circle-ir 3.154.0 → 3.156.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (46) hide show
  1. package/configs/sinks/code_injection.yaml +2 -1
  2. package/configs/sinks/javascript_dom_xss.yaml +4 -2
  3. package/configs/sinks/xpath.yaml +40 -0
  4. package/dist/analysis/config-loader.d.ts.map +1 -1
  5. package/dist/analysis/config-loader.js +3 -0
  6. package/dist/analysis/config-loader.js.map +1 -1
  7. package/dist/analysis/dfg-walk.d.ts +36 -0
  8. package/dist/analysis/dfg-walk.d.ts.map +1 -0
  9. package/dist/analysis/dfg-walk.js +59 -0
  10. package/dist/analysis/dfg-walk.js.map +1 -0
  11. package/dist/analysis/passes/language-sources-pass.d.ts.map +1 -1
  12. package/dist/analysis/passes/language-sources-pass.js +22 -0
  13. package/dist/analysis/passes/language-sources-pass.js.map +1 -1
  14. package/dist/analysis/passes/mybatis-annotation-sql-sink-pass.d.ts +49 -0
  15. package/dist/analysis/passes/mybatis-annotation-sql-sink-pass.d.ts.map +1 -0
  16. package/dist/analysis/passes/mybatis-annotation-sql-sink-pass.js +329 -0
  17. package/dist/analysis/passes/mybatis-annotation-sql-sink-pass.js.map +1 -0
  18. package/dist/analysis/passes/weak-crypto-pass.d.ts.map +1 -1
  19. package/dist/analysis/passes/weak-crypto-pass.js +6 -0
  20. package/dist/analysis/passes/weak-crypto-pass.js.map +1 -1
  21. package/dist/analysis/path-classification.d.ts +24 -0
  22. package/dist/analysis/path-classification.d.ts.map +1 -0
  23. package/dist/analysis/path-classification.js +69 -0
  24. package/dist/analysis/path-classification.js.map +1 -0
  25. package/dist/analysis/taint-matcher.d.ts.map +1 -1
  26. package/dist/analysis/taint-matcher.js +30 -0
  27. package/dist/analysis/taint-matcher.js.map +1 -1
  28. package/dist/analysis/taint-propagation.d.ts +17 -1
  29. package/dist/analysis/taint-propagation.d.ts.map +1 -1
  30. package/dist/analysis/taint-propagation.js +47 -16
  31. package/dist/analysis/taint-propagation.js.map +1 -1
  32. package/dist/analyzer.d.ts.map +1 -1
  33. package/dist/analyzer.js +8 -0
  34. package/dist/analyzer.js.map +1 -1
  35. package/dist/browser/circle-ir.js +475 -12
  36. package/dist/core/circle-ir-core.cjs +96 -12
  37. package/dist/core/circle-ir-core.js +96 -12
  38. package/dist/graph/code-graph.d.ts +7 -0
  39. package/dist/graph/code-graph.d.ts.map +1 -1
  40. package/dist/graph/code-graph.js +17 -0
  41. package/dist/graph/code-graph.js.map +1 -1
  42. package/dist/resolution/type-hierarchy.d.ts +15 -0
  43. package/dist/resolution/type-hierarchy.d.ts.map +1 -1
  44. package/dist/resolution/type-hierarchy.js +159 -0
  45. package/dist/resolution/type-hierarchy.js.map +1 -1
  46. package/package.json +1 -1
@@ -109,7 +109,8 @@
109
109
  "arg_positions": [
110
110
  0
111
111
  ],
112
- "note": "Can load arbitrary classes with user input"
112
+ "safe_if_string_literal_at": 0,
113
+ "note": "Can load arbitrary classes with user input. Literal FQN (Class.forName(\"com.foo.Bar\")) is safe; tainted argument still fires (cognium-dev #239 C.1)."
113
114
  },
114
115
  {
115
116
  "method": "newInstance",
@@ -21,7 +21,8 @@
21
21
  "cwe": "CWE-79",
22
22
  "severity": "critical",
23
23
  "arg_positions": [0],
24
- "note": "DOM XSS - document.write with user input"
24
+ "safe_if_string_literal_at": 0,
25
+ "note": "DOM XSS - document.write with user input. Literal-only argument is safe (cognium-dev #239 C.4)."
