graph.ir.meta.file
23690
+ )) {
23691
+ ctx.addFinding(finding);
23692
+ }
23693
+ for (const finding of findGoGobDeserializationFindings(
23694
+ code,
23695
+ graph.ir.meta.file
23696
+ )) {
23697
+ ctx.addFinding(finding);
23698
+ }
23699
+ for (const finding of findGoXmlDecoderXxeFindings(
23700
+ code,
23701
+ graph.ir.meta.file
23702
+ )) {
23703
+ ctx.addFinding(finding);
23704
+ }
23687
23705
  }
23688
23706
  if (language === "python") {
23689
23707
  additionalSanitizers.push(...findPythonNetlocAllowlistGuardSanitizers(code));
@@ -23732,6 +23750,12 @@ var LanguageSourcesPass = class {
23732
23750
  )) {
23733
23751
  ctx.addFinding(finding);
23734
23752
  }
23753
+ for (const finding of findPythonJinjaTemplateSstiFindings(
23754
+ code,
23755
+ graph.ir.meta.file
23756
+ )) {
23757
+ ctx.addFinding(finding);
23758
+ }
23735
23759
  }
23736
23760
  if (language === "rust") {
23737
23761
  additionalSanitizers.push(...findRustSetAllowlistGuardSanitizers(code));
@@ -23765,6 +23789,18 @@ var LanguageSourcesPass = class {
23765
23789
  )) {
23766
23790
  ctx.addFinding(finding);
23767
23791
  }
23792
+ for (const finding of findRustLdapInjectionFindings(
23793
+ code,
23794
+ graph.ir.meta.file
23795
+ )) {
23796
+ ctx.addFinding(finding);
23797
+ }
23798
+ for (const finding of findRustLogInjectionFindings(
23799
+ code,
23800
+ graph.ir.meta.file
23801
+ )) {
23802
+ ctx.addFinding(finding);
23803
+ }
23768
23804
  }
23769
23805
  if (language === "javascript" || language === "typescript" || language === "htmljs") {
23770
23806
  additionalSanitizers.push(...findJsSafeJsonParseSanitizers(code));
@@ -23801,6 +23837,30 @@ var LanguageSourcesPass = class {
23801
23837
  )) {
23802
23838
  ctx.addFinding(finding);
23803
23839
  }
23840
+ for (const finding of findJsLdapInjectionFindings(
23841
+ code,
23842
+ graph.ir.meta.file
23843
+ )) {
23844
+ ctx.addFinding(finding);
23845
+ }
23846
+ for (const finding of findJsJsonParseBodyFindings(
23847
+ code,
23848
+ graph.ir.meta.file
23849
+ )) {
23850
+ ctx.addFinding(finding);
23851
+ }
23852
+ for (const finding of findJsDomXpathInjectionFindings(
23853
+ code,
23854
+ graph.ir.meta.file
23855
+ )) {
23856
+ ctx.addFinding(finding);
23857
+ }
23858
+ for (const finding of findJsTemplateInjectionSstiFindings(
23859
+ code,
23860
+ graph.ir.meta.file
23861
+ )) {
23862
+ ctx.addFinding(finding);
23863
+ }
23804
23864
  }
23805
23865
  if (language === "java") {
23806
23866
  additionalSanitizers.push(...findJavaSafeJsonParseSanitizers(code));
@@ -27923,6 +27983,909 @@ function findPythonHeaderCrlfInjectionFindings(code, file) {
27923
27983
  }
27924
27984
  return findings;
27925
27985
  }
27986
+ function findJsLdapInjectionFindings(code, file) {
27987
+ const findings = [];
27988
+ if (typeof code !== "string" || code.length === 0) return findings;
27989
+ if (!/\.\s*search\s*\(/.test(code)) return findings;
27990
+ if (!/\breq\s*\.\s*(?:query|body|params|headers|cookies)\b/.test(code)) {
27991
+ return findings;
27992
+ }
27993
+ if (!/\b(?:ldapjs|ldapts|require\(['"]ldapjs['"]\)|from\s+['"]ldapts['"])\b/.test(
27994
+ code
27995
+ )) {
27996
+ return findings;
27997
+ }
27998
+ const lines = code.split("\n");
27999
+ const reqExtractRe = /\breq\s*\.\s*(?:query|body|params|headers|cookies)\b/;
28000
+ const taintedVars = /* @__PURE__ */ new Set();
28001
+ for (let pass = 0; pass < 3; pass++) {
28002
+ const before = taintedVars.size;
28003
+ for (let i2 = 0; i2 < lines.length; i2++) {
28004
+ const t = lines[i2].trim();
28005
+ if (t.startsWith("//")) continue;
28006
+ const m = t.match(/^(?:const|let|var)\s+(\w+)(?:\s*:\s*[^=]+)?\s*=\s*(.+?);?$/);
28007
+ if (!m) continue;
28008
+ const lhs = m[1];
28009
+ const rhs = m[2];
28010
+ if (taintedVars.has(lhs)) continue;
28011
+ if (reqExtractRe.test(rhs)) {
28012
+ taintedVars.add(lhs);
28013
+ continue;
28014
+ }
28015
+ for (const v of taintedVars) {
28016
+ if (new RegExp(`\\b${v}\\b`).test(rhs)) {
28017
+ taintedVars.add(lhs);
28018
+ break;
28019
+ }
28020
+ }
28021
+ }
28022
+ if (taintedVars.size === before) break;
28023
+ }
28024
+ if (taintedVars.size === 0) return findings;
28025
+ const filterPropRe = /\bfilter\s*:\s*([^,}\n]+)/;
28026
+ const filterShorthandRe = /(?:^|[\{,])\s*filter\s*[,}]/;
28027
+ const seen = /* @__PURE__ */ new Set();
28028
+ for (let i2 = 0; i2 < lines.length; i2++) {
28029
+ const line = lines[i2];
28030
+ const fm = line.match(filterPropRe);
28031
+ let expr = null;
28032
+ if (fm) {
