circle-ir 3.14.0 → 3.15.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/analysis/passes/n-plus-one-pass.js +18 -3
- package/dist/analysis/passes/n-plus-one-pass.js.map +1 -1
- package/dist/analysis/passes/null-deref-pass.js +17 -1
- package/dist/analysis/passes/null-deref-pass.js.map +1 -1
- package/dist/analysis/passes/sink-filter-pass.js +70 -8
- package/dist/analysis/passes/sink-filter-pass.js.map +1 -1
- package/dist/browser/circle-ir.js +55 -10
- package/package.json +1 -1
|
@@ -46,13 +46,28 @@ const MEDIUM_CONFIDENCE_DB_METHODS = new Set([
|
|
|
46
46
|
'get', 'post', 'put', 'patch', 'request',
|
|
47
47
|
'load', 'lookup',
|
|
48
48
|
]);
|
|
49
|
-
/**
|
|
50
|
-
|
|
49
|
+
/**
|
|
50
|
+
* Receiver patterns that indicate a DB or HTTP client.
|
|
51
|
+
*
|
|
52
|
+
* Two-tier matching:
|
|
53
|
+
* 1. Prefix match: names starting with db, conn, pool, repo, etc.
|
|
54
|
+
* 2. Suffix match: names ending with Repository, Repo, Dao, Service, Client, etc.
|
|
55
|
+
*
|
|
56
|
+
* This catches both `dbConnection.query()` and `userRepository.find()`.
|
|
57
|
+
*/
|
|
58
|
+
const DB_OR_HTTP_RECEIVER_PREFIX = /^(db|conn|connection|pool|client|repo|repository|orm|em|entityManager|sequelize|mongoose|prisma|axios|http|https|api|svc|service|dao|store|cache|gql|graphql|mongo|redis|sql|pg|mysql|sqlite|dynamo|cosmos|elastic|es|solr|neo4j|cassandra|couchbase|firestore|supabase|drizzle|knex|typeorm|mikro)/i;
|
|
59
|
+
const DB_OR_HTTP_RECEIVER_SUFFIX = /(?:Repository|Repo|Dao|DataSource|DbContext|Client|Service|Store|Cache|Gateway|Adapter|Provider|Manager|Handler|Proxy|Facade|Connection|Pool|Session|Template|Mapper|Access|Query|Command|Storage|Bucket|Table|Collection|Index)$/;
|
|
60
|
+
/**
|
|
61
|
+
* Check if a receiver name indicates a DB or HTTP client.
|
|
62
|
+
*/
|
|
63
|
+
function isDbOrHttpReceiver(receiver) {
|
|
64
|
+
return DB_OR_HTTP_RECEIVER_PREFIX.test(receiver) || DB_OR_HTTP_RECEIVER_SUFFIX.test(receiver);
|
|
65
|
+
}
|
|
51
66
|
function isDbOrApiCall(call) {
|
|
52
67
|
if (HIGH_CONFIDENCE_DB_METHODS.has(call.method_name))
|
|
53
68
|
return true;
|
|
54
69
|
if (MEDIUM_CONFIDENCE_DB_METHODS.has(call.method_name)) {
|
|
55
|
-
return call.receiver != null &&
|
|
70
|
+
return call.receiver != null && isDbOrHttpReceiver(call.receiver);
|
|
56
71
|
}
|
|
57
72
|
return false;
|
|
58
73
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"n-plus-one-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/n-plus-one-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH;;;GAGG;AACH,MAAM,0BAA0B,GAAwB,IAAI,GAAG,CAAC;IAC9D,iBAAiB;IACjB,cAAc,EAAE,eAAe,EAAE,kBAAkB,EAAE,aAAa;IAClE,oBAAoB;IACpB,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,YAAY;IAC5D,WAAW;IACX,mBAAmB,EAAE,mBAAmB;IACxC,kBAAkB,EAAE,kBAAkB;IACtC,gBAAgB,EAAE,WAAW,EAAE,UAAU;IACzC,YAAY;IACZ,UAAU,EAAE,iBAAiB,EAAE,YAAY,EAAE,YAAY;IACzD,SAAS;IACT,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY;IAC/E,UAAU;IACV,OAAO;CACR,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,4BAA4B,GAAwB,IAAI,GAAG,CAAC;IAChE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS;IACrC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ;IAClE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS;IACxC,MAAM,EAAE,QAAQ;CACjB,CAAC,CAAC;AAEH,
|
|
1
|
+
{"version":3,"file":"n-plus-one-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/n-plus-one-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH;;;GAGG;AACH,MAAM,0BAA0B,GAAwB,IAAI,GAAG,CAAC;IAC9D,iBAAiB;IACjB,cAAc,EAAE,eAAe,EAAE,kBAAkB,EAAE,aAAa;IAClE,oBAAoB;IACpB,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,YAAY;IAC5D,WAAW;IACX,mBAAmB,EAAE,mBAAmB;IACxC,kBAAkB,EAAE,kBAAkB;IACtC,gBAAgB,EAAE,WAAW,EAAE,UAAU;IACzC,YAAY;IACZ,UAAU,EAAE,iBAAiB,EAAE,YAAY,EAAE,YAAY;IACzD,SAAS;IACT,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY;IAC/E,UAAU;IACV,OAAO;CACR,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,4BAA4B,GAAwB,IAAI,GAAG,CAAC;IAChE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS;IACrC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ;IAClE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS;IACxC,MAAM,EAAE,QAAQ;CACjB,CAAC,CAAC;AAEH;;;;;;;;GAQG;AACH,MAAM,0BAA0B,GAAG,sSAAsS,CAAC;AAE1U,MAAM,0BAA0B,GAAG,mOAAmO,CAAC;AAEvQ;;GAEG;AACH,SAAS,kBAAkB,CAAC,QAAgB;IAC1C,OAAO,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AAChG,CAAC;AAED,SAAS,aAAa,CAAC,IAAc;IACnC,IAAI,0BAA0B,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,IAAI,4BAA4B,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QACvD,OAAO,IAAI,CAAC,QAAQ,IAAI,IAAI,IAAI,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAOD,MAAM,OAAO,YAAY;IACd,IAAI,GAAG,YAAY,CAAC;IACpB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;QACtB,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEhC,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;QAEnD,MAAM,WAAW,GAAe,EAAE,CAAC;QAEnC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEnC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAChC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,UAAU,IAAI,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC;YACzE,IAAI,CAAC,IAAI;gBAAE,SAAS;YAEpB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAEvB,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,cAAc,IAAI,IAAI,IAAI,EAAE;gBAChC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,UAAU;gBACf,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,gBAAgB,IAAI,CAAC,WAAW,+BAA+B;oBAC/D,eAAe,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,uBAAuB;gBACxE,IAAI;gBACJ,IAAI;gBACJ,GAAG,EAAE,UAAU,IAAI,CAAC,WAAW,+CAA+C;gBAC9E,QAAQ,EAAE;oBACR,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,SAAS;iBACrC;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,WAAW,EAAE,CAAC;IACzB,CAAC;CACF"}
|
|
@@ -32,6 +32,11 @@ function escRe(s) {
|
|
|
32
32
|
* - Python: `x is not None`, `if x:`
|
|
33
33
|
* - Optional chaining: `x?.`
|
|
34
34
|
