circle-ir 3.153.0 → 3.155.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (43) hide show
  1. package/configs/sinks/code_injection.yaml +2 -1
  2. package/configs/sinks/javascript_dom_xss.yaml +4 -2
  3. package/configs/sinks/xpath.yaml +40 -0
  4. package/dist/analysis/config-loader.d.ts.map +1 -1
  5. package/dist/analysis/config-loader.js +13 -3
  6. package/dist/analysis/config-loader.js.map +1 -1
  7. package/dist/analysis/dfg-walk.d.ts +36 -0
  8. package/dist/analysis/dfg-walk.d.ts.map +1 -0
  9. package/dist/analysis/dfg-walk.js +59 -0
  10. package/dist/analysis/dfg-walk.js.map +1 -0
  11. package/dist/analysis/passes/language-sources-pass.d.ts.map +1 -1
  12. package/dist/analysis/passes/language-sources-pass.js +22 -0
  13. package/dist/analysis/passes/language-sources-pass.js.map +1 -1
  14. package/dist/analysis/passes/library-profile-sink-gate-pass.d.ts +43 -1
  15. package/dist/analysis/passes/library-profile-sink-gate-pass.d.ts.map +1 -1
  16. package/dist/analysis/passes/library-profile-sink-gate-pass.js +75 -0
  17. package/dist/analysis/passes/library-profile-sink-gate-pass.js.map +1 -1
  18. package/dist/analysis/passes/library-profile-xss-gate-pass.d.ts +104 -0
  19. package/dist/analysis/passes/library-profile-xss-gate-pass.d.ts.map +1 -0
  20. package/dist/analysis/passes/library-profile-xss-gate-pass.js +196 -0
  21. package/dist/analysis/passes/library-profile-xss-gate-pass.js.map +1 -0
  22. package/dist/analysis/passes/weak-crypto-pass.d.ts.map +1 -1
  23. package/dist/analysis/passes/weak-crypto-pass.js +6 -0
  24. package/dist/analysis/passes/weak-crypto-pass.js.map +1 -1
  25. package/dist/analysis/path-classification.d.ts +24 -0
  26. package/dist/analysis/path-classification.d.ts.map +1 -0
  27. package/dist/analysis/path-classification.js +69 -0
  28. package/dist/analysis/path-classification.js.map +1 -0
  29. package/dist/analysis/taint-propagation.d.ts +17 -1
  30. package/dist/analysis/taint-propagation.d.ts.map +1 -1
  31. package/dist/analysis/taint-propagation.js +47 -16
  32. package/dist/analysis/taint-propagation.js.map +1 -1
  33. package/dist/analyzer.d.ts.map +1 -1
  34. package/dist/analyzer.js +25 -1
  35. package/dist/analyzer.js.map +1 -1
  36. package/dist/browser/circle-ir.js +299 -15
  37. package/dist/core/circle-ir-core.cjs +103 -15
  38. package/dist/core/circle-ir-core.js +103 -15
  39. package/dist/graph/code-graph.d.ts +7 -0
  40. package/dist/graph/code-graph.d.ts.map +1 -1
  41. package/dist/graph/code-graph.js +17 -0
  42. package/dist/graph/code-graph.js.map +1 -1
  43. package/package.json +1 -1
@@ -109,7 +109,8 @@
109
109
  "arg_positions": [
110
110
  0
111
111
  ],
112
- "note": "Can load arbitrary classes with user input"
112
+ "safe_if_string_literal_at": 0,
113
+ "note": "Can load arbitrary classes with user input. Literal FQN (Class.forName(\"com.foo.Bar\")) is safe; tainted argument still fires (cognium-dev #239 C.1)."
113
114
  },
114
115
  {
115
116
  "method": "newInstance",
@@ -21,7 +21,8 @@
21
21
  "cwe": "CWE-79",
22
22
  "severity": "critical",
23
23
  "arg_positions": [0],
24
- "note": "DOM XSS - document.write with user input"
24
+ "safe_if_string_literal_at": 0,
25
+ "note": "DOM XSS - document.write with user input. Literal-only argument is safe (cognium-dev #239 C.4)."
25
26
  },
26
27
  {
27
28
  "method": "writeln",
@@ -30,7 +31,8 @@
30
31
  "cwe": "CWE-79",
31
32
  "severity": "critical",
32
33
  "arg_positions": [0],
33
- "note": "DOM XSS - document.writeln with user input"
34
+ "safe_if_string_literal_at": 0,
35
+ "note": "DOM XSS - document.writeln with user input. Literal-only argument is safe (cognium-dev #239 C.4)."
34
36
  },
35
37
  {
36
38
  "method": "insertAdjacentHTML",
@@ -111,11 +111,51 @@
111
111
  ],
112
112
  "note": "Using variables is safe"
113
113
  },
114
+ {
115
+ "method": "setXPathVariableResolver",
116
+ "class": "XPathExpression",
117
+ "removes": [
118
+ "xpath_injection"
119
+ ],
120
+ "note": "cognium-dev #238 A.2 — XPathExpression receiver variant"
121
+ },
114
122
  {
115
123
  "method": "encodeForXPath",
116
124
  "removes": [
117
125
  "xpath_injection"
118
126
  ]
127
+ },
128
+ {
129
+ "method": "encodeForXPath",
130
+ "class": "Encoder",
131
+ "removes": [
132
+ "xpath_injection"
133
+ ],
134
+ "note": "cognium-dev #238 A.2 — ESAPI.encoder().encodeForXPath()"
135
+ },
136
+ {
137
+ "method": "escapeXml",
138
+ "class": "StringEscapeUtils",
139
+ "removes": [
140
+ "xpath_injection"
141
+ ],
142
+ "note": "cognium-dev #238 A.2 — commons-text / commons-lang3"
143
+ },
144
+ {
145
+ "method": "escapeXml10",
146
+ "class": "StringEscapeUtils",
147
+ "removes": [
148
+ "xpath_injection"
149
+ ],
150
+ "note": "cognium-dev #238 A.2 — commons-text"
151
+ },
152
+ {
153
+ "method": "escapeXml11",
154
+ "class": "StringEscapeUtils",
155
+ "removes": [
156
+ "xpath_injection"
157
+ ],
158
+ "note": "cognium-dev #238 A.2 — commons-text"
119
159
  }
120
160
  ]
121
161
  }
@@ -1 +1 @@
1
- {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,kBAAkB,EAAE,CAQtB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,EACtB,qBAAqB,GAAE,MAAM,EAAO,GACnC,WAAW,CAYb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAulDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA6RhD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,EAAE,kBAAkB,EAiDtD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAO9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
1
+ {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,kBAAkB,EAAE,CAQtB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,EACtB,qBAAqB,GAAE,MAAM,EAAO,GACnC,WAAW,CAYb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA8lDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAgShD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,EAAE,kBAAkB,EAiDtD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAO9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
@@ -644,9 +644,16 @@ export const DEFAULT_SINKS = [
644
644
  { method: 'newBufferedWriter', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
645
645
  { method: 'copy', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0, 1] },
646
646
  { method: 'move', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0, 1] },
647
- { method: 'exists', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
648
- { method: 'isDirectory', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
649
- { method: 'isRegularFile', class: 'Files', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
647
+ // NOTE: `Files.exists`, `Files.isDirectory`, `Files.isRegularFile`
648
+ // were removed in 3.154.0 (#245 RC2). These NIO methods are pure
649
+ // boolean queries they read a filesystem attribute and cannot
650
+ // cause traversal escape. A CWE-22 sink must consume the path to
651
+ // open, read, write, delete, list, or link a filesystem entry;
652
+ // check-only receivers reveal at most a boolean. Empirically
653
+ // ~12 H+C FPs across the 10-repo Tier 2 cohort
654
+ // (cognium-ai#189 §4). `java.io.File` instance methods
655
+ // (`file.isDirectory()`, `file.exists()`, `file.canRead()`, …)
656
+ // are already not registered as CWE-22 sinks.
650
657
  // RandomAccessFile
651
658
  { method: 'RandomAccessFile', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
652
659
  // Framework-specific resource loading (Cocoon, Spring, etc.)
@@ -2220,6 +2227,9 @@ export const DEFAULT_SANITIZERS = [
2220
2227
  { method: 'parseDouble', class: 'Double', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
2221
2228
  { method: 'parseShort', class: 'Short', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
2222
2229
  { method: 'parseByte', class: 'Byte', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
2230
+ // cognium-dev #238 A.3 — parseBoolean and expanded coercion coverage for XSS/CRLF/log/xpath/ldap/xxe.
2231
+ // A parsed boolean/numeric cannot carry a string-injection payload for any string-based sink.
2232
+ { method: 'parseBoolean', class: 'Boolean', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection', 'xss', 'crlf', 'log_injection', 'xpath_injection', 'ldap_injection', 'xxe'] },
2223
2233
  // Java UUID parse — UUID.fromString rejects non-UUID strings
2224
2234
  { method: 'fromString', class: 'UUID', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
2225
2235
  // JavaScript numeric coercion (Number/parseInt/parseFloat already covered above; add path_traversal/code_injection)