28033
+ expr = fm[1].trim();
28034
+ } else if (filterShorthandRe.test(line)) {
28035
+ expr = "filter";
28036
+ } else {
28037
+ continue;
28038
+ }
28039
+ let tainted = false;
28040
+ for (const v of taintedVars) {
28041
+ if (new RegExp(`\\b${v}\\b`).test(expr)) {
28042
+ tainted = true;
28043
+ break;
28044
+ }
28045
+ }
28046
+ if (!tainted) continue;
28047
+ if (seen.has(i2 + 1)) continue;
28048
+ seen.add(i2 + 1);
28049
+ findings.push({
28050
+ id: `ldap_injection-${file}-${i2 + 1}-js-ldap-filter`,
28051
+ pass: "language-sources",
28052
+ category: "security",
28053
+ rule_id: "ldap_injection",
28054
+ cwe: "CWE-90",
28055
+ severity: "critical",
28056
+ level: "error",
28057
+ message: "LDAP injection: ldapjs/ldapts `client.search(..., { filter: <tainted>, ... })` lets the attacker break out of the filter expression (e.g. `*)(uid=*`) and enumerate the directory. Escape the user input with a tight allowlist (`[A-Za-z0-9_-]+`) or use a structured filter builder.",
28058
+ file,
28059
+ line: i2 + 1,
28060
+ snippet: line.trim()
28061
+ });
28062
+ }
28063
+ return findings;
28064
+ }
28065
+ function findGoLdapInjectionFindings(code, file) {
28066
+ const findings = [];
28067
+ if (typeof code !== "string" || code.length === 0) return findings;
28068
+ if (!/\bldap\s*\.\s*NewSearchRequest\s*\(/.test(code)) return findings;
28069
+ if (!/\br\s*\.\s*(?:URL\s*\.\s*Query\s*\(\s*\)|Form|PostForm|FormValue|PostFormValue|Header)/.test(
28070
+ code
28071
+ )) {
28072
+ return findings;
28073
+ }
28074
+ const lines = code.split("\n");
28075
+ const reqExtractRe = /\br\s*\.\s*(?:URL\s*\.\s*Query\s*\(\s*\)\s*\.\s*Get|Form\s*\.\s*Get|PostForm\s*\.\s*Get|FormValue|PostFormValue|Header\s*\.\s*Get)\s*\(/;
28076
+ const taintedVars = /* @__PURE__ */ new Set();
28077
+ for (let pass = 0; pass < 3; pass++) {
28078
+ const before = taintedVars.size;
28079
+ for (let i2 = 0; i2 < lines.length; i2++) {
28080
+ const t = lines[i2].trim();
28081
+ if (t.startsWith("//")) continue;
28082
+ const m = t.match(/^(\w+)\s*(?::=|=)\s*(.+?)$/);
28083
+ if (!m) continue;
28084
+ const lhs = m[1];
28085
+ const rhs = m[2];
28086
+ if (taintedVars.has(lhs)) continue;
28087
+ if (reqExtractRe.test(rhs)) {
28088
+ taintedVars.add(lhs);
28089
+ continue;
28090
+ }
28091
+ for (const v of taintedVars) {
28092
+ if (new RegExp(`\\b${v}\\b`).test(rhs)) {
28093
+ taintedVars.add(lhs);
28094
+ break;
28095
+ }
28096
+ }
28097
+ }
28098
+ if (taintedVars.size === before) break;
28099
+ }
28100
+ if (taintedVars.size === 0) return findings;
28101
+ const seen = /* @__PURE__ */ new Set();
28102
+ for (let i2 = 0; i2 < lines.length; i2++) {
28103
+ const openIdx = lines[i2].indexOf("NewSearchRequest(");
28104
+ if (openIdx === -1) continue;
28105
+ let depth = 0;
28106
+ let buf = "";
28107
+ let endLine = i2;
28108
+ let started = false;
28109
+ for (let j = i2; j < Math.min(i2 + 25, lines.length); j++) {
28110
+ for (const ch of lines[j]) {
28111
+ if (ch === "(") {
28112
+ depth++;
28113
+ started = true;
28114
+ } else if (ch === ")") {
28115
+ depth--;
28116
+ }
28117
+ buf += ch;
28118
+ if (started && depth === 0) {
28119
+ endLine = j;
28120
+ break;
28121
+ }
28122
+ }
28123
+ if (started && depth === 0) break;
28124
+ buf += "\n";
28125
+ }
28126
+ const argsStart = buf.indexOf("(");
28127
+ if (argsStart === -1) continue;
28128
+ const args2 = buf.substring(argsStart + 1, buf.length - 1);
28129
+ const parts2 = [];
28130
+ {
28131
+ let d = 0;
28132
+ let b = "";
28133
+ let inStr = null;
28134
+ for (let k = 0; k < args2.length; k++) {
28135
+ const ch = args2[k];
28136
+ if (inStr) {
28137
+ if (ch === "\\") {
28138
+ b += ch + (args2[k + 1] ?? "");
28139
+ k++;
28140
+ continue;
28141
+ }
28142
+ if (ch === inStr) inStr = null;
28143
+ b += ch;
28144
+ continue;
28145
+ }
28146
+ if (ch === '"' || ch === "`") {
28147
+ inStr = ch;
28148
+ b += ch;
28149
+ continue;
28150
+ }
28151
+ if (ch === "(" || ch === "[" || ch === "{") d++;
28152
+ else if (ch === ")" || ch === "]" || ch === "}") d--;
28153
+ if (ch === "," && d === 0) {
28154
+ parts2.push(b);
28155
+ b = "";
28156
+ continue;
28157
+ }
28158
+ b += ch;
28159
+ }
28160
+ if (b.trim().length > 0) parts2.push(b);
28161
+ }
28162
+ if (parts2.length < 7) continue;
28163
+ const filterExpr = parts2[6].trim();
28164
+ let tainted = false;
28165
+ for (const v of taintedVars) {
28166
+ if (new RegExp(`\\b${v}\\b`).test(filterExpr)) {
28167
+ tainted = true;
28168
+ break;
28169
+ }
