circle-ir 3.152.0 → 3.154.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/configs/sink-semantics.json +102 -0
- package/configs/sinks/command.yaml +0 -10
- package/configs/sinks/deserialization.yaml +54 -0
- package/configs/sinks/path.yaml +0 -94
- package/configs/sinks/sql.yaml +24 -24
- package/dist/analysis/config-loader.d.ts.map +1 -1
- package/dist/analysis/config-loader.js +24 -8
- package/dist/analysis/config-loader.js.map +1 -1
- package/dist/analysis/passes/library-profile-sink-gate-pass.d.ts +43 -1
- package/dist/analysis/passes/library-profile-sink-gate-pass.d.ts.map +1 -1
- package/dist/analysis/passes/library-profile-sink-gate-pass.js +75 -0
- package/dist/analysis/passes/library-profile-sink-gate-pass.js.map +1 -1
- package/dist/analysis/passes/library-profile-xss-gate-pass.d.ts +104 -0
- package/dist/analysis/passes/library-profile-xss-gate-pass.d.ts.map +1 -0
- package/dist/analysis/passes/library-profile-xss-gate-pass.js +196 -0
- package/dist/analysis/passes/library-profile-xss-gate-pass.js.map +1 -0
- package/dist/analysis/require-entry-path.d.ts +91 -0
- package/dist/analysis/require-entry-path.d.ts.map +1 -0
- package/dist/analysis/require-entry-path.js +387 -0
- package/dist/analysis/require-entry-path.js.map +1 -0
- package/dist/analysis/taint-matcher.d.ts.map +1 -1
- package/dist/analysis/taint-matcher.js +55 -1
- package/dist/analysis/taint-matcher.js.map +1 -1
- package/dist/analyzer.d.ts.map +1 -1
- package/dist/analyzer.js +37 -1
- package/dist/analyzer.js.map +1 -1
- package/dist/browser/circle-ir.js +437 -257
- package/dist/core/circle-ir-core.cjs +38 -9
- package/dist/core/circle-ir-core.js +38 -9
- package/dist/types/config.d.ts +11 -1
- package/dist/types/config.d.ts.map +1 -1
- package/dist/types/index.d.ts +25 -0
- package/dist/types/index.d.ts.map +1 -1
- package/package.json +1 -1
|
@@ -48,6 +48,108 @@
|
|
|
48
48
|
"real_class": "jdk_internal",
|
|
49
49
|
"overrides": ["code_injection"],
|
|
50
50
|
"note": "java.lang.invoke.MethodHandle — JDK-internal, not attacker-controllable"
|
|
51
|
+
},
|
|
52
|
+
{
|
|
53
|
+
"signature": "MongoTemplate#execute",
|
|
54
|
+
"real_class": "nosql_protocol",
|
|
55
|
+
"overrides": ["sql_injection", "command_injection"],
|
|
56
|
+
"note": "Spring Data MongoDB template — BSON serialization, not SQL / shell. Added 3.153.0 (#233)."
