circle-ir 3.160.0 → 3.162.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1 +1 @@
1
- {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,kBAAkB,EAAE,CAQtB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,EACtB,qBAAqB,GAAE,MAAM,EAAO,GACnC,WAAW,CAYb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA8lDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA+ShD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,EAAE,kBAAkB,EAiDtD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAO9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
1
+ {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,kBAAkB,EAAE,CAQtB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,EACtB,qBAAqB,GAAE,MAAM,EAAO,GACnC,WAAW,CAYb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EAoc1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAioDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAwThD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,EAAE,kBAAkB,EAiDtD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAO9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
@@ -107,6 +107,15 @@ export const DEFAULT_SOURCES = [
107
107
  { method: 'getPathWithinApplication', class: 'WebUtils', type: 'http_path', severity: 'high', return_tainted: true },
108
108
  { method: 'getRequestUri', class: 'WebUtils', type: 'http_path', severity: 'high', return_tainted: true },
109
109
  { method: 'decodeRequestString', class: 'WebUtils', type: 'http_path', severity: 'high', return_tainted: true },
110
+ // cognium-dev #249 3.162.0: java.net.URLDecoder.decode reintroduces taint
111
+ // by expanding %XX sequences into arbitrary bytes. This is the
112
+ // decode-after-encode bypass pattern exercised by SecuriBench Micro
113
+ // `sanitizers/Sanitizers5.java`: encode sanitizes `//evil.com` into
114
+ // `%2F%2Fevil.com`, then decode restores the redirect payload before
115
+ // it reaches `sendRedirect`. Registering as a source ensures the
116
+ // reaching-def walk does not credit an upstream URLEncoder.encode
117
+ // sanitizer for taint that has since been re-expanded.
118
+ { method: 'decode', class: 'URLDecoder', type: 'http_path', severity: 'high', return_tainted: true },
110
119
  // Additional HTTP request methods that can be attacker-controlled
111
120
  { method: 'getProtocol', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
112
121
  { method: 'getScheme', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
@@ -2002,6 +2011,36 @@ export const DEFAULT_SINKS = [
2002
2011
  { method: 'unserialize', class: 'serialize', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
2003
2012
  { method: 'unserialize', class: 'node-serialize', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
2004
2013
  { method: 'unserialize', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
2014
+ // =========================================================================
2015
+ // cognium-dev #241 (non-Java) — real-world sink signatures
2016
+ // =========================================================================
2017
+ // Python SSRF — httpx (sync + async client + top-level module)
2018
+ { method: 'get', class: 'httpx', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
2019
+ { method: 'post', class: 'httpx', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
2020
+ { method: 'request', class: 'httpx', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [1] }, // request(method, url, ...)
2021
+ { method: 'stream', class: 'httpx', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [1] },
2022
+ { method: 'delete', class: 'httpx', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
2023
+ { method: 'put', class: 'httpx', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
2024
+ { method: 'patch', class: 'httpx', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
2025
+ { method: 'head', class: 'httpx', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
2026
+ // Python SQLi — asyncpg Connection.*
2027
+ { method: 'execute', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
2028
+ { method: 'fetch', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
2029
+ { method: 'fetchrow', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
2030
+ { method: 'fetchval', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
2031
+ // Method-only python-scoped fallback (aliased connections, pool.acquire())
2032
+ { method: 'fetchrow', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['python'] },
2033
+ { method: 'fetchval', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['python'] },
2034
+ // Go Open Redirect — net/http.Redirect(w, r, url, code)
2035
+ { method: 'Redirect', class: 'http', type: 'open_redirect', cwe: 'CWE-601', severity: 'medium', arg_positions: [2], languages: ['go'] },
2036
+ // Go SSRF — fasthttp Client instance methods (class 'Client' does not
2037
+ // fuzzy-collide with 'http', unlike class 'fasthttp' which would
2038
+ // suffix-match receiver 'http' via receiverMightBeClass's 40% length
2039
+ // heuristic. Package-level `fasthttp.Get/Post/GetTimeout` sinks live
2040
+ // in the Go plugin (`languages/plugins/go.ts::getBuiltinSinks()`) so
2041
+ // they iterate after net/http entries and don't hijack `http.Get`.
2042
+ { method: 'Do', class: 'Client', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0], languages: ['go'] }, // *fasthttp.Client.Do(req)
2043
+ { method: 'DoTimeout', class: 'Client', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0], languages: ['go'] },
2005
2044
  ];
2006
2045
  export const DEFAULT_SANITIZERS = [
2007
2046
  // SQL Injection - proper parameter binding sanitizes input
@@ -2028,12 +2067,17 @@ export const DEFAULT_SANITIZERS = [
2028
2067
  { method: 'render', class: 'Template', removes: ['xss'] }, // Rust askama auto-escapes
2029
2068
  { method: 'encodeForJavaScript', removes: ['xss'] },
2030
2069
  { method: 'encodeForCSS', removes: ['xss'] },
2031
- { method: 'encodeForURL', removes: ['xss', 'ssrf'] },
2070
+ // cognium-dev #249 3.162.0: `open_redirect` restored to the URL-encoder
2071
+ // sanitizer cluster. Sprint 82 (#189) reclassified `sendRedirect` from
2072
+ // `ssrf` → `open_redirect` (config-loader.ts:1296-1299) without updating
2073
+ // this table; the drift surfaced as a SecuriBench Micro FP on
2074
+ // `sanitizers/Sanitizers3.java` (`URLEncoder.encode` + `sendRedirect`).
2075
+ { method: 'encodeForURL', removes: ['xss', 'ssrf', 'open_redirect'] },
2032
2076
  // URL encoding wrapper aliases (common patterns in benchmarks and real-world code)
2033
- { method: 'encodeURL', removes: ['xss', 'ssrf'] },
2034
- { method: 'urlEncode', removes: ['xss', 'ssrf'] },
2035
- { method: 'escapeUrl', removes: ['xss', 'ssrf'] },
2036
- { method: 'escapeURL', removes: ['xss', 'ssrf'] },
2077
+ { method: 'encodeURL', removes: ['xss', 'ssrf', 'open_redirect'] },
2078
+ { method: 'urlEncode', removes: ['xss', 'ssrf