28170
+ }
28171
+ if (!tainted) continue;
28172
+ if (seen.has(i2 + 1)) continue;
28173
+ seen.add(i2 + 1);
28174
+ findings.push({
28175
+ id: `ldap_injection-${file}-${i2 + 1}-go-newsearchrequest`,
28176
+ pass: "language-sources",
28177
+ category: "security",
28178
+ rule_id: "ldap_injection",
28179
+ cwe: "CWE-90",
28180
+ severity: "critical",
28181
+ level: "error",
28182
+ message: "LDAP injection: go-ldap `ldap.NewSearchRequest(..., <tainted filter>, ...)` lets the attacker break out of the filter expression and enumerate the directory. Escape the user input with `ldap.EscapeFilter(...)` or use a structured filter builder.",
28183
+ file,
28184
+ line: i2 + 1,
28185
+ snippet: (lines[i2] + (endLine > i2 ? " \u2026" : "")).trim()
28186
+ });
28187
+ }
28188
+ return findings;
28189
+ }
28190
+ function findRustLdapInjectionFindings(code, file) {
28191
+ const findings = [];
28192
+ if (typeof code !== "string" || code.length === 0) return findings;
28193
+ if (!/\.\s*search\s*\(/.test(code)) return findings;
28194
+ if (!/\b(?:ldap3|LdapConn|Ldap)\b/.test(code)) return findings;
28195
+ const lines = code.split("\n");
28196
+ const extractorTypeRe = /:\s*(?:String|Bytes|bytes::Bytes|axum::body::Bytes|web::Query\b|web::Path\b|web::Form\b|web::Json\b|HttpRequest\b|actix_web::HttpRequest\b)/;
28197
+ const fns = [];
28198
+ let cur = null;
28199
+ for (let i2 = 0; i2 < lines.length; i2++) {
28200
+ const t = lines[i2];
28201
+ if (/^\s*(?:pub\s+)?(?:async\s+)?fn\s+\w+\s*\(/.test(t)) {
28202
+ if (cur) {
28203
+ cur.end = i2 - 1;
28204
+ fns.push(cur);
28205
+ }
28206
+ cur = { start: i2, end: lines.length - 1, tainted: /* @__PURE__ */ new Set() };
28207
+ let headerJoined = "";
28208
+ for (let j = i2; j < Math.min(i2 + 12, lines.length); j++) {
28209
+ headerJoined += lines[j];
28210
+ if (/\{\s*$/.test(lines[j])) break;
28211
+ }
28212
+ const open = headerJoined.indexOf("(");
28213
+ const close = headerJoined.lastIndexOf(")");
28214
+ if (open !== -1 && close > open) {
28215
+ const params = headerJoined.substring(open + 1, close);
28216
+ let depth = 0;
28217
+ let buf = "";
28218
+ const parts2 = [];
28219
+ for (const ch of params) {
28220
+ if (ch === "<" || ch === "(") depth++;
28221
+ else if (ch === ">" || ch === ")") depth--;
28222
+ if (ch === "," && depth === 0) {
28223
+ parts2.push(buf);
28224
+ buf = "";
28225
+ continue;
28226
+ }
28227
+ buf += ch;
28228
+ }
28229
+ if (buf.trim().length > 0) parts2.push(buf);
28230
+ for (const p of parts2) {
28231
+ const pm = p.match(/(?:mut\s+)?(\w+)\s*:/);
28232
+ if (!pm) continue;
28233
+ if (extractorTypeRe.test(p)) cur.tainted.add(pm[1]);
28234
+ }
28235
+ }
28236
+ }
28237
+ }
28238
+ if (cur) fns.push(cur);
28239
+ for (const fn of fns) {
28240
+ for (let pass = 0; pass < 3; pass++) {
28241
+ const before = fn.tainted.size;
28242
+ for (let i2 = fn.start; i2 <= fn.end; i2++) {
28243
+ const t = lines[i2].trim();
28244
+ const m = t.match(/^let\s+(?:mut\s+)?(\w+)\s*(?::\s*[^=]+)?=\s*(.+?);?$/);
28245
+ if (!m) continue;
28246
+ const lhs = m[1];
28247
+ const rhs = m[2];
28248
+ if (fn.tainted.has(lhs)) continue;
28249
+ for (const v of fn.tainted) {
28250
+ if (new RegExp(`\\b${v}\\b`).test(rhs)) {
28251
+ fn.tainted.add(lhs);
28252
+ break;
28253
+ }
28254
+ }
28255
+ }
28256
+ if (fn.tainted.size === before) break;
28257
+ }
28258
+ }
28259
+ const seen = /* @__PURE__ */ new Set();
28260
+ for (const fn of fns) {
28261
+ if (fn.tainted.size === 0) continue;
28262
+ for (let i2 = fn.start; i2 <= fn.end; i2++) {
28263
+ const searchIdx = lines[i2].indexOf(".search(");
28264
+ if (searchIdx === -1) continue;
28265
+ let depth = 0;
28266
+ let buf = "";
28267
+ let started = false;
28268
+ for (let j = i2; j < Math.min(i2 + 15, lines.length); j++) {
28269
+ const startCol = j === i2 ? searchIdx : 0;
28270
+ for (let k = startCol; k < lines[j].length; k++) {
28271
+ const ch = lines[j][k];
28272
+ if (ch === "(") {
28273
+ depth++;
28274
+ started = true;
28275
+ } else if (ch === ")") {
28276
+ depth--;
28277
+ }
28278
+ buf += ch;
28279
+ if (started && depth === 0) break;
28280
+ }
28281
+ if (started && depth === 0) break;
28282
+ buf += "\n";
28283
+ }
28284
+ const argsStart = buf.indexOf("(");
28285
+ if (argsStart === -1) continue;
28286
+ const args2 = buf.substring(argsStart + 1, buf.length - 1);
28287
+ const parts2 = [];
28288
+ {
28289
+ let d = 0;
28290
+ let b = "";
28291
+ let inStr = null;
28292
+ for (let k = 0; k < args2.length; k++) {