|
|
57
|
+
},
|
|
58
|
+
{
|
|
59
|
+
"signature": "MongoOperations#execute",
|
|
60
|
+
"real_class": "nosql_protocol",
|
|
61
|
+
"overrides": ["sql_injection", "command_injection"],
|
|
62
|
+
"note": "Spring Data MongoDB interface — same shape as MongoTemplate"
|
|
63
|
+
},
|
|
64
|
+
{
|
|
65
|
+
"signature": "MongoCollection#execute",
|
|
66
|
+
"real_class": "nosql_protocol",
|
|
67
|
+
"overrides": ["sql_injection", "command_injection"],
|
|
68
|
+
"note": "Mongo driver collection — BSON operation dispatch"
|
|
69
|
+
},
|
|
70
|
+
{
|
|
71
|
+
"signature": "CqlSession#execute",
|
|
72
|
+
"real_class": "nosql_protocol",
|
|
73
|
+
"overrides": ["command_injection"],
|
|
74
|
+
"note": "DataStax Cassandra driver — CQL statement dispatch (SQL-injection remains valid; command_injection alias is dropped)"
|
|
75
|
+
},
|
|
76
|
+
{
|
|
77
|
+
"signature": "RedisTemplate#execute",
|
|
78
|
+
"real_class": "nosql_protocol",
|
|
79
|
+
"overrides": ["sql_injection", "command_injection"],
|
|
80
|
+
"note": "Spring Data Redis template — RESP protocol dispatch, not SQL / shell"
|
|
81
|
+
},
|
|
82
|
+
{
|
|
83
|
+
"signature": "StringRedisTemplate#execute",
|
|
84
|
+
"real_class": "nosql_protocol",
|
|
85
|
+
"overrides": ["sql_injection", "command_injection"],
|
|
86
|
+
"note": "Spring Data Redis string-specialised template — same shape as RedisTemplate"
|
|
87
|
+
},
|
|
88
|
+
{
|
|
89
|
+
"signature": "RedissonClient#execute",
|
|
90
|
+
"real_class": "nosql_protocol",
|
|
91
|
+
"overrides": ["sql_injection", "command_injection"],
|
|
92
|
+
"note": "Redisson Redis client — RESP dispatch"
|
|
93
|
+
},
|
|
94
|
+
{
|
|
95
|
+
"signature": "LettuceConnection#execute",
|
|
96
|
+
"real_class": "nosql_protocol",
|
|
97
|
+
"overrides": ["sql_injection", "command_injection"],
|
|
98
|
+
"note": "Lettuce Redis driver connection — RESP dispatch"
|
|
99
|
+
},
|
|
100
|
+
{
|
|
101
|
+
"signature": "RedisConnection#execute",
|
|
102
|
+
"real_class": "nosql_protocol",
|
|
103
|
+
"overrides": ["sql_injection", "command_injection"],
|
|
104
|
+
"note": "Spring Data Redis connection interface — RESP dispatch"
|
|
105
|
+
},
|
|
106
|
+
{
|
|
107
|
+
"signature": "ExecutorService#execute",
|
|
108
|
+
"real_class": "framework_callback",
|
|
109
|
+
"overrides": ["command_injection", "sql_injection"],
|
|
110
|
+
"note": "java.util.concurrent.ExecutorService — Runnable dispatch, not OS exec. JDK concurrency executor callback dispatch. Added 3.153.0 (cognium-dev #233)."
|
|
111
|
+
},
|
|
112
|
+
{
|
|
113
|
+
"signature": "ThreadPoolExecutor#execute",
|
|
114
|
+
"real_class": "framework_callback",
|
|
115
|
+
"overrides": ["command_injection", "sql_injection"],
|
|
116
|
+
"note": "JDK ThreadPoolExecutor — Runnable dispatch"
|
|
117
|
+
},
|
|
118
|
+
{
|
|
119
|
+
"signature": "ForkJoinPool#execute",
|
|
120
|
+
"real_class": "framework_callback",
|
|
121
|
+
"overrides": ["command_injection", "sql_injection"],
|
|
122
|
+
"note": "JDK ForkJoinPool — Runnable/ForkJoinTask dispatch"
|
|
123
|
+
},
|
|
124
|
+
{
|
|
125
|
+
"signature": "ScheduledExecutorService#execute",
|
|
126
|
+
"real_class": "framework_callback",
|
|
127
|
+
"overrides": ["command_injection", "sql_injection"],
|
|
128
|
+