* - Optional API: `x.isPresent()`, `Optional`
|
|
35
|
+
* - Java assertions: `assert x != null`
|
|
36
|
+
* - Java stdlib: `Objects.requireNonNull(x)`
|
|
37
|
+
* - Guava: `Preconditions.checkNotNull(x)`
|
|
38
|
+
* - Spring: `Assert.notNull(x, ...)`
|
|
39
|
+
* - JUnit/TestNG: `assertNotNull(x)`
|
|
35
40
|
*/
|
|
36
41
|
function hasNullGuard(codeLines, varName, fromLine, toLine) {
|
|
37
42
|
const esc = escRe(varName);
|
|
@@ -45,7 +50,18 @@ function hasNullGuard(codeLines, varName, fromLine, toLine) {
|
|
|
45
50
|
`|if\\s*\\(\\s*${esc}\\s*[)!&|]` + // if (x), if (!x)
|
|
46
51
|
`|if\\s+${esc}\\s*:` + // Python: if x:
|
|
47
52
|
`|\\b${esc}\\b\\s*\\.\\s*isPresent\\(\\)` + // Optional.isPresent()
|
|
48
|
-
`|\\bOptional\\b`
|
|
53
|
+
`|\\bOptional\\b` +
|
|
54
|
+
// Java assertion: assert x != null
|
|
55
|
+
`|\\bassert\\s+${esc}\\s*!=\\s*null\\b` +
|
|
56
|
+
`|\\bassert\\s+null\\s*!=\\s*${esc}\\b` +
|
|
57
|
+
// Java stdlib: Objects.requireNonNull(x) or requireNonNull(x)
|
|
58
|
+
`|\\b(?:Objects\\.)?requireNonNull\\s*\\(\\s*${esc}\\b` +
|
|
59
|
+
// Guava: Preconditions.checkNotNull(x) or checkNotNull(x)
|
|
60
|
+
`|\\b(?:Preconditions\\.)?checkNotNull\\s*\\(\\s*${esc}\\b` +
|
|
61
|
+
// Spring: Assert.notNull(x, ...) or notNull(x)
|
|
62
|
+
`|\\b(?:Assert\\.)?notNull\\s*\\(\\s*${esc}\\b` +
|
|
63
|
+
// JUnit/TestNG: assertNotNull(x) or Assertions.assertNotNull(x)
|
|
64
|
+
`|\\b(?:Assertions?\\.)?assertNotNull\\s*\\(\\s*${esc}\\b`);
|
|
49
65
|
for (let l = fromLine; l < toLine; l++) {
|
|
50
66
|
const line = codeLines[l - 1] ?? '';
|
|
51
67
|
if (pattern.test(line))
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"null-deref-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/null-deref-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAIH,oEAAoE;AACpE,MAAM,YAAY,GAAG,+BAA+B,CAAC;AAErD,kDAAkD;AAClD,SAAS,KAAK,CAAC,CAAS;IACtB,OAAO,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;AAClD,CAAC;AAED
|
|
1
|
+
{"version":3,"file":"null-deref-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/null-deref-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAIH,oEAAoE;AACpE,MAAM,YAAY,GAAG,+BAA+B,CAAC;AAErD,kDAAkD;AAClD,SAAS,KAAK,CAAC,CAAS;IACtB,OAAO,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;AAClD,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAS,YAAY,CACnB,SAAmB,EACnB,OAAe,EACf,QAAgB,EAChB,MAAc;IAEd,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;IAC3B,mDAAmD;IACnD,MAAM,OAAO,GAAG,IAAI,MAAM,CACxB,MAAM,GAAG,sCAAsC;QAC/C,wCAAwC,GAAG,KAAK;QAChD,OAAO,GAAG,sCAAsC,GAAK,oBAAoB;QACzE,wCAAwC,GAAG,KAAK;QAChD,gCAAgC,GAAG,KAAK,GAAa,qBAAqB;QAC1E,OAAO,GAAG,8BAA8B;QACxC,iBAAiB,GAAG,YAAY,GAAoB,kBAAkB;QACtE,UAAU,GAAG,OAAO,GAAiC,gBAAgB;QACrE,OAAO,GAAG,+BAA+B,GAAY,uBAAuB;QAC5E,iBAAiB;QACjB,mCAAmC;QACnC,iBAAiB,GAAG,mBAAmB;QACvC,+BAA+B,GAAG,KAAK;QACvC,8DAA8D;QAC9D,+CAA+C,GAAG,KAAK;QACvD,0DAA0D;QAC1D,mDAAmD,GAAG,KAAK;QAC3D,+CAA+C;QAC/C,uCAAuC,GAAG,KAAK;QAC/C,gEAAgE;QAChE,kDAAkD,GAAG,KAAK,CAC3D,CAAC;IAEF,KAAK,IAAI,CAAC,GAAG,QAAQ,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACpC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;IACtC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAWD,MAAM,OAAO,aAAa;IACf,IAAI,GAAG,YAAY,CAAC;IACpB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEtC,kEAAkE;QAClE,sCAAsC;QACtC,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/C,OAAO,EAAE,mBAAmB,EAAE,EAAE,EAAE,CAAC;QACrC,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,mBAAmB,GAA2C,EAAE,CAAC;QACvE,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,kCAAkC;QAEtE,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACpC,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;gBAAE,SAAS;YAEpE,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC;YAC7B,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC;YAEzB,0DAA0D;YAC1D,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;YAC/C,MAAM,SAAS,GAAG,UAAU,EAAE,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,gBAAgB,CAAC;YAEzE,0DAA0D;YAC1D,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAErC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC;gBAEzB,8DAA8D;gBAC9D,IAAI,OAAO,IAAI,OAAO,IAAI,OAAO,GAAG,SAAS;oBAAE,SAAS;gBAExD,gEAAgE;gBAChE,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;gBAC/C,MAAM,cAAc,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC;gBAErE,oDAAoD;gBACpD,MAAM,QAAQ,GAAG,SAAS,CAAC,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC9C,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;gBAChE,MAAM,aAAa,GAAG,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAEnD,IAAI,CAAC,cAAc,IAAI,CAAC,aAAa;oBAAE,SAAS;gBAEhD,0CAA0C;gBAC1C,MAAM,eAAe,GAAG,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;gBACzE,IAAI,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBAE7C,wEAAwE;gBACxE,IAAI,YAAY,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,GAAG,CAAC,EAAE,OAAO,CAAC;oBAAE,SAAS;gBAErE,MAAM,GAAG,GAAG,GAAG,OAAO,IAAI,OAAO,EAAE,CAAC;gBACpC,IAAI,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAChC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAElB,mBAAmB,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;gBAElE,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,cAAc,IAAI,IAAI,OAAO,EAAE;oBACnC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,gCAAgC,OAAO,+BAA+B,OAAO,GAAG;wBAChF,uBAAuB,OAAO,uBAAuB;oBACvD,IAAI;oBACJ,IAAI,EAAE,OAAO;oBACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE;oBACxB,GAAG,EAAE,gDAAgD,OAAO,qBAAqB;oBACjF,QAAQ,EAAE;wBACR,QAAQ,EAAE,OAAO;wBACjB,gBAAgB,EAAE,OAAO;qBAC1B;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,mBAAmB,EAAE,CAAC;IACjC,CAAC;CACF"}
|
|
@@ -15,6 +15,27 @@
|
|
|
15
15
|
* Depends on: taint-matcher, constant-propagation, language-sources
|
|
16
16
|
*/
|
|
17
17
|
import { JS_TAINTED_PATTERNS } from './language-sources-pass.js';
|
|
18
|
+
/**
|
|
19
|
+
* Common XSS sanitizer patterns for JavaScript/TypeScript.