28293
+ const ch = args2[k];
28294
+ if (inStr) {
28295
+ if (ch === "\\") {
28296
+ b += ch + (args2[k + 1] ?? "");
28297
+ k++;
28298
+ continue;
28299
+ }
28300
+ if (ch === inStr) inStr = null;
28301
+ b += ch;
28302
+ continue;
28303
+ }
28304
+ if (ch === '"') {
28305
+ inStr = ch;
28306
+ b += ch;
28307
+ continue;
28308
+ }
28309
+ if (ch === "(" || ch === "[" || ch === "{") d++;
28310
+ else if (ch === ")" || ch === "]" || ch === "}") d--;
28311
+ if (ch === "," && d === 0) {
28312
+ parts2.push(b);
28313
+ b = "";
28314
+ continue;
28315
+ }
28316
+ b += ch;
28317
+ }
28318
+ if (b.trim().length > 0) parts2.push(b);
28319
+ }
28320
+ if (parts2.length < 3) continue;
28321
+ const filterExpr = parts2[2].trim();
28322
+ let tainted = false;
28323
+ for (const v of fn.tainted) {
28324
+ if (new RegExp(`\\b${v}\\b`).test(filterExpr)) {
28325
+ tainted = true;
28326
+ break;
28327
+ }
28328
+ }
28329
+ if (!tainted) continue;
28330
+ if (seen.has(i2 + 1)) continue;
28331
+ seen.add(i2 + 1);
28332
+ findings.push({
28333
+ id: `ldap_injection-${file}-${i2 + 1}-rust-ldap3-search`,
28334
+ pass: "language-sources",
28335
+ category: "security",
28336
+ rule_id: "ldap_injection",
28337
+ cwe: "CWE-90",
28338
+ severity: "critical",
28339
+ level: "error",
28340
+ message: "LDAP injection: ldap3 `LdapConn::search(..., &<tainted filter>, ...)` lets the attacker break out of the filter expression and enumerate the directory. Escape the user input or use a structured filter builder.",
28341
+ file,
28342
+ line: i2 + 1,
28343
+ snippet: lines[i2].trim()
28344
+ });
28345
+ }
28346
+ }
28347
+ return findings;
28348
+ }
28349
+ function findRustLogInjectionFindings(code, file) {
28350
+ const findings = [];
28351
+ if (typeof code !== "string" || code.length === 0) return findings;
28352
+ if (!/\b(?:info|warn|error|debug|trace)\s*!\s*\(/.test(code)) return findings;
28353
+ if (!/\b(?:log|tracing)\b/.test(code)) return findings;
28354
+ const lines = code.split("\n");
28355
+ const extractorTypeRe = /:\s*(?:String|Bytes|bytes::Bytes|axum::body::Bytes|web::Query\b|web::Path\b|web::Form\b|web::Json\b|HttpRequest\b|actix_web::HttpRequest\b)/;
28356
+ const fns = [];
28357
+ let cur = null;
28358
+ for (let i2 = 0; i2 < lines.length; i2++) {
28359
+ const t = lines[i2];
28360
+ if (/^\s*(?:pub\s+)?(?:async\s+)?fn\s+\w+\s*\(/.test(t)) {
28361
+ if (cur) {
28362
+ cur.end = i2 - 1;
28363
+ fns.push(cur);
28364
+ }
28365
+ cur = { start: i2, end: lines.length - 1, tainted: /* @__PURE__ */ new Set() };
28366
+ let headerJoined = "";
28367
+ for (let j = i2; j < Math.min(i2 + 12, lines.length); j++) {
28368
+ headerJoined += lines[j];
28369
+ if (/\{\s*$/.test(lines[j])) break;
28370
+ }
28371
+ const open = headerJoined.indexOf("(");
28372
+ const close = headerJoined.lastIndexOf(")");
28373
+ if (open !== -1 && close > open) {
28374
+ const params = headerJoined.substring(open + 1, close);
28375
+ let depth = 0;
28376
+ let buf = "";
28377
+ const parts2 = [];
28378
+ for (const ch of params) {
28379
+ if (ch === "<" || ch === "(") depth++;
28380
+ else if (ch === ">" || ch === ")") depth--;
28381
+ if (ch === "," && depth === 0) {
28382
+ parts2.push(buf);
28383
+ buf = "";
28384
+ continue;
28385
+ }
28386
+ buf += ch;
28387
+ }
28388
+ if (buf.trim().length > 0) parts2.push(buf);
28389
+ for (const p of parts2) {
28390
+ const pm = p.match(/(?:mut\s+)?(\w+)\s*:/);
28391
+ if (!pm) continue;
28392
+ if (extractorTypeRe.test(p)) cur.tainted.add(pm[1]);
28393
+ }
28394
+ }
28395
+ }
28396
+ }
28397
+ if (cur) fns.push(cur);
28398
+ for (const fn of fns) {
28399
+ for (let pass = 0; pass < 3; pass++) {
28400
+ const before = fn.tainted.size;
28401
+ for (let i2 = fn.start; i2 <= fn.end; i2++) {
28402
+ const t = lines[i2].trim();
28403
+ const m = t.match(/^let\s+(?:mut\s+)?(\w+)\s*(?::\s*[^=]+)?=\s*(.+?);?$/);
28404
+ if (!m) continue;
28405
+ const lhs = m[1];
28406
+ const rhs = m[2];
28407
+ if (fn.tainted.has(lhs)) continue;
28408
+ for (const v of fn.tainted) {
28409
+ if (new RegExp(`\\b${v}\\b`).test(rhs)) {
28410
+ fn.tainted.add(lhs);
28411
+ break;
28412
+ }
28413
+ }
28414
+ }
28415
+ if (fn.tainted.size === before) break;
28416
+ }
28417
+ }
28418
+ const macroRe = /\b(info|warn|error|debug|trace)\s*!\s*\(\s*([^;]+?)\)\s*;?\s*$/;
28419
+ const seen = /* @__PURE__ */ new Set();
28420
+ for (const fn of fns) {
28421
+ if (fn.tainted.size === 0) continue;
28422
+ for (let i2 = fn.start; i2 <= fn.end; i2++) {
28423