"note": "JDK ScheduledExecutorService — Runnable dispatch"
|
|
129
|
+
},
|
|
130
|
+
{
|
|
131
|
+
"signature": "TaskExecutor#execute",
|
|
132
|
+
"real_class": "framework_callback",
|
|
133
|
+
"overrides": ["command_injection", "sql_injection"],
|
|
134
|
+
"note": "Spring TaskExecutor — Runnable dispatch, not OS exec"
|
|
135
|
+
},
|
|
136
|
+
{
|
|
137
|
+
"signature": "AsyncTaskExecutor#execute",
|
|
138
|
+
"real_class": "framework_callback",
|
|
139
|
+
"overrides": ["command_injection", "sql_injection"],
|
|
140
|
+
"note": "Spring AsyncTaskExecutor — Runnable dispatch"
|
|
141
|
+
},
|
|
142
|
+
{
|
|
143
|
+
"signature": "TransactionTemplate#execute",
|
|
144
|
+
"real_class": "framework_callback",
|
|
145
|
+
"overrides": ["sql_injection", "command_injection"],
|
|
146
|
+
"note": "Spring TransactionTemplate — TransactionCallback dispatch, not raw SQL / shell"
|
|
147
|
+
},
|
|
148
|
+
{
|
|
149
|
+
"signature": "Handler#post",
|
|
150
|
+
"real_class": "framework_callback",
|
|
151
|
+
"overrides": ["command_injection"],
|
|
152
|
+
"note": "Android / Netty Handler — Runnable dispatch, not OS exec"
|
|
51
153
|
}
|
|
52
154
|
]
|
|
53
155
|
}
|
|
@@ -182,16 +182,6 @@
|
|
|
182
182
|
"cwe": "CWE-078",
|
|
183
183
|
"severity": "high"
|
|
184
184
|
},
|
|
185
|
-
{
|
|
186
|
-
"method": "execute",
|
|
187
|
-
"class": "Executor",
|
|
188
|
-
"type": "command_injection",
|
|
189
|
-
"cwe": "CWE-078",
|
|
190
|
-
"severity": "critical",
|
|
191
|
-
"arg_positions": [
|
|
192
|
-
0
|
|
193
|
-
]
|
|
194
|
-
},
|
|
195
185
|
{
|
|
196
186
|
"method": "execute",
|
|
197
187
|
"class": "DefaultExecutor",
|
|
@@ -100,6 +100,60 @@
|
|
|
100
100
|
"insecure_deserialization"
|
|
101
101
|
],
|
|
102
102
|
"note": "JSON deserialization (safe if default typing disabled)"
|
|
103
|
+
},
|
|
104
|
+
{
|
|
105
|
+
"method": "setupDefaultSecurity",
|
|
106
|
+
"class": "XStream",
|
|
107
|
+
"removes": [
|
|
108
|
+
"insecure_deserialization",
|
|
109
|
+
"deserialization"
|
|
110
|
+
],
|
|
111
|
+
"note": "XStream 1.4.18+ hardened default security. Added 3.153.0 (#233)."
|
|
112
|
+
},
|
|
113
|
+
{
|
|
114
|
+
"method": "allowTypes",
|
|
115
|
+
"class": "XStream",
|
|
116
|
+
"removes": [
|
|
117
|
+
"insecure_deserialization",
|
|
118
|
+
"deserialization"
|
|
119
|
+
],
|
|
120
|
+
"note": "XStream type whitelist — restricts deserialized types. Added 3.153.0 (#233)."
|
|
121
|
+
},
|
|
122
|
+
{
|
|
123
|
+
"method": "allowTypeHierarchy",
|
|
124
|
+
"class": "XStream",
|
|
125
|
+
"removes": [
|
|
126
|
+
"insecure_deserialization",
|
|
127
|
+
"deserialization"
|
|
128
|
+
],
|
|
129
|
+
"note": "XStream type-hierarchy whitelist. Added 3.153.0 (#233)."
|
|
130
|
+
},
|
|
131
|
+
{
|
|
132
|
+
"method": "allowTypesByRegExp",
|
|
133
|
+
"class": "XStream",
|
|
134
|
+
"removes": [
|
|
135
|
+
"insecure_deserialization",
|
|
136
|
+
"deserialization"
|
|
137
|
+
],
|
|
138
|
+
"note": "XStream regex type whitelist. Added 3.153.0 (#233)."
|
|
139
|
+
},
|
|
140
|
+
{
|
|
141
|
+
"method": "allowTypesByWildcard",
|
|
142
|
+
"class": "XStream",
|
|
143
|
+
"removes": [
|
|
144
|
+
"insecure_deserialization",
|
|
145
|
+
"deserialization"
|
|
146
|
+
],
|
|
147
|
+
"note": "XStream wildcard type whitelist. Added 3.153.0 (#233)."
