circle-ir 3.153.0 → 3.155.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/configs/sinks/code_injection.yaml +2 -1
- package/configs/sinks/javascript_dom_xss.yaml +4 -2
- package/configs/sinks/xpath.yaml +40 -0
- package/dist/analysis/config-loader.d.ts.map +1 -1
- package/dist/analysis/config-loader.js +13 -3
- package/dist/analysis/config-loader.js.map +1 -1
- package/dist/analysis/dfg-walk.d.ts +36 -0
- package/dist/analysis/dfg-walk.d.ts.map +1 -0
- package/dist/analysis/dfg-walk.js +59 -0
- package/dist/analysis/dfg-walk.js.map +1 -0
- package/dist/analysis/passes/language-sources-pass.d.ts.map +1 -1
- package/dist/analysis/passes/language-sources-pass.js +22 -0
- package/dist/analysis/passes/language-sources-pass.js.map +1 -1
- package/dist/analysis/passes/library-profile-sink-gate-pass.d.ts +43 -1
- package/dist/analysis/passes/library-profile-sink-gate-pass.d.ts.map +1 -1
- package/dist/analysis/passes/library-profile-sink-gate-pass.js +75 -0
- package/dist/analysis/passes/library-profile-sink-gate-pass.js.map +1 -1
- package/dist/analysis/passes/library-profile-xss-gate-pass.d.ts +104 -0
- package/dist/analysis/passes/library-profile-xss-gate-pass.d.ts.map +1 -0
- package/dist/analysis/passes/library-profile-xss-gate-pass.js +196 -0
- package/dist/analysis/passes/library-profile-xss-gate-pass.js.map +1 -0
- package/dist/analysis/passes/weak-crypto-pass.d.ts.map +1 -1
- package/dist/analysis/passes/weak-crypto-pass.js +6 -0
- package/dist/analysis/passes/weak-crypto-pass.js.map +1 -1
- package/dist/analysis/path-classification.d.ts +24 -0
- package/dist/analysis/path-classification.d.ts.map +1 -0
- package/dist/analysis/path-classification.js +69 -0
- package/dist/analysis/path-classification.js.map +1 -0
- package/dist/analysis/taint-propagation.d.ts +17 -1
- package/dist/analysis/taint-propagation.d.ts.map +1 -1
- package/dist/analysis/taint-propagation.js +47 -16
- package/dist/analysis/taint-propagation.js.map +1 -1
- package/dist/analyzer.d.ts.map +1 -1
- package/dist/analyzer.js +25 -1
- package/dist/analyzer.js.map +1 -1
- package/dist/browser/circle-ir.js +299 -15
- package/dist/core/circle-ir-core.cjs +103 -15
- package/dist/core/circle-ir-core.js +103 -15
- package/dist/graph/code-graph.d.ts +7 -0
- package/dist/graph/code-graph.d.ts.map +1 -1
- package/dist/graph/code-graph.js +17 -0
- package/dist/graph/code-graph.js.map +1 -1
- package/package.json +1 -1
|
@@ -109,7 +109,8 @@
|
|
|
109
109
|
"arg_positions": [
|
|
110
110
|
0
|
|
111
111
|
],
|
|
112
|
-
"
|
|
112
|
+
"safe_if_string_literal_at": 0,
|
|
113
|
+
"note": "Can load arbitrary classes with user input. Literal FQN (Class.forName(\"com.foo.Bar\")) is safe; tainted argument still fires (cognium-dev #239 C.1)."
|
|
113
114
|
},
|
|
114
115
|
{
|
|
115
116
|
"method": "newInstance",
|
|
@@ -21,7 +21,8 @@
|
|
|
21
21
|
"cwe": "CWE-79",
|
|
22
22
|
"severity": "critical",
|
|
23
23
|
"arg_positions": [0],
|
|
24
|
-
"
|
|
24
|
+
"safe_if_string_literal_at": 0,
|
|
25
|
+
"note": "DOM XSS - document.write with user input. Literal-only argument is safe (cognium-dev #239 C.4)."
|
|
25
26
|
},
|
|
26
27
|
{
|
|
27
28
|
"method": "writeln",
|
|
@@ -30,7 +31,8 @@
|
|
|
30
31
|
"cwe": "CWE-79",
|
|
31
32
|
"severity": "critical",
|
|
32
33
|
"arg_positions": [0],
|
|
33
|
-
"
|
|
34
|
+
"safe_if_string_literal_at": 0,
|
|
35
|
+
"note": "DOM XSS - document.writeln with user input. Literal-only argument is safe (cognium-dev #239 C.4)."