|
|
20
|
+
* These indicate the assigned value has been sanitized before use.
|
|
21
|
+
*/
|
|
22
|
+
const JS_XSS_SANITIZERS = [
|
|
23
|
+
/\bDOMPurify\.sanitize\s*\(/,
|
|
24
|
+
/\bsanitizeHtml\s*\(/,
|
|
25
|
+
/\bsanitize\s*\(/,
|
|
26
|
+
/\bescapeHtml\s*\(/,
|
|
27
|
+
/\bescapeHTML\s*\(/,
|
|
28
|
+
/\bhtmlEscape\s*\(/,
|
|
29
|
+
/\bxss\s*\(/, // xss library
|
|
30
|
+
/\bxssFilters\./, // xss-filters library
|
|
31
|
+
/\bvalidator\.escape\s*\(/,
|
|
32
|
+
/\b(?:he|entities)\.encode\s*\(/,
|
|
33
|
+
/\bencodeURIComponent\s*\(/,
|
|
34
|
+
/\bencodeURI\s*\(/,
|
|
35
|
+
/\bcreateSafeHTML\s*\(/,
|
|
36
|
+
/\btrustAsHtml\s*\(/, // Angular
|
|
37
|
+
/\bbypassSecurityTrust/, // Angular
|
|
38
|
+
];
|
|
18
39
|
export class SinkFilterPass {
|
|
19
40
|
name = 'sink-filter';
|
|
20
41
|
category = 'security';
|
|
@@ -63,19 +84,60 @@ export class SinkFilterPass {
|
|
|
63
84
|
// Stage 6 — JavaScript XSS FP reduction
|
|
64
85
|
if (['javascript', 'typescript'].includes(language)) {
|
|
65
86
|
const { jsTaintedVars } = langSources;
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
87
|
+
const sourceLines = ctx.code.split('\n');
|
|
88
|
+
filtered = filtered.filter(sink => {
|
|
89
|
+
if (sink.type !== 'xss')
|
|
90
|
+
return true;
|
|
91
|
+
const sinkLineText = sourceLines[sink.line - 1] ?? '';
|
|
92
|
+
// 6a. If a sanitizer is used on this line, suppress the finding
|
|
93
|
+
if (JS_XSS_SANITIZERS.some(p => p.test(sinkLineText)))
|
|
94
|
+
return false;
|
|
95
|
+
// 6b. If the RHS is a pure string literal, suppress (e.g., `.innerHTML = "<div>Hello</div>"`)
|
|
96
|
+
// Match: `.innerHTML = "..."` or `.innerHTML = '...'` or `.innerHTML = `...``
|
|
97
|
+
const assignmentMatch = sinkLineText.match(/\.(?:innerHTML|outerHTML)\s*=\s*(.+)/);
|
|
98
|
+
if (assignmentMatch) {
|
|
99
|
+
// Strip trailing semicolon and whitespace
|
|
100
|
+
const rhs = assignmentMatch[1].trim().replace(/;$/, '').trim();
|
|
101
|
+
// Pure double-quoted string literal
|
|
102
|
+
if (/^"[^"]*"$/.test(rhs))
|
|
103
|
+
return false;
|
|
104
|
+
// Pure single-quoted string literal
|
|
105
|
+
if (/^'[^']*'$/.test(rhs))
|
|
106
|
+
return false;
|
|
107
|
+
// Template literal without interpolation
|
|
108
|
+
if (/^`[^`]*`$/.test(rhs) && !rhs.includes('${'))
|
|
109
|
+
return false;
|
|
110
|
+
// Empty string
|
|
111
|
+
if (rhs === '""' || rhs === "''" || rhs === '``')
|
|
112
|
+
return false;
|
|
113
|
+
}
|
|
114
|
+
// 6c. If known tainted vars exist, require one on this line to keep the sink
|
|
115
|
+
if (jsTaintedVars.size > 0) {
|
|
72
116
|
if ([...jsTaintedVars.keys()].some(v => new RegExp(`\\b${v}\\b`).test(sinkLineText)))
|
|
73
117
|
return true;
|
|
74
118
|
if (JS_TAINTED_PATTERNS.some(p => p.pattern.test(sinkLineText)))
|
|
75
119
|
return true;
|
|
76
120
|
return false;
|
|
77
|
-
}
|
|
78
|
-
|
|
121
|
+
}
|
|
122
|
+
// 6d. No tainted vars tracked — check if line has any obvious taint source patterns
|
|
123
|
+
// If none found and RHS looks like a variable, keep the sink (conservative)
|
|
124
|
+
if (JS_TAINTED_PATTERNS.some(p => p.pattern.test(sinkLineText)))
|
|
125
|
+
return true;
|
|
126
|
+
// 6e. Check if RHS is a known constant from constant propagation
|
|
127
|
+
if (assignmentMatch) {
|
|
128
|
+
const rhsClean = assignmentMatch[1].trim().replace(/;$/, '').trim();
|
|
129
|
+
// If RHS is just an identifier, check if it's a known constant
|
|
130
|
+
const identMatch = rhsClean.match(/^(\w+)$/);
|
|
131
|
+
if (identMatch) {
|
|
132
|
+
const varName = identMatch[1];
|
|
133
|
+
const symbolInfo = constProp.symbols.get(varName);
|
|
134
|
+
if (symbolInfo && symbolInfo.type === 'string')
|
|
135
|
+
return false;
|
|
136
|
+
}
|
|
137
|
+
}
|
|
138
|
+
// Default: keep the sink (conservative when no taint info available)
|
|
139
|
+
return true;
|
|
140
|
+
});
|
|
79
141
|
}
|
|
80
142
|
return { sources, sinks: filtered, sanitizers };
|
|
81
143
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sink-filter-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/sink-filter-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAOH,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAUjE,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,aAAa,CAAC;IACrB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;QAEhC,MAAM,YAAY,GAAG,GAAG,CAAC,SAAS,CAAqB,eAAe,CAAC,CAAC;QACxE,MAAM,SAAS,GAAM,GAAG,CAAC,SAAS,CAA2B,sBAAsB,CAAC,CAAC;QACrF,MAAM,WAAW,GAAI,GAAG,CAAC,SAAS,CAAwB,kBAAkB,CAAC,CAAC;QAE9E,qDAAqD;QACrD,MAAM,OAAO,GAAkB,CAAC,GAAG,YAAY,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,iBAAiB,CAAC,CAAC;QAE3F,qFAAqF;QACrF,MAAM,KAAK,GAAgB,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QACnD,KAAK,MAAM,CAAC,IAAI,WAAW,CAAC,eAAe,EAAE,CAAC;YAC5C,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChF,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAChB,CAAC;QACH,CAAC;QACD,MAAM,UAAU,GAAG,YAAY,CAAC,UAAU,CAAC;QAE3C,sBAAsB;QACtB,IAAI,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAEhF,iCAAiC;QACjC,QAAQ,GAAG,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,SAAS,CAAC,oBAAoB,EAAE,SAAS,CAAC,OAAO,CAAC,CAAC;QAErG,4BAA4B;QAC5B,QAAQ,GAAG,wBAAwB,CACjC,QAAQ,EAAE,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,OAAO,EACrD,GAAG,EAAE,SAAS,CAAC,aAAa,EAAE,SAAS,CAAC,iBAAiB,CAC1D,CAAC;QAEF,4BAA4B;QAC5B,QAAQ,GAAG,oBAAoB,CAAC,QAAQ,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