|
|
148
|
+
},
|
|
149
|
+
{
|
|
150
|
+
"method": "denyTypes",
|
|
151
|
+
"class": "XStream",
|
|
152
|
+
"removes": [
|
|
153
|
+
"insecure_deserialization",
|
|
154
|
+
"deserialization"
|
|
155
|
+
],
|
|
156
|
+
"note": "XStream deny-list. Added 3.153.0 (#233)."
|
|
103
157
|
}
|
|
104
158
|
]
|
|
105
159
|
}
|
package/configs/sinks/path.yaml
CHANGED
|
@@ -275,69 +275,6 @@
|
|
|
275
275
|
0
|
|
276
276
|
]
|
|
277
277
|
},
|
|
278
|
-
{
|
|
279
|
-
"method": "getResource",
|
|
280
|
-
"class": "ClassLoader",
|
|
281
|
-
"type": "path_traversal",
|
|
282
|
-
"cwe": "CWE-022",
|
|
283
|
-
"severity": "high",
|
|
284
|
-
"arg_positions": [
|
|
285
|
-
0
|
|
286
|
-
],
|
|
287
|
-
"note": "ClassLoader resource path traversal"
|
|
288
|
-
},
|
|
289
|
-
{
|
|
290
|
-
"method": "getResourceAsStream",
|
|
291
|
-
"class": "ClassLoader",
|
|
292
|
-
"type": "path_traversal",
|
|
293
|
-
"cwe": "CWE-022",
|
|
294
|
-
"severity": "high",
|
|
295
|
-
"arg_positions": [
|
|
296
|
-
0
|
|
297
|
-
]
|
|
298
|
-
},
|
|
299
|
-
{
|
|
300
|
-
"method": "getResources",
|
|
301
|
-
"class": "ClassLoader",
|
|
302
|
-
"type": "path_traversal",
|
|
303
|
-
"cwe": "CWE-022",
|
|
304
|
-
"severity": "high",
|
|
305
|
-
"arg_positions": [
|
|
306
|
-
0
|
|
307
|
-
]
|
|
308
|
-
},
|
|
309
|
-
{
|
|
310
|
-
"method": "getResource",
|
|
311
|
-
"class": "Class",
|
|
312
|
-
"type": "path_traversal",
|
|
313
|
-
"cwe": "CWE-022",
|
|
314
|
-
"severity": "high",
|
|
315
|
-
"arg_positions": [
|
|
316
|
-
0
|
|
317
|
-
],
|
|
318
|
-
"note": "Class.getResource() path traversal"
|
|
319
|
-
},
|
|
320
|
-
{
|
|
321
|
-
"method": "getResourceAsStream",
|
|
322
|
-
"class": "Class",
|
|
323
|
-
"type": "path_traversal",
|
|
324
|
-
"cwe": "CWE-022",
|
|
325
|
-
"severity": "high",
|
|
326
|
-
"arg_positions": [
|
|
327
|
-
0
|
|
328
|
-
]
|
|
329
|
-
},
|
|
330
|
-
{
|
|
331
|
-
"method": "getResource",
|
|
332
|
-
"class": "ResourceLoader",
|
|
333
|
-
"type": "path_traversal",
|
|
334
|
-
"cwe": "CWE-022",
|
|
335
|
-
"severity": "high",
|
|
336
|
-
"arg_positions": [
|
|
337
|
-
0
|
|
338
|
-
],
|
|
339
|
-
"note": "Spring ResourceLoader"
|
|
340
|
-
},
|
|
341
278
|
{
|
|
342
279
|
"method": "PathResource",
|
|
343
280
|
"type": "path_traversal",
|
|
@@ -398,26 +335,6 @@
|
|
|
398
335
|
0
|
|
399
336
|
]
|
|
400
337
|
},
|
|
401
|
-
{
|
|
402
|
-
"method": "getResourceAsStream",
|
|
403
|
-
"type": "path_traversal",