|
|
34
36
|
},
|
|
35
37
|
{
|
|
36
38
|
"method": "insertAdjacentHTML",
|
package/configs/sinks/xpath.yaml
CHANGED
|
@@ -111,11 +111,51 @@
|
|
|
111
111
|
],
|
|
112
112
|
"note": "Using variables is safe"
|
|
113
113
|
},
|
|
114
|
+
{
|
|
115
|
+
"method": "setXPathVariableResolver",
|
|
116
|
+
"class": "XPathExpression",
|
|
117
|
+
"removes": [
|
|
118
|
+
"xpath_injection"
|
|
119
|
+
],
|
|
120
|
+
"note": "cognium-dev #238 A.2 — XPathExpression receiver variant"
|
|
121
|
+
},
|
|
114
122
|
{
|
|
115
123
|
"method": "encodeForXPath",
|
|
116
124
|
"removes": [
|
|
117
125
|
"xpath_injection"
|
|
118
126
|
]
|
|
127
|
+
},
|
|
128
|
+
{
|
|
129
|
+
"method": "encodeForXPath",
|
|
130
|
+
"class": "Encoder",
|
|
131
|
+
"removes": [
|
|
132
|
+
"xpath_injection"
|
|
133
|
+
],
|
|
134
|
+
"note": "cognium-dev #238 A.2 — ESAPI.encoder().encodeForXPath()"
|
|
135
|
+
},
|
|
136
|
+
{
|
|
137
|
+
"method": "escapeXml",
|
|
138
|
+
"class": "StringEscapeUtils",
|
|
139
|
+
"removes": [
|
|
140
|
+
"xpath_injection"
|
|
141
|
+
],
|
|
142
|
+
"note": "cognium-dev #238 A.2 — commons-text / commons-lang3"
|
|
143
|
+
},
|
|
144
|
+
{
|
|
145
|
+
"method": "escapeXml10",
|
|
146
|
+
"class": "StringEscapeUtils",
|
|
147
|
+
"removes": [
|
|
148
|
+
"xpath_injection"
|
|
149
|
+
],
|
|
150
|
+
"note": "cognium-dev #238 A.2 — commons-text"
|
|
151
|
+
},
|
|
152
|
+
{
|
|
153
|
+
"method": "escapeXml11",
|
|
154
|
+
"class": "StringEscapeUtils",
|
|
155
|
+
"removes": [
|
|
156
|
+
"xpath_injection"
|
|
157
|
+
],
|
|
158
|
+
"note": "cognium-dev #238 A.2 — commons-text"
|
|
119
159
|
}
|
|
120
160
|
]
|
|
121
161
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,kBAAkB,EAAE,CAQtB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,EACtB,qBAAqB,GAAE,MAAM,EAAO,GACnC,WAAW,CAYb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,
|
|
1
|
+
{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,kBAAkB,EAAE,CAQtB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,EACtB,qBAAqB,GAAE,MAAM,EAAO,GACnC,WAAW,CAYb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA8lDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAgShD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,EAAE,kBAAkB,EAiDtD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAO9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
|
|
@@ -644,9 +644,16 @@ export const DEFAULT_SINKS = [
|
|
|
644
644
|
{ method: 'newBufferedWriter', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
645
645
|
{ method: 'copy', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0, 1] },
|
|
646
646
|
{ method: 'move', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0, 1] },
|
|
647
|
-
|
|
648
|
-
|
|
649
|
-
|
|
647
|
+
// NOTE: `Files.exists`, `Files.isDirectory`, `Files.isRegularFile`
|
|
648
|
+
// were removed in 3.154.0 (#245 RC2). These NIO methods are pure
|
|
649
|
+
// boolean queries — they read a filesystem attribute and cannot
|
|
650
|
+
// cause traversal escape. A CWE-22 sink must consume the path to
|
|
651
|
+
// open, read, write, delete, list, or link a filesystem entry;
|
|
652
|
+
// check-only receivers reveal at most a boolean. Empirically
|
|
653
|
+
// ~12 H+C FPs across the 10-repo Tier 2 cohort
|
|
654
|
+
// (cognium-ai#189 §4). `java.io.File` instance methods
|
|
655
|
+
// (`file.isDirectory()`, `file.exists()`, `file.canRead()`, …)
|
|
656
|
+
// are already not registered as CWE-22 sinks.
|
|
650
657
|
// RandomAccessFile
|
|
651
658
|
{ method: 'RandomAccessFile', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
652
659
|
// Framework-specific resource loading (Cocoon, Spring, etc.)
|
|
@@ -2220,6 +2227,9 @@ export const DEFAULT_SANITIZERS = [
|
|
|
2220
2227
|
{ method: 'parseDouble', class: 'Double', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
|
|
2221
2228
|
{ method: 'parseShort', class: 'Short', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
|
|
2222
2229
|
{ method: 'parseByte', class: 'Byte', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
|
|
2230
|
+
// cognium-dev #238 A.3 — parseBoolean and expanded coercion coverage for XSS/CRLF/log/xpath/ldap/xxe.
|
|
2231
|
+
// A parsed boolean/numeric cannot carry a string-injection payload for any string-based sink.
|
|
2232
|
+
{ method: 'parseBoolean', class: 'Boolean', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection', 'xss', 'crlf', 'log_injection', 'xpath_injection', 'ldap_injection', 'xxe'] },
|
|
2223
2233
|
// Java UUID parse — UUID.fromString rejects non-UUID strings
|
|
2224
2234
|
{ method: 'fromString', class: 'UUID', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
|
|
2225
2235
|
// JavaScript numeric coercion (Number/parseInt/parseFloat already covered above; add path_traversal/code_injection)
|