;QAE7D,sCAAsC;QACtC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,WAAW,CAAC;YACvD,MAAM,WAAW,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACzC,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;gBAChC,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB;oBAAE,OAAO,IAAI,CAAC;gBACjD,MAAM,YAAY,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBACtD,MAAM,gBAAgB,GAAG,CAAC,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC1D,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAC5C,CAAC;gBACF,IAAI,CAAC,gBAAgB;oBAAE,OAAO,KAAK,CAAC;gBACpC,IAAI,eAAe,CAAC,GAAG,CAAC,gBAAgB,CAAC;oBAAE,OAAO,KAAK,CAAC;gBACxD,IAAI,IAAI,MAAM,CAAC,0CAA0C,gBAAgB,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC;oBAAE,OAAO,KAAK,CAAC;gBACjH,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,CAAC;QACL,CAAC;QAED,wCAAwC;QACxC,IAAI,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpD,MAAM,EAAE,aAAa,EAAE,GAAG,WAAW,CAAC;YACtC,IAAI,aAAa,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;gBAC3B,MAAM,WAAW,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBACzC,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;oBAChC,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK;wBAAE,OAAO,IAAI,CAAC;oBACrC,MAAM,YAAY,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;oBACtD,IAAI,CAAC,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;wBAAE,OAAO,IAAI,CAAC;oBAClG,IAAI,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;wBAAE,OAAO,IAAI,CAAC;oBAC7E,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;IAClD,CAAC;CACF;AAUD;;;;GAIG;AACH,SAAS,cAAc,CAAC,KAAa;IACnC,IAAI,GAAG,GAAG,CAAC,CAAC;IAEZ,SAAS,IAAI,KAAa,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACpD,SAAS,OAAO,KAAa,OAAO,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACzD,SAAS,MAAM,KAAW,OAAO,GAAG,GAAG,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,KAAK,GAAG;QAAE,GAAG,EAAE,CAAC,CAAC,CAAC;IAEnF,SAAS,WAAW;QAClB,MAAM,EAAE,CAAC;QACT,IAAI,CAAC,GAAG,EAAE,CAAC;QACX,IAAI,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YAAC,CAAC,IAAI,OAAO,EAAE,CAAC;QAAC,CAAC;QACvC,OAAO,GAAG,GAAG,KAAK,CAAC,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAE,CAAC;YAAE,CAAC,IAAI,OAAO,EAAE,CAAC;QACvE,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QACvC,MAAM,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;QACxB,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAChC,CAAC;IAED,SAAS,WAAW;QAClB,MAAM,EAAE,CAAC;QACT,IAAI,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACnB,OAAO,EAAE,CAAC,CAAC,MAAM;YACjB,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;YACxB,MAAM,EAAE,CAAC;YACT,IAAI,IAAI,EAAE,KAAK,GAAG;gBAAE,OAAO,EAAE,CAAC;YAC9B,OAAO,GAAG,CAAC;QACb,CAAC;QACD,OAAO,WAAW,EAAE,CAAC;IACvB,CAAC;IAED,SAAS,SAAS;QAChB,IAAI,IAAI,GAAG,WAAW,EAAE,CAAC;QACzB,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAC/B,OAAO,IAAI,EAAE,CAAC;YACZ,MAAM,EAAE,CAAC;YACT,MAAM,EAAE,GAAG,IAAI,EAAE,CAAC;YAClB,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG;gBAAE,MAAM;YACpC,OAAO,EAAE,CAAC;YACV,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC;YAC5B,IAAI,KAAK,KAAK,IAAI;gBAAE,OAAO,IAAI,CAAC;YAChC,IAAI,GAAG,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC;YACvE,IAAI,IAAI,KAAK,IAAI;gBAAE,OAAO,IAAI,CAAC;QACjC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,SAAS,SAAS;QAChB,IAAI,IAAI,GAAG,SAAS,EAAE,CAAC;QACvB,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAC/B,OAAO,IAAI,EAAE,CAAC;YACZ,MAAM,EAAE,CAAC;YACT,MAAM,EAAE,GAAG,IAAI,EAAE,CAAC;YAClB,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG;gBAAE,MAAM;YACpC,OAAO,EAAE,CAAC;YACV,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;YAC1B,IAAI,KAAK,KAAK,IAAI;gBAAE,OAAO,IAAI,CAAC;YAChC,IAAI,GAAG,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC;QAClD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAClD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,EAAE,CAAC;IACT,OAAO,GAAG,KAAK,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;AAC9C,CAAC;AAED,SAAS,wBAAwB,CAAC,IAAY,EAAE,OAAgB;IAC9D,IAAI,SAAS,GAAG,IAAI,CAAC;IACrB,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,OAAO,EAAE,CAAC;QAClC,IAAI,GAAG,CAAC,IAAI,KAAK,KAAK,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC/C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,MAAM,IAAI,KAAK,EAAE,GAAG,CAAC,CAAC;YAC/C,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IACD,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;IACzC,IAAI,MAAM,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;IACzE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,yBAAyB,CAAC,IAAY;IAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAClD,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,qBAAqB,CAC5B,KAAiC,EACjC,KAAwB,EACxB,oBAA8C,EAC9C,OAAgB;IAEhB,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;QACzB,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACrD,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,MAAM,gBAAgB,GAAG,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBAC3E,IAAI,gBAAgB,EAAE,CAAC;oBACrB,MAAM,SAAS,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;oBACtC,IAAI,QAAQ,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;oBACnC,QAAQ,GAAG,wBAAwB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;oBACvD,MAAM,cAAc,GAAG,oBAAoB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;oBAC3D,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;wBACjC,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;wBAC1E,IAAI,CAAC,