|
|
404
|
-
"cwe": "CWE-22",
|
|
405
|
-
"severity": "high",
|
|
406
|
-
"arg_positions": [
|
|
407
|
-
0
|
|
408
|
-
],
|
|
409
|
-
"note": "Auto-mined from CVE analysis"
|
|
410
|
-
},
|
|
411
|
-
{
|
|
412
|
-
"method": "getResource",
|
|
413
|
-
"type": "path_traversal",
|
|
414
|
-
"cwe": "CWE-22",
|
|
415
|
-
"severity": "high",
|
|
416
|
-
"arg_positions": [
|
|
417
|
-
0
|
|
418
|
-
],
|
|
419
|
-
"note": "Auto-mined from CVE analysis"
|
|
420
|
-
},
|
|
421
338
|
{
|
|
422
339
|
"method": "File",
|
|
423
340
|
"class": "constructor",
|
|
@@ -430,17 +347,6 @@
|
|
|
430
347
|
],
|
|
431
348
|
"note": "Auto-mined from CVE analysis. arg 1 covers File(parent, child) overload (CVE-2018-8041)"
|
|
432
349
|
},
|
|
433
|
-
{
|
|
434
|
-
"method": "openStream",
|
|
435
|
-
"class": "URL",
|
|
436
|
-
"type": "path_traversal",
|
|
437
|
-
"cwe": "CWE-22",
|
|
438
|
-
"severity": "high",
|
|
439
|
-
"arg_positions": [
|
|
440
|
-
0
|
|
441
|
-
],
|
|
442
|
-
"note": "Auto-mined from CVE analysis"
|
|
443
|
-
},
|
|
444
350
|
{
|
|
445
351
|
"method": "resolve",
|
|
446
352
|
"type": "path_traversal",
|
package/configs/sinks/sql.yaml
CHANGED
|
@@ -67,9 +67,9 @@
|
|
|
67
67
|
"type": "sql_injection",
|
|
68
68
|
"cwe": "CWE-89",
|
|
69
69
|
"severity": "critical",
|
|
70
|
-
"arg_positions": [
|
|
71
|
-
|
|
72
|
-
|
|
70
|
+
"arg_positions": [0],
|
|
71
|
+
"safe_if_string_literal_at": 0,
|
|
72
|
+
"note": "Parameterised SQL literal with ? placeholders is bound by the driver; only non-literal SQL (variable / concat / format) taints. Added 3.153.0 (#233)."
|
|
73
73
|
},
|
|
74
74
|
{
|
|
75
75
|
"method": "queryForObject",
|
|
@@ -77,9 +77,9 @@
|
|
|
77
77
|
"type": "sql_injection",
|
|
78
78
|
"cwe": "CWE-89",
|
|
79
79
|
"severity": "critical",
|
|
80
|
-
"arg_positions": [
|
|
81
|
-
|
|
82
|
-
|
|
80
|
+
"arg_positions": [0],
|
|
81
|
+
"safe_if_string_literal_at": 0,
|
|
82
|
+
"note": "Parameterised SQL literal — see JdbcTemplate.query. Added 3.153.0 (#233)."
|
|
83
83
|
},
|
|
84
84
|
{
|
|
85
85
|
"method": "queryForList",
|
|
@@ -87,9 +87,9 @@
|
|
|
87
87
|
"type": "sql_injection",
|
|
88
88
|
"cwe": "CWE-89",
|
|
89
89
|
"severity": "critical",
|
|
90
|
-
"arg_positions": [
|
|
91
|
-
|
|
92
|
-
|
|
90
|
+
"arg_positions": [0],
|
|
91
|
+
"safe_if_string_literal_at": 0,
|
|
92
|
+
"note": "Parameterised SQL literal — see JdbcTemplate.query. Added 3.153.0 (#233)."