+ const line = lines[i2];
28424
+ const m = line.match(macroRe);
28425
+ if (!m) continue;
28426
+ const macroName = m[1];
28427
+ const argSpan = m[2];
28428
+ const parts2 = [];
28429
+ {
28430
+ let d = 0;
28431
+ let b = "";
28432
+ let inStr = null;
28433
+ for (let k = 0; k < argSpan.length; k++) {
28434
+ const ch = argSpan[k];
28435
+ if (inStr) {
28436
+ if (ch === "\\") {
28437
+ b += ch + (argSpan[k + 1] ?? "");
28438
+ k++;
28439
+ continue;
28440
+ }
28441
+ if (ch === inStr) inStr = null;
28442
+ b += ch;
28443
+ continue;
28444
+ }
28445
+ if (ch === '"') {
28446
+ inStr = ch;
28447
+ b += ch;
28448
+ continue;
28449
+ }
28450
+ if (ch === "(" || ch === "[" || ch === "{") d++;
28451
+ else if (ch === ")" || ch === "]" || ch === "}") d--;
28452
+ if (ch === "," && d === 0) {
28453
+ parts2.push(b);
28454
+ b = "";
28455
+ continue;
28456
+ }
28457
+ b += ch;
28458
+ }
28459
+ if (b.trim().length > 0) parts2.push(b);
28460
+ }
28461
+ if (parts2.length < 2) continue;
28462
+ let tainted = false;
28463
+ for (let p = 1; p < parts2.length; p++) {
28464
+ for (const v of fn.tainted) {
28465
+ if (new RegExp(`\\b${v}\\b`).test(parts2[p])) {
28466
+ tainted = true;
28467
+ break;
28468
+ }
28469
+ }
28470
+ if (tainted) break;
28471
+ }
28472
+ if (!tainted) continue;
28473
+ const key = `${i2 + 1}:${macroName}`;
28474
+ if (seen.has(key)) continue;
28475
+ seen.add(key);
28476
+ findings.push({
28477
+ id: `log_injection-${file}-${i2 + 1}-rust-${macroName}`,
28478
+ pass: "language-sources",
28479
+ category: "security",
28480
+ rule_id: "log_injection",
28481
+ cwe: "CWE-117",
28482
+ severity: "medium",
28483
+ level: "warning",
28484
+ message: `Log injection: Rust \`${macroName}!(...)\` interpolates a tainted value into the log line. Unsanitized CRLF lets an attacker forge log entries or split records. Strip control characters or use a structured logging API.`,
28485
+ file,
28486
+ line: i2 + 1,
28487
+ snippet: line.trim()
28488
+ });
28489
+ }
28490
+ }
28491
+ return findings;
28492
+ }
28493
+ function findGoGobDeserializationFindings(code, file) {
28494
+ const findings = [];
28495
+ if (typeof code !== "string" || code.length === 0) return findings;
28496
+ if (!/\bgob\s*\.\s*NewDecoder\s*\(/.test(code)) return findings;
28497
+ if (!/\*http\.Request\b/.test(code) && !/\bhttp\.HandlerFunc\b/.test(code)) {
28498
+ return findings;
28499
+ }
28500
+ const lines = code.split("\n");
28501
+ const decoderFromBody = /* @__PURE__ */ new Set();
28502
+ const newDecoderAssignRe = /^(\w+)\s*(?::=|=)\s*gob\s*\.\s*NewDecoder\s*\(\s*([^)]+)\)/;
28503
+ for (const raw of lines) {
28504
+ const t = raw.trim();
28505
+ if (t.startsWith("//")) continue;
28506
+ const m = t.match(newDecoderAssignRe);
28507
+ if (!m) continue;
28508
+ const lhs = m[1];
28509
+ const arg = m[2];
28510
+ if (/\b\w+\s*\.\s*Body\b/.test(arg)) {
28511
+ decoderFromBody.add(lhs);
28512
+ }
28513
+ }
28514
+ const seen = /* @__PURE__ */ new Set();
28515
+ if (decoderFromBody.size > 0) {
28516
+ for (let i2 = 0; i2 < lines.length; i2++) {
28517
+ const line = lines[i2];
28518
+ if (line.trim().startsWith("//")) continue;
28519
+ const m = line.match(/\b(\w+)\s*\.\s*Decode\s*\(/);
28520
+ if (!m) continue;
28521
+ if (!decoderFromBody.has(m[1])) continue;
28522
+ if (seen.has(i2 + 1)) continue;
28523
+ seen.add(i2 + 1);
28524
+ findings.push({
28525
+ id: `insecure_deserialization-${file}-${i2 + 1}-go-gob`,
28526
+ pass: "language-sources",
28527
+ category: "security",
28528
+ rule_id: "insecure_deserialization",
28529
+ cwe: "CWE-502",
28530
+ severity: "critical",
28531
+ level: "error",
28532
+ message: "Insecure deserialization: `gob.NewDecoder(req.Body).Decode(...)` reconstructs arbitrary registered Go types from attacker-controlled bytes. Use an authenticated framing (signed/MAC payloads), avoid decoding interface{} values, or switch to a schema-bound format (JSON with explicit types, Protocol Buffers).",
28533
+ file,
28534
+ line: i2 + 1,
28535
+ snippet: line.trim()
28536
+ });
28537
+ }
28538
+ }
28539
+ for (let i2 = 0; i2 < lines.length; i2++) {
28540
+ const line = lines[i2];
28541
+ if (line.trim().startsWith("//")) continue;
28542
+ if (!/\bgob\s*\.\s*NewDecoder\s*\(\s*\w+\s*\.\s*Body\s*\)\s*\.\s*Decode\s*\(/.test(
28543
+ line
28544
+ )) {
28545
+ continue;
28546
+ }
28547
+ if (seen.has(i2 + 1)) continue;
28548
+ seen.add(i2 + 1);
28549
+ findings.push({
28550
+ id: `insecure_deserialization-${file}-${i2 + 1}-go-gob-inline`,
28551