SAAS;4BAAE,OAAO,KAAK,CAAC;oBAC/B,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,KAAiC,EACjC,KAAwB,EACxB,WAAwB,EACxB,OAAgB,EAChB,GAAqB,EACrB,aAA2B,EAC3B,iBAA+B;IAE/B,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,IAAI,GAAG,EAAE,CAAC;QACR,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YAC3B,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO;gBAAE,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;QACzB,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACrD,MAAM,qBAAqB,GAAG,iBAAiB,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC;QAEzE,uFAAuF;QACvF,yFAAyF;QACzF,6FAA6F;QAC7F,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM;YAC/B,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,IAAI,CAAC,MAAM,CAAC;YACxD,CAAC,CAAC,WAAW,CAAC;QAEhB,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;YACjC,IAAI,eAAe,GAAG,IAAI,CAAC;YAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;YAElC,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,IAAI,GAAG,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBACnD,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC;oBAC7B,MAAM,UAAU,GAAG,UAAU,CAAC,CAAC,CAAC,GAAG,UAAU,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;oBAErE,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,qBAAqB,EAAE,CAAC;wBAAC,eAAe,GAAG,KAAK,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBAC7F,IAAI,aAAa,EAAE,GAAG,CAAC,UAAU,CAAC,IAAI,aAAa,EAAE,GAAG,CAAC,OAAO,CAAC;wBAAE,SAAS;oBAC5E,IAAI,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;wBAAC,eAAe,GAAG,KAAK,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBAEnG,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;oBACpE,IAAI,WAAW,IAAI,WAAW,CAAC,IAAI,KAAK,SAAS;wBAAE,SAAS;oBAE5D,eAAe,GAAG,KAAK,CAAC;gBAC1B,CAAC;qBAAM,CAAC;oBACN,IAAI,GAAG,CAAC,OAAO,IAAI,IAAI;wBAAE,SAAS;oBAClC,IAAI,GAAG,CAAC,UAAU,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,yBAAyB,CAAC,GAAG,CAAC,UAAU,CAAC;wBAAE,SAAS;oBAC3F,eAAe,GAAG,KAAK,CAAC;gBAC1B,CAAC;YACH,CAAC;YAED,IAAI,eAAe,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,KAAK,CAAC;QACjE,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,KAAiC,EACjC,UAA2C,EAC3C,KAAwB;IAExB,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAEzD,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAA6B,CAAC;IAC9D,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACtD,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACnB,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;QACzB,MAAM,cAAc,GAAG,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvD,IAAI,CAAC,cAAc,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEhE,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;YACjC,IAAI,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAoC,CAAC,EAAE,CAAC;gBACtE,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBACnD,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;oBAC7B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;wBACjC,MAAM,IAAI,GAAG,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC;wBAClC,MAAM,cAAc,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;wBACjE,IAAI,cAAc,EAAE,CAAC;4BACnB,MAAM,aAAa,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;4BACxC,MAAM,YAAY,GAAI,cAAc,CAAC,CAAC,CAAC,CAAC;4BACxC,IAAI,YAAY,EAAE,CAAC;gCACjB,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,YAAY,IAAI,aAAa,GAAG,CAAC;oCAAE,OAAO,KAAK,CAAC;4BACvE,CAAC;iCAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,aAAa,GAAG,CAAC,EAAE,CAAC;gCAC9C,OAAO,KAAK,CAAC;4BACf,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC"}
|
|
1
|
+
{"version":3,"file":"sink-filter-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/sink-filter-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAOH,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAEjE;;;GAGG;AACH,MAAM,iBAAiB,GAAG;IACxB,4BAA4B;IAC5B,qBAAqB;IACrB,iBAAiB;IACjB,mBAAmB;IACnB,mBAAmB;IACnB,mBAAmB;IACnB,YAAY,EAAe,cAAc;IACzC,gBAAgB,EAAW,sBAAsB;IACjD,0BAA0B;IAC1B,gCAAgC;IAChC,2BAA2B;IAC3B,kBAAkB;IAClB,uBAAuB;IACvB,oBAAoB,EAAO,UAAU;IACrC,uBAAuB,EAAI,UAAU;CACtC,CAAC;AAUF,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,aAAa,CAAC;IACrB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;QAEhC,MAAM,YAAY,GAAG,GAAG,CAAC,SAAS,CAAqB,eAAe,CAAC,CAAC;QACxE,MAAM,SAAS,GAAM,GAAG,CAAC,SAAS,CAA2B,sBAAsB,CAAC,CAAC;QACrF,MAAM,WAAW,GAAI,GAAG,CAAC,SAAS,CAAwB,kBAAkB,CAAC,CAAC;QAE9E,qDAAqD;QACrD,MAAM,OAAO,GAAkB,CAAC,GAAG,YAAY,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,iBAAiB,CAAC,CAAC;QAE3F,qFAAqF;QACrF,MAAM,KAAK,GAAgB,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QACnD,KAAK,MAAM,CAAC,IAAI,WAAW,CAAC,eAAe,EAAE,CAAC;YAC5C,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChF,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAChB,CAAC;QACH,CAAC;QACD,MAAM,UAAU,GAAG,YAAY,CAAC,UAAU,CAAC;QAE3C,sBAAsB;QACtB,IAAI,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAEhF,iCAAiC;QACjC,QAAQ,GAAG,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,SAAS,CAAC,oBAAoB,EAAE,SAAS,CAAC,OAAO,CAAC,CAAC;QAErG,4BAA4B;QAC5B,QAAQ,GAAG,wBAAwB,CACjC,QAAQ,EAAE,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,OAAO,EACrD,GAAG,EAAE,SAAS,CAAC,aAAa,EAAE,SAAS,CAAC,iBAAiB,CAC1D,CAAC;QAEF,4BAA4B;QAC5B,QAAQ,GAAG,oBAAoB,CAAC,QAAQ,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;QAE7D,sCAAsC;QACtC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,WAAW,CAAC;YACvD,MAAM,WAAW,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACzC,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;gBAChC,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB;oBAAE,OAAO,IAAI,CAAC;gBACjD,MAAM,YAAY,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBACtD,MAAM,gBAAgB,GAAG,CAAC,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC1D,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAC5C,CAAC;gBACF,IAAI,CAAC,gBAAgB;oBAAE,OAAO,KAAK,CAAC;gBACpC,IAAI,eAAe,CAAC,GAAG,CAAC,gBAAgB,CAAC;oBAAE,OAAO,KAAK,CAAC;gBACxD,IAAI,IAAI,MAAM,CAAC,0CAA0C,gBAAgB,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC;oBAAE,OAAO,KAAK,CAAC;gBACjH,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,CAAC;QACL,CAAC;QAED,wCAAwC;QACxC,IAAI,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpD,MAAM,EAAE,aAAa,EAAE,GAAG,WAAW,CAAC;YACtC,MAAM,WAAW,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAEzC,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;gBAChC,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK;oBAAE,OAAO,IAAI,CAAC;gBACrC,MAAM,YAAY,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBAEtD,gEAAgE;gBAChE,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;oBAAE,OAAO,KAAK,CAAC;gBAEpE,8FAA8F;gBAC9F,kFAAkF;gBAClF,MAAM,eAAe,GAAG,YAAY,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;gBACnF,IAAI,eAAe,EAAE,CAAC;oBACpB,0CAA0C;oBAC1C,MAAM,GAAG,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC/D,oCAAoC;oBACpC,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC;wBAAE,OAAO,KAAK,CAAC;oBACxC,oCAAoC;oBACpC,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC;wBAAE,OAAO,KAAK,CAAC;oBACxC,yCAAyC;oBACzC,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC;wBAAE,OAAO,KAAK,CAAC;oBAC/D,eAAe;oBACf,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,IAAI;wBAAE,OAAO,KAAK,CAAC;gBACjE,CAAC;gBAED,6EAA6E;gBAC7E,IAAI,aAAa,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;oBAC3B,IAAI,CAAC,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;wBAAE,OAAO,IAAI,CAAC;oBAClG,IAAI,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;wBAAE,OAAO,IAAI,CAAC;oBAC7E,OAAO,KAAK,CAAC;gBACf,CAAC;gBAED,oFAAoF;gBACpF,gFAAgF;gBAChF,IAAI,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;oBAAE,OAAO,IAAI,CAAC;gBAE7E,iEAAiE;gBACjE,IAAI,eAAe,EAAE,CAAC;oBACpB,MAAM,QAAQ,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBACpE,+DAA+D;oBAC/D,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;oBAC7C,IAAI,UAAU,EAAE,CAAC;wBACf,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;wBAC9B,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;wBAClD,IAAI,UAAU,IAAI,UAAU,CAAC,IAAI,KAAK,QAAQ;4BAAE,OAAO,KAAK,CAAC;oBAC/D,CAAC;gBACH,CAAC;gBAED,qEAAqE;gBACrE,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;IAClD,CAAC;CACF;AAUD;;;;GAIG;AACH,SAAS,cAAc,CAAC,KAAa;IACnC,IAAI,GAAG,GAAG,CAAC,CAAC;IAEZ,SAAS,IAAI,KAAa,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACpD,SAAS,OAAO,KAAa,OAAO,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACzD,SAAS,MAAM,KAAW,OAAO,GAAG,GAAG,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,KAAK,GAAG;QAAE,GAAG,EAAE,CAAC,CAAC,CAAC;IAEnF,SAAS,WAAW;QAClB,MAAM,EAAE,CAAC;QACT,IAAI,CAAC,GAAG,EAAE,CAAC;QACX,IAAI,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YAAC,CAAC,IAAI,OAAO,EAAE,CAAC;QAAC,CAAC;QACvC,OAAO,GAAG,GAAG,KAAK,CAAC,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAE,CAAC;YAAE,CAAC,IAAI,OAAO,EAAE,CAAC;QACvE,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QACvC,MAAM,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;QACxB,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAChC,CAAC;IAED,SAAS,WAAW;QAClB,MAAM,EAAE,CAAC;QACT,IAAI,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACnB,OAAO,EAAE,CAAC,CAAC,MAAM;YACjB,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;YACxB,MAAM,EAAE,CAAC;YACT,IAAI,IAAI,EAAE,KAAK,GAAG;gBAAE,OAAO,EAAE,CAAC;YAC9B,OAAO,GAAG,CAAC;QACb,CAAC;QACD,OAAO,WAAW,EAAE,CAAC;IACvB,CAAC;IAED,SAAS,SAAS;QAChB,IAAI,IAAI,GAAG,WAAW,EAAE,CAAC;QACzB,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAC/B,OAAO,IAAI,EAAE,CAAC;YACZ,MAAM,EAAE,CAAC;YACT,MAAM,EAAE,GAAG,IAAI,EAAE,CAAC;YAClB,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG;gBAAE,MAAM;YACpC,OAAO,EAAE,CAAC;YACV,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC;YAC5B,IAAI,KAAK,KAAK,IAAI;gBAAE,OAAO,IAAI,CAAC;YAChC,IAAI,GAAG,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC;YACvE,IAAI,IAAI,KAAK,IAAI;gBAAE,OAAO,IAAI,CAAC;QACjC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,SAAS,SAAS;QAChB,IAAI,IAAI,GAAG,SAAS,EAAE,CAAC;QACvB,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAC/B,OAAO,IAAI,EAAE,CAAC;YACZ,MAAM,EAAE,CAAC;YACT,MAAM,EAAE,GAAG,IAAI,EAAE,CAAC;YAClB,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG;gBAAE,MAAM;YACpC,OAAO,EAAE,CAAC;YACV,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;YAC1B,IAAI,KAAK,KAAK,IAAI;gBAAE,OAAO,IAAI,CAAC;YAChC,IAAI,GAAG,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC;QAClD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAClD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,EAAE,CAAC;IACT,OAAO,GAAG,KAAK,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;AAC9C,CAAC;AAED,SAAS,wBAAwB,CAAC,IAAY,EAAE,OAAgB;IAC9D,IAAI,SAAS,GAAG,IAAI,CAAC;IACrB,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,OAAO,EAAE,CAAC;QAClC,IAAI,GAAG,CAAC,IAAI,KAAK,KAAK,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC/C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,MAAM,IAAI,KAAK,EAAE,GAAG,CAAC,CAAC;YAC/C,