|
|
93
93
|
},
|
|
94
94
|
{
|
|
95
95
|
"method": "update",
|
|
@@ -97,9 +97,9 @@
|
|
|
97
97
|
"type": "sql_injection",
|
|
98
98
|
"cwe": "CWE-89",
|
|
99
99
|
"severity": "critical",
|
|
100
|
-
"arg_positions": [
|
|
101
|
-
|
|
102
|
-
|
|
100
|
+
"arg_positions": [0],
|
|
101
|
+
"safe_if_string_literal_at": 0,
|
|
102
|
+
"note": "Parameterised SQL literal — see JdbcTemplate.query. Added 3.153.0 (#233)."
|
|
103
103
|
},
|
|
104
104
|
{
|
|
105
105
|
"method": "execute",
|
|
@@ -107,9 +107,9 @@
|
|
|
107
107
|
"type": "sql_injection",
|
|
108
108
|
"cwe": "CWE-89",
|
|
109
109
|
"severity": "critical",
|
|
110
|
-
"arg_positions": [
|
|
111
|
-
|
|
112
|
-
|
|
110
|
+
"arg_positions": [0],
|
|
111
|
+
"safe_if_string_literal_at": 0,
|
|
112
|
+
"note": "Parameterised SQL literal — see JdbcTemplate.query. Added 3.153.0 (#233)."
|
|
113
113
|
},
|
|
114
114
|
{
|
|
115
115
|
"method": "queryForRowSet",
|
|
@@ -117,9 +117,9 @@
|
|
|
117
117
|
"type": "sql_injection",
|
|
118
118
|
"cwe": "CWE-89",
|
|
119
119
|
"severity": "critical",
|
|
120
|
-
"arg_positions": [
|
|
121
|
-
|
|
122
|
-
|
|
120
|
+
"arg_positions": [0],
|
|
121
|
+
"safe_if_string_literal_at": 0,
|
|
122
|
+
"note": "Parameterised SQL literal — see JdbcTemplate.query. Added 3.153.0 (#233)."
|
|
123
123
|
},
|
|
124
124
|
{
|
|
125
125
|
"method": "queryForMap",
|
|
@@ -127,9 +127,9 @@
|
|
|
127
127
|
"type": "sql_injection",
|
|
128
128
|
"cwe": "CWE-89",
|
|
129
129
|
"severity": "critical",
|
|
130
|
-
"arg_positions": [
|
|
131
|
-
|
|
132
|
-
|
|
130
|
+
"arg_positions": [0],
|
|
131
|
+
"safe_if_string_literal_at": 0,
|
|
132
|
+
"note": "Parameterised SQL literal — see JdbcTemplate.query. Added 3.153.0 (#233)."
|
|
133
133
|
},
|
|
134
134
|
{
|
|
135
135
|
"method": "batchUpdate",
|
|
@@ -137,9 +137,9 @@
|
|
|
137
137
|
"type": "sql_injection",
|
|
138
138
|
"cwe": "CWE-89",
|
|
139
139
|
"severity": "critical",
|
|
140
|
-
"arg_positions": [
|
|
141
|
-
|
|
142
|
-
|
|
140
|
+
"arg_positions": [0],
|
|
141
|
+
"safe_if_string_literal_at": 0,
|
|
142
|
+
"note": "Parameterised SQL literal — see JdbcTemplate.query. Added 3.153.0 (#233)."
|
|
143
143
|
},
|
|
144
144
|
{
|
|
145
145
|
"method": "insert",
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,kBAAkB,EAAE,CAQtB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,EACtB,qBAAqB,GAAE,MAAM,EAAO,GACnC,WAAW,CAYb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,
|
|
1
|
+
{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,kBAAkB,EAAE,CAQtB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,EACtB,qBAAqB,GAAE,MAAM,EAAO,GACnC,WAAW,CAYb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA8lDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA6RhD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,EAAE,kBAAkB,EAiDtD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAO9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
|
|
@@ -626,11 +626,11 @@ export const DEFAULT_SINKS = [
|
|
|
626
626
|
{ method: 'FileOutputStream', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
627
627
|
{ method: 'FileReader', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
628
628
|
{ method: 'FileWriter', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
629
|
-
// ClassLoader/Class
|
|
630
|
-
|
|
631
|
-
|
|
632
|
-
|
|
633
|
-
|
|
629
|
+
// NOTE: ClassLoader.getResource / Class.getResource were removed in
|
|
630
|
+
// 3.153.0 (#233). Classpath resource resolution cannot escape the
|
|
631
|
+
// classpath root via `../` (JAR entries are opaque). If reintroduced,
|
|
632
|
+
// the correct CWE is CWE-829 (untrusted-classpath-resource), not
|
|
633
|
+
// CWE-22 path traversal.