+ pass: "language-sources",
28552
+ category: "security",
28553
+ rule_id: "insecure_deserialization",
28554
+ cwe: "CWE-502",
28555
+ severity: "critical",
28556
+ level: "error",
28557
+ message: "Insecure deserialization: `gob.NewDecoder(req.Body).Decode(...)` reconstructs arbitrary registered Go types from attacker-controlled bytes. Use an authenticated framing (signed/MAC payloads), avoid decoding interface{} values, or switch to a schema-bound format (JSON with explicit types, Protocol Buffers).",
28558
+ file,
28559
+ line: i2 + 1,
28560
+ snippet: line.trim()
28561
+ });
28562
+ }
28563
+ return findings;
28564
+ }
28565
+ function findJsJsonParseBodyFindings(code, file) {
28566
+ const findings = [];
28567
+ if (typeof code !== "string" || code.length === 0) return findings;
28568
+ if (!/\bJSON\s*\.\s*parse\s*\(/.test(code)) return findings;
28569
+ if (!/\breq\s*\.\s*body\b/.test(code)) return findings;
28570
+ const lines = code.split("\n");
28571
+ const reqBodyRe = /\breq\s*\.\s*body\b/;
28572
+ const taintedVars = /* @__PURE__ */ new Set();
28573
+ for (let pass = 0; pass < 3; pass++) {
28574
+ const before = taintedVars.size;
28575
+ for (let i2 = 0; i2 < lines.length; i2++) {
28576
+ const t = lines[i2].trim();
28577
+ if (t.startsWith("//")) continue;
28578
+ const m = t.match(/^(?:const|let|var)\s+(\w+)(?:\s*:\s*[^=]+)?\s*=\s*(.+?);?$/);
28579
+ if (!m) continue;
28580
+ const lhs = m[1];
28581
+ const rhs = m[2];
28582
+ if (taintedVars.has(lhs)) continue;
28583
+ if (reqBodyRe.test(rhs)) {
28584
+ taintedVars.add(lhs);
28585
+ continue;
28586
+ }
28587
+ for (const v of taintedVars) {
28588
+ if (new RegExp(`\\b${v}\\b`).test(rhs)) {
28589
+ taintedVars.add(lhs);
28590
+ break;
28591
+ }
28592
+ }
28593
+ }
28594
+ if (taintedVars.size === before) break;
28595
+ }
28596
+ const callRe = /\bJSON\s*\.\s*parse\s*\(\s*([^)]+?)\s*\)/g;
28597
+ const seen = /* @__PURE__ */ new Set();
28598
+ for (let i2 = 0; i2 < lines.length; i2++) {
28599
+ const line = lines[i2];
28600
+ if (line.trim().startsWith("//")) continue;
28601
+ callRe.lastIndex = 0;
28602
+ let m;
28603
+ while ((m = callRe.exec(line)) !== null) {
28604
+ const arg = m[1];
28605
+ let tainted = reqBodyRe.test(arg);
28606
+ if (!tainted) {
28607
+ for (const v of taintedVars) {
28608
+ if (new RegExp(`\\b${v}\\b`).test(arg)) {
28609
+ tainted = true;
28610
+ break;
28611
+ }
28612
+ }
28613
+ }
28614
+ if (!tainted) continue;
28615
+ if (seen.has(i2 + 1)) continue;
28616
+ seen.add(i2 + 1);
28617
+ findings.push({
28618
+ id: `insecure_deserialization-${file}-${i2 + 1}-js-jsonparse-body`,
28619
+ pass: "language-sources",
28620
+ category: "security",
28621
+ rule_id: "insecure_deserialization",
28622
+ cwe: "CWE-502",
28623
+ severity: "high",
28624
+ level: "warning",
28625
+ message: "`JSON.parse(req.body)` deserializes attacker-controlled bytes directly. With `express.text()` / `bodyParser.raw()` middleware `req.body` is an unvetted string; the parsed object can carry a `__proto__` payload that pollutes downstream property lookups. Validate against a schema (zod/ajv) before consuming the value.",
28626
+ file,
28627
+ line: i2 + 1,
28628
+ snippet: line.trim()
28629
+ });
28630
+ }
28631
+ }
28632
+ return findings;
28633
+ }
28634
+ function findJsDomXpathInjectionFindings(code, file) {
28635
+ const findings = [];
28636
+ if (typeof code !== "string" || code.length === 0) return findings;
28637
+ if (!/\.\s*evaluate\s*\(/.test(code)) return findings;
28638
+ if (!/\bXPathResult\b/.test(code)) return findings;
28639
+ const browserSourceRe = /\b(?:location\s*\.\s*(?:search|hash|href)|URLSearchParams|window\s*\.\s*name|document\s*\.\s*cookie)\b/;
28640
+ if (!browserSourceRe.test(code)) return findings;
28641
+ const lines = code.split("\n");
28642
+ const taintedVars = /* @__PURE__ */ new Set();
28643
+ for (let pass = 0; pass < 3; pass++) {
28644
+ const before = taintedVars.size;
28645
+ for (let i2 = 0; i2 < lines.length; i2++) {
28646
+ const t = lines[i2].trim();
28647
+ if (t.startsWith("//")) continue;
28648
+ const m = t.match(/^(?:const|let|var)\s+(\w+)(?:\s*:\s*[^=]+)?\s*=\s*(.+?);?$/);
28649
+ if (!m) continue;
28650
+ const lhs = m[1];
28651
+ const rhs = m[2];
28652
+ if (taintedVars.has(lhs)) continue;
28653
+ if (browserSourceRe.test(rhs)) {
28654
+ taintedVars.add(lhs);
28655
+ continue;
28656
+ }
28657
+ for (const v of taintedVars) {
28658
+ if (new RegExp(`\\b${v}\\b`).test(rhs)) {
28659
+ taintedVars.add(lhs);
28660