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IACD,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;IACzC,IAAI,MAAM,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;IACzE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,yBAAyB,CAAC,IAAY;IAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAClD,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,qBAAqB,CAC5B,KAAiC,EACjC,KAAwB,EACxB,oBAA8C,EAC9C,OAAgB;IAEhB,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;QACzB,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACrD,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,MAAM,gBAAgB,GAAG,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBAC3E,IAAI,gBAAgB,EAAE,CAAC;oBACrB,MAAM,SAAS,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;oBACtC,IAAI,QAAQ,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;oBACnC,QAAQ,GAAG,wBAAwB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;oBACvD,MAAM,cAAc,GAAG,oBAAoB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;oBAC3D,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;wBACjC,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;wBAC1E,IAAI,CAAC,SAAS;4BAAE,OAAO,KAAK,CAAC;oBAC/B,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,KAAiC,EACjC,KAAwB,EACxB,WAAwB,EACxB,OAAgB,EAChB,GAAqB,EACrB,aAA2B,EAC3B,iBAA+B;IAE/B,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,IAAI,GAAG,EAAE,CAAC;QACR,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YAC3B,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO;gBAAE,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;QACzB,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACrD,MAAM,qBAAqB,GAAG,iBAAiB,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC;QAEzE,uFAAuF;QACvF,yFAAyF;QACzF,6FAA6F;QAC7F,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM;YAC/B,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,IAAI,CAAC,MAAM,CAAC;YACxD,CAAC,CAAC,WAAW,CAAC;QAEhB,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;YACjC,IAAI,eAAe,GAAG,IAAI,CAAC;YAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;YAElC,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,IAAI,GAAG,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBACnD,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC;oBAC7B,MAAM,UAAU,GAAG,UAAU,CAAC,CAAC,CAAC,GAAG,UAAU,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;oBAErE,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,qBAAqB,EAAE,CAAC;wBAAC,eAAe,GAAG,KAAK,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBAC7F,IAAI,aAAa,EAAE,GAAG,CAAC,UAAU,CAAC,IAAI,aAAa,EAAE,GAAG,CAAC,OAAO,CAAC;wBAAE,SAAS;oBAC5E,IAAI,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;wBAAC,eAAe,GAAG,KAAK,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBAEnG,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;oBACpE,IAAI,WAAW,IAAI,WAAW,CAAC,IAAI,KAAK,SAAS;wBAAE,SAAS;oBAE5D,eAAe,GAAG,KAAK,CAAC;gBAC1B,CAAC;qBAAM,CAAC;oBACN,IAAI,GAAG,CAAC,OAAO,IAAI,IAAI;wBAAE,SAAS;oBAClC,IAAI,GAAG,CAAC,UAAU,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,yBAAyB,CAAC,GAAG,CAAC,UAAU,CAAC;wBAAE,SAAS;oBAC3F,eAAe,GAAG,KAAK,CAAC;gBAC1B,CAAC;YACH,CAAC;YAED,IAAI,eAAe,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,KAAK,CAAC;QACjE,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,KAAiC,EACjC,UAA2C,EAC3C,KAAwB;IAExB,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAEzD,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAA6B,CAAC;IAC9D,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACtD,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACnB,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;QACzB,MAAM,cAAc,GAAG,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvD,IAAI,CAAC,cAAc,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEhE,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;YACjC,IAAI,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAoC,CAAC,EAAE,CAAC;gBACtE,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBACnD,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;oBAC7B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;wBACjC,MAAM,IAAI,GAAG,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC;wBAClC,MAAM,cAAc,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;wBACjE,IAAI,cAAc,EAAE,CAAC;4BACnB,MAAM,aAAa,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;4BACxC,MAAM,YAAY,GAAI,cAAc,CAAC,CAAC,CAAC,CAAC;4BACxC,IAAI,YAAY,EAAE,CAAC;gCACjB,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,YAAY,IAAI,aAAa,GAAG,CAAC;oCAAE,OAAO,KAAK,CAAC;4BACvE,CAAC;iCAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,aAAa,GAAG,CAAC,EAAE,CAAC;gCAC9C,OAAO,KAAK,CAAC;4BACf,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC"}
|
|
@@ -18034,6 +18034,27 @@ function buildJavaScriptTaintedVars(sourceCode, language) {
|
|
|
18034
18034
|
}
|
|
18035
18035
|
|
|
18036
18036
|
// src/analysis/passes/sink-filter-pass.ts
|
|
18037
|
+
var JS_XSS_SANITIZERS = [
|
|
18038
|
+
/\bDOMPurify\.sanitize\s*\(/,
|
|
18039
|
+
/\bsanitizeHtml\s*\(/,
|
|
18040
|
+
/\bsanitize\s*\(/,
|
|
18041
|
+
/\bescapeHtml\s*\(/,
|
|
18042
|
+
/\bescapeHTML\s*\(/,
|
|
18043
|
+
/\bhtmlEscape\s*\(/,
|
|
18044
|
+
/\bxss\s*\(/,
|
|
18045
|
+
// xss library
|
|
18046
|
+
/\bxssFilters\./,
|
|
18047
|
+
// xss-filters library
|
|
18048
|
+
/\bvalidator\.escape\s*\(/,
|
|
18049
|
+
/\b(?:he|entities)\.encode\s*\(/,
|
|
18050
|
+
/\bencodeURIComponent\s*\(/,
|
|
18051
|
+
/\bencodeURI\s*\(/,
|
|
18052
|
+
/\bcreateSafeHTML\s*\(/,
|
|
18053
|
+
/\btrustAsHtml\s*\(/,
|
|
18054
|
+
// Angular
|
|
18055
|
+
/\bbypassSecurityTrust/
|
|
18056
|
+
// Angular
|
|
18057
|
+
];
|
|
18037
18058
|
var SinkFilterPass = class {
|
|
18038
18059
|
name = "sink-filter";
|
|
18039
18060
|
category = "security";
|
|
@@ -18080,16 +18101,36 @@ var SinkFilterPass = class {
|
|
|
18080
18101
|
}
|
|
18081
18102
|
if (["javascript", "typescript"].includes(language)) {
|
|
18082
18103
|
const { jsTaintedVars } = langSources;
|
|
18083
|
-
|
|
18084
|
-
|
|
18085
|
-
|
|
18086
|
-
|
|
18087
|
-
|
|
18104
|
+
const sourceLines = ctx.code.split("\n");
|
|
18105
|
+
filtered = filtered.filter((sink) => {
|
|
18106
|
+
if (sink.type !== "xss") return true;
|
|
18107
|
+
const sinkLineText = sourceLines[sink.line - 1] ?? "";
|
|
18108
|
+
if (JS_XSS_SANITIZERS.some((p) => p.test(sinkLineText))) return false;
|
|
18109
|
+
const assignmentMatch = sinkLineText.match(/\.(?:innerHTML|outerHTML)\s*=\s*(.+)/);
|
|
18110
|
+
if (assignmentMatch) {
|
|
18111
|
+
const rhs = assignmentMatch[1].trim().replace(/;$/, "").trim();
|
|
18112
|
+
if (/^"[^"]*"$/.test(rhs)) return false;
|
|
18113
|
+
if (/^'[^']*'$/.test(rhs)) return false;
|
|
18114
|
+
if (/^`[^`]*`$/.test(rhs) && !rhs.includes("${")) return false;
|
|
18115
|
+
if (rhs === '""' || rhs === "''" || rhs === "``") return false;
|
|
18116
|
+
}
|
|
18117
|
+
if (jsTaintedVars.size > 0) {
|
|
18088
18118
|
if ([...jsTaintedVars.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(sinkLineText))) return true;
|
|
18089
18119
|
if (JS_TAINTED_PATTERNS.some((p) => p.pattern.test(sinkLineText))) return true;
|
|
18090
18120
|
return false;
|
|
18091
|
-
}
|
|
18092
|
-
|
|
18121
|
+
}
|
|
18122
|
+
if (JS_TAINTED_PATTERNS.some((p) => p.pattern.test(sinkLineText))) return true;
|
|
18123
|
+
if (assignmentMatch) {
|
|
18124
|
+
const rhsClean = assignmentMatch[1].trim().replace(/;$/, "").trim();
|
|
18125
|
+
const identMatch = rhsClean.match(/^(\w+)$/);
|
|
18126
|
+
if (identMatch) {
|
|
18127
|
+
const varName = identMatch[1];
|
|
18128
|
+
const symbolInfo = constProp.symbols.get(varName);
|
|
18129
|
+
if (symbolInfo && symbolInfo.type === "string") return false;
|
|
18130
|
+
}
|
|
18131
|
+
}
|
|
18132
|
+
return true;
|
|
18133
|
+
});
|
|
18093
18134
|
}
|
|
18094
18135
|
return { sources, sinks: filtered, sanitizers };
|
|
18095
18136
|
}
|
|
@@ -18870,11 +18911,15 @@ var MEDIUM_CONFIDENCE_DB_METHODS = /* @__PURE__ */ new Set([
|
|
|
18870
18911
|
"load",
|
|
18871
18912
|
"lookup"
|
|
18872
18913
|
]);
|
|
18873
|
-
var
|
|
18914
|
+
var DB_OR_HTTP_RECEIVER_PREFIX = /^(db|conn|connection|pool|client|repo|repository|orm|em|entityManager|sequelize|mongoose|prisma|axios|http|https|api|svc|service|dao|store|cache|gql|graphql|mongo|redis|sql|pg|mysql|sqlite|dynamo|cosmos|elastic|es|solr|neo4j|cassandra|couchbase|firestore|supabase|drizzle|knex|typeorm|mikro)/i;
|
|
18915
|
+
var DB_OR_HTTP_RECEIVER_SUFFIX = /(?:Repository|Repo|Dao|DataSource|DbContext|Client|Service|Store|Cache|Gateway|Adapter|Provider|Manager|Handler|Proxy|Facade|Connection|Pool|Session|Template|Mapper|Access|Query|Command|Storage|Bucket|Table|Collection|Index)$/;
|
|
18916
|
+
function isDbOrHttpReceiver(receiver) {
|
|
18917
|
+
return DB_OR_HTTP_RECEIVER_PREFIX.test(receiver) || DB_OR_HTTP_RECEIVER_SUFFIX.test(receiver);
|
|
18918
|
+
}
|
|
18874
18919
|
function isDbOrApiCall(call) {
|
|
18875
18920
|
if (HIGH_CONFIDENCE_DB_METHODS.has(call.method_name)) return true;
|
|
18876
18921
|
if (MEDIUM_CONFIDENCE_DB_METHODS.has(call.method_name)) {
|
|
18877
|
-
return call.receiver != null &&
|
|
18922
|
+
return call.receiver != null && isDbOrHttpReceiver(call.receiver);
|
|
18878
18923
|
}
|
|
18879
18924
|
return false;
|
|
18880
18925
|
}
|
|
@@ -19252,7 +19297,7 @@ function escRe(s) {
|
|
|
19252
19297
|
function hasNullGuard(codeLines, varName, fromLine, toLine) {
|
|
19253
19298
|
const esc = escRe(varName);
|
|
19254
19299
|
const pattern = new RegExp(
|
|
19255
|
-
`\\b${esc}\\b\\s*!==?\\s*(null|None|undefined)|(null|None|undefined)\\s*!==?\\s*\\b${esc}\\b|\\b${esc}\\b\\s*===?\\s*(null|None|undefined)|(null|None|undefined)\\s*===?\\s*\\b${esc}\\b|\\bis\\s+not\\s+None\\b.*\\b${esc}\\b|\\b${esc}\\b.*\\bis\\s+not\\s+None\\b|if\\s*\\(\\s*${esc}\\s*[)!&|]|if\\s+${esc}\\s*:|\\b${esc}\\b\\s*\\.\\s*isPresent\\(\\)|\\bOptional\\b`
|
|
19300
|
+
`\\b${esc}\\b\\s*!==?\\s*(null|None|undefined)|(null|None|undefined)\\s*!==?\\s*\\b${esc}\\b|\\b${esc}\\b\\s*===?\\s*(null|None|undefined)|(null|None|undefined)\\s*===?\\s*\\b${esc}\\b|\\bis\\s+not\\s+None\\b.*\\b${esc}\\b|\\b${esc}\\b.*\\bis\\s+not\\s+None\\b|if\\s*\\(\\s*${esc}\\s*[)!&|]|if\\s+${esc}\\s*:|\\b${esc}\\b\\s*\\.\\s*isPresent\\(\\)|\\bOptional\\b|\\bassert\\s+${esc}\\s*!=\\s*null\\b|\\bassert\\s+null\\s*!=\\s*${esc}\\b|\\b(?:Objects\\.)?requireNonNull\\s*\\(\\s*${esc}\\b|\\b(?:Preconditions\\.)?checkNotNull\\s*\\(\\s*${esc}\\b|\\b(?:Assert\\.)?notNull\\s*\\(\\s*${esc}\\b|\\b(?:Assertions?\\.)?assertNotNull\\s*\\(\\s*${esc}\\b`
|
|
19256
19301
|
);
|
|
19257
19302
|
for (let l = fromLine; l < toLine; l++) {
|
|
19258
19303
|
const line = codeLines[l - 1] ?? "";
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "circle-ir",
|
|
3
|
-
"version": "3.
|
|
3
|
+
"version": "3.15.0",
|
|
4
4
|
"description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"module": "dist/index.js",
|