|
|
634
634
|
// Paths.get can be used for path traversal
|
|
635
635
|
{ method: 'get', class: 'Paths', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
636
636
|
{ method: 'of', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
@@ -644,9 +644,16 @@ export const DEFAULT_SINKS = [
|
|
|
644
644
|
{ method: 'newBufferedWriter', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
645
645
|
{ method: 'copy', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0, 1] },
|
|
646
646
|
{ method: 'move', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0, 1] },
|
|
647
|
-
|
|
648
|
-
|
|
649
|
-
|
|
647
|
+
// NOTE: `Files.exists`, `Files.isDirectory`, `Files.isRegularFile`
|
|
648
|
+
// were removed in 3.154.0 (#245 RC2). These NIO methods are pure
|
|
649
|
+
// boolean queries — they read a filesystem attribute and cannot
|
|
650
|
+
// cause traversal escape. A CWE-22 sink must consume the path to
|
|
651
|
+
// open, read, write, delete, list, or link a filesystem entry;
|
|
652
|
+
// check-only receivers reveal at most a boolean. Empirically
|
|
653
|
+
// ~12 H+C FPs across the 10-repo Tier 2 cohort
|
|
654
|
+
// (cognium-ai#189 §4). `java.io.File` instance methods
|
|
655
|
+
// (`file.isDirectory()`, `file.exists()`, `file.canRead()`, …)
|
|
656
|
+
// are already not registered as CWE-22 sinks.
|
|
650
657
|
// RandomAccessFile
|
|
651
658
|
{ method: 'RandomAccessFile', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
652
659
|
// Framework-specific resource loading (Cocoon, Spring, etc.)
|
|
@@ -1132,6 +1139,15 @@ export const DEFAULT_SINKS = [
|
|
|
1132
1139
|
{ method: 'parseObject', class: 'JSON', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0], safe_if_class_literal_at: 1 },
|
|
1133
1140
|
{ method: 'parseObject', class: 'JSONObject', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0], safe_if_class_literal_at: 1 },
|
|
1134
1141
|
{ method: 'fromJson', class: 'Gson', type: 'deserialization', cwe: 'CWE-502', severity: 'medium', arg_positions: [0], safe_if_class_literal_at: 1 },
|
|
1142
|
+
// Jackson ObjectReader — pre-configured reader; typed 2-arg overload is safe
|
|
1143
|
+
// when arg[1] is a class literal or TypeReference<>()/TypeToken<>() (handled
|
|
1144
|
+
// by argIsClassLiteral extension). Added 3.153.0 (cognium-dev #233).
|
|
1145
|
+
{ method: 'readValue', class: 'ObjectReader', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0], safe_if_class_literal_at: 1 },
|
|
1146
|
+
// Jackson ObjectMapper.convertValue — same class-literal shape as readValue.
|
|
1147
|
+
{ method: 'convertValue', class: 'ObjectMapper', type: 'deserialization', cwe: 'CWE-502', severity: 'medium', arg_positions: [0], safe_if_class_literal_at: 1 },
|
|
1148
|
+
// Kryo.readObject(input, User.class) — typed form is safe; polymorphic form
|
|
1149
|
+
// (Kryo.readClassAndObject or non-literal type) remains a sink.
|
|
1150
|
+
{ method: 'readObject', class: 'Kryo', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0], safe_if_class_literal_at: 1 },
|
|
1135
1151
|
// XMLDecoder
|
|
1136
1152
|
{ method: 'readObject', class: 'XMLDecoder', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [] },
|
|
1137
1153
|
// Java serialization constructors
|