+ break;
28661
+ }
28662
+ }
28663
+ }
28664
+ if (taintedVars.size === before) break;
28665
+ }
28666
+ if (taintedVars.size === 0) return findings;
28667
+ const evalRe = /\.\s*evaluate\s*\(\s*([^,)]+)/;
28668
+ const seen = /* @__PURE__ */ new Set();
28669
+ for (let i2 = 0; i2 < lines.length; i2++) {
28670
+ const line = lines[i2];
28671
+ if (line.trim().startsWith("//")) continue;
28672
+ const m = line.match(evalRe);
28673
+ if (!m) continue;
28674
+ const arg = m[1].trim();
28675
+ let tainted = false;
28676
+ for (const v of taintedVars) {
28677
+ if (new RegExp(`\\b${v}\\b`).test(arg)) {
28678
+ tainted = true;
28679
+ break;
28680
+ }
28681
+ }
28682
+ if (!tainted) continue;
28683
+ if (seen.has(i2 + 1)) continue;
28684
+ seen.add(i2 + 1);
28685
+ findings.push({
28686
+ id: `xpath_injection-${file}-${i2 + 1}-js-dom-evaluate`,
28687
+ pass: "language-sources",
28688
+ category: "security",
28689
+ rule_id: "xpath_injection",
28690
+ cwe: "CWE-643",
28691
+ severity: "high",
28692
+ level: "warning",
28693
+ message: "XPath injection: `document.evaluate(<tainted>, ...)` lets the attacker break out of the XPath expression and read sibling nodes. Bind user input through XPath variables / parameterized expressions, or escape with an allowlist before concatenation.",
28694
+ file,
28695
+ line: i2 + 1,
28696
+ snippet: line.trim()
28697
+ });
28698
+ }
28699
+ return findings;
28700
+ }
28701
+ function findGoXmlDecoderXxeFindings(code, file) {
28702
+ const findings = [];
28703
+ if (typeof code !== "string" || code.length === 0) return findings;
28704
+ if (!/\bxml\s*\.\s*NewDecoder\s*\(/.test(code)) return findings;
28705
+ if (!/\*http\.Request\b/.test(code) && !/\bhttp\.HandlerFunc\b/.test(code)) {
28706
+ return findings;
28707
+ }
28708
+ const lines = code.split("\n");
28709
+ const decoderFromBody = /* @__PURE__ */ new Map();
28710
+ for (let i2 = 0; i2 < lines.length; i2++) {
28711
+ const t = lines[i2].trim();
28712
+ if (t.startsWith("//")) continue;
28713
+ const m = t.match(
28714
+ /^(\w+)\s*(?::=|=)\s*xml\s*\.\s*NewDecoder\s*\(\s*([^)]+)\)/
28715
+ );
28716
+ if (!m) continue;
28717
+ if (/\b\w+\s*\.\s*Body\b/.test(m[2])) decoderFromBody.set(m[1], i2);
28718
+ }
28719
+ if (decoderFromBody.size === 0) return findings;
28720
+ const seen = /* @__PURE__ */ new Set();
28721
+ for (let i2 = 0; i2 < lines.length; i2++) {
28722
+ const line = lines[i2];
28723
+ if (line.trim().startsWith("//")) continue;
28724
+ const m = line.match(
28725
+ /\b(\w+)\s*\.\s*(?:Strict\s*=\s*false|Entity\s*=)\b/
28726
+ );
28727
+ if (!m) continue;
28728
+ if (!decoderFromBody.has(m[1])) continue;
28729
+ if (seen.has(i2 + 1)) continue;
28730
+ seen.add(i2 + 1);
28731
+ findings.push({
28732
+ id: `xml_entity_expansion-${file}-${i2 + 1}-go-xml-decoder`,
28733
+ pass: "language-sources",
28734
+ category: "security",
28735
+ rule_id: "xml_entity_expansion",
28736
+ cwe: "CWE-611",
28737
+ severity: "high",
28738
+ level: "warning",
28739
+ message: "XXE: Go `xml.NewDecoder(req.Body)` with `Strict = false` (or a custom `Entity` map) allows entity references that the standard library normally rejects. Keep `Strict = true` and avoid setting `Entity` from attacker-controlled inputs.",
28740
+ file,
28741
+ line: i2 + 1,
28742
+ snippet: line.trim()
28743
+ });
28744
+ }
28745
+ return findings;
28746
+ }
28747
+ function findPythonJinjaTemplateSstiFindings(code, file) {
28748
+ const findings = [];
28749
+ if (typeof code !== "string" || code.length === 0) return findings;
28750
+ if (!/\bfrom\s+jinja2\s+import\s+[^#\n]*\bTemplate\b/.test(code) && !/\bjinja2\s*\.\s*Template\b/.test(code)) {
28751
+ return findings;
28752
+ }
28753
+ const reqExtractRe = /\brequest\s*\.\s*(?:args|form|values|json|data|cookies|headers)\b/;
28754
+ if (!reqExtractRe.test(code)) return findings;
28755
+ const lines = code.split("\n");
28756
+ const taintedVars = /* @__PURE__ */ new Set();
28757
+ for (let pass = 0; pass < 3; pass++) {
28758
+ const before = taintedVars.size;
28759
+ for (let i2 = 0; i2 < lines.length; i2++) {
28760
+ const t = lines[i2].trim();
28761
+ if (t.startsWith("#")) continue;
28762
+ const m = t.match(/^(\w+)\s*=\s*(.+?)$/);
28763
+ if (!m) continue;
28764
+ const lhs = m[1];
28765
+ const rhs = m[2];
28766
+ if (taintedVars.has(lhs)) continue;
28767
+ if (reqExtractRe.test(rhs)) {
28768
+ taintedVars.add(lhs);
28769
+ continue;
28770
+ }
28771
+ for (const v of taintedVars) {
28772
+ if (new RegExp(`\\b${v}\\b`).test(rhs)) {
28773
+ taintedVars.add(lhs);
28774
+ break;
28775
+ }
28776
+ }
28777
+ }
28778
+ if (taintedVars.size === before) break;
28779
+ }
28780
+ if (taintedVars.size === 0) return findings;
28781
+ const ctorRe = /\b(?:jinja2\s*\.\s*)?Template\s*\(\s*([^)]+?)\s*\)/;
28782
+ const seen = /* @__PURE__ */ new Set();
28783
+ for (let i2 = 0; i2 < lines.length; i2++) {
28784
+ const line = lines[i2];
28785
+ if (line.trim().startsWith("#")) continue;
28786
+ const m = line.match(ctorRe);
28787
+ if (!m) continue;
28788
+ const arg = m[1].trim();
28789
+ let tainted = reqExtractRe.test(arg);
28790
+ if (!tainted) {
28791
+ for (const v of taintedVars) {
28792
+ if (new RegExp(`\\b${v}\\b`).test(arg)) {
28793
+ tainted = true;
28794
+ break;
28795
+ }
28796
+ }
28797
+ }
28798
+ if (!tainted) continue;
28799
+ if (seen.has(i2 + 1)) continue;
28800
+ seen.add(i2 + 1);
28801
+ findings.push({
28802
+ id: `template_injection-${file}-${i2 + 1}-py-jinja-template`,
28803
+ pass: "language-sources",
28804
+ category: "security",
28805
+ rule_id: "template_injection",
28806
+ cwe: "CWE-1336",
28807
+ severity: "critical",
28808
+ level: "error",
28809
+ message: "Server-side template injection: `jinja2.Template(<tainted>).render()` compiles attacker-controlled source. Sandbox-escape gadgets such as `{{ ().__class__.__bases__[0].__subclasses__() }}` lead to RCE. Render fixed templates with user data passed as context variables.",
28810
+ file,
28811
+ line: i2 + 1,
28812
+ snippet: line.trim()
28813
+ });
28814
+ }
28815
+ return findings;
28816
+ }
28817
+ function findJsTemplateInjectionSstiFindings(code, file) {
28818
+ const findings = [];
28819
+ if (typeof code !== "string" || code.length === 0) return findings;
28820
+ if (!/\bHandlebars\s*\.\s*compile\s*\(/.test(code) && !/\bejs\s*\.\s*(?:render|compile)\s*\(/.test(code)) {
28821
+ return findings;
28822
+ }
28823
+ if (!/\breq\s*\.\s*(?:query|body|params|headers|cookies)\b/.test(code)) {
28824
+ return findings;
28825
+ }
28826
+ const lines = code.split("\n");
28827
+ const reqExtractRe = /\breq\s*\.\s*(?:query|body|params|headers|cookies)\b/;
28828
+ const taintedVars = /* @__PURE__ */ new Set();
28829
+ for (let pass = 0; pass < 3; pass++) {
28830
+ const before = taintedVars.size;
28831
+ for (let i2 = 0; i2 < lines.length; i2++) {
28832
+ const t = lines[i2].trim();
28833
+ if (t.startsWith("//")) continue;
28834
+ const m = t.match(/^(?:const|let|var)\s+(\w+)(?:\s*:\s*[^=]+)?\s*=\s*(.+?);?$/);
28835
+ if (!m) continue;
28836
+ const lhs = m[1];
28837
+ const rhs = m[2];
28838
+ if (taintedVars.has(lhs)) continue;
28839
+ if (reqExtractRe.test(rhs)) {
28840
+ taintedVars.add(lhs);
28841
+ continue;
28842
+ }
28843
+ for (const v of taintedVars) {
28844
+ if (new RegExp(`\\b${v}\\b`).test(rhs)) {
28845
+ taintedVars.add(lhs);
28846
+ break;
28847
+ }
28848
+ }
28849
+ }
28850
+ if (taintedVars.size === before) break;
28851
+ }
28852
+ if (taintedVars.size === 0) return findings;
28853
+ const callRe = /\b(Handlebars\s*\.\s*compile|ejs\s*\.\s*(?:render|compile))\s*\(\s*([^,)]+)/;
28854
+ const seen = /* @__PURE__ */ new Set();
28855
+ for (let i2 = 0; i2 < lines.length; i2++) {
28856
+ const line = lines[i2];
28857
+ if (line.trim().startsWith("//")) continue;
28858
+ const m = line.match(callRe);
28859
+ if (!m) continue;
28860
+ const arg = m[2].trim();
28861
+ let tainted = reqExtractRe.test(arg);
28862
+ if (!tainted) {
28863
+ for (const v of taintedVars) {
28864
+ if (new RegExp(`\\b${v}\\b`).test(arg)) {
28865
+ tainted = true;
28866
+ break;
28867
+ }
28868
+ }
28869
+ }
28870
+ if (!tainted) continue;
28871
+ if (seen.has(i2 + 1)) continue;
28872
+ seen.add(i2 + 1);
28873
+ findings.push({
28874
+ id: `template_injection-${file}-${i2 + 1}-js-${m[1].replace(/[\s.]/g, "").toLowerCase()}`,
28875
+ pass: "language-sources",
28876
+ category: "security",
28877
+ rule_id: "template_injection",
28878
+ cwe: "CWE-1336",
28879
+ severity: "critical",
28880
+ level: "error",
28881
+ message: "Server-side template injection: compiling/rendering a template whose source is attacker-controlled (`Handlebars.compile(...)` / `ejs.render(...)`) opens helper-shadowing and prototype-gadget RCE paths. Use a fixed template and pass user data as context.",
28882
+ file,
28883
+ line: i2 + 1,
28884
+ snippet: line.trim()
28885
+ });
28886
+ }
28887
+ return findings;
28888
+ }
27926
28889
 
27927
28890
  // src/analysis/passes/sink-filter-pass.ts
27928
28891
  var JS_XSS_SANITIZERS = [