25
26
  },
26
27
  {
27
28
  "method": "writeln",
@@ -30,7 +31,8 @@
30
31
  "cwe": "CWE-79",
31
32
  "severity": "critical",
32
33
  "arg_positions": [0],
33
- "note": "DOM XSS - document.writeln with user input"
34
+ "safe_if_string_literal_at": 0,
35
+ "note": "DOM XSS - document.writeln with user input. Literal-only argument is safe (cognium-dev #239 C.4)."
34
36
  },
35
37
  {
36
38
  "method": "insertAdjacentHTML",
@@ -111,11 +111,51 @@
111
111
  ],
112
112
  "note": "Using variables is safe"
113
113
  },
114
+ {
115
+ "method": "setXPathVariableResolver",
116
+ "class": "XPathExpression",
117
+ "removes": [
118
+ "xpath_injection"
119
+ ],
120
+ "note": "cognium-dev #238 A.2 — XPathExpression receiver variant"
121
+ },
114
122
  {
115
123
  "method": "encodeForXPath",
116
124
  "removes": [
117
125
  "xpath_injection"
118
126
  ]
127
+ },
128
+ {
129
+ "method": "encodeForXPath",
130
+ "class": "Encoder",
131
+ "removes": [
132
+ "xpath_injection"
133
+ ],
134
+ "note": "cognium-dev #238 A.2 — ESAPI.encoder().encodeForXPath()"
135
+ },
136
+ {
137
+ "method": "escapeXml",
138
+ "class": "StringEscapeUtils",
139
+ "removes": [
140
+ "xpath_injection"
141
+ ],
142
+ "note": "cognium-dev #238 A.2 — commons-text / commons-lang3"
143
+ },
144
+ {
145
+ "method": "escapeXml10",
146
+ "class": "StringEscapeUtils",
147
+ "removes": [
148
+ "xpath_injection"
149
+ ],
150
+ "note": "cognium-dev #238 A.2 — commons-text"
151
+ },
152
+ {
153
+ "method": "escapeXml11",
154
+ "class": "StringEscapeUtils",
155
+ "removes": [
156
+ "xpath_injection"
157
+ ],
158
+ "note": "cognium-dev #238 A.2 — commons-text"
119
159
  }
120
160
  ]
121
161
  }
@@ -1 +1 @@
1
- {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,kBAAkB,EAAE,CAQtB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,EACtB,qBAAqB,GAAE,MAAM,EAAO,GACnC,WAAW,CAYb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA8lDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA6RhD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,EAAE,kBAAkB,EAiDtD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAO9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
1
+ {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,kBAAkB,EAAE,CAQtB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,EACtB,qBAAqB,GAAE,MAAM,EAAO,GACnC,WAAW,CAYb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA8lDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAgShD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,EAAE,kBAAkB,EAiDtD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAO9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
@@ -2227,6 +2227,9 @@ export const DEFAULT_SANITIZERS = [
2227
2227
  { method: 'parseDouble', class: 'Double', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
2228
2228
  { method: 'parseShort', class: 'Short', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
2229
2229
  { method: 'parseByte', class: 'Byte', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
2230
+ // cognium-dev #238 A.3 — parseBoolean and expanded coercion coverage for XSS/CRLF/log/xpath/ldap/xxe.
2231
+ // A parsed boolean/numeric cannot carry a string-injection payload for any string-based sink.
2232
+ { method: 'parseBoolean', class: 'Boolean', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection', 'xss', 'crlf', 'log_injection', 'xpath_injection', 'ldap_injection', 'xxe'] },
2230
2233
  // Java UUID parse — UUID.fromString rejects non-UUID strings
2231
2234
  { method: 'fromString', class: 'UUID', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
2232
2235
  // JavaScript numeric coercion (Number/parseInt/parseFloat already covered above; add path_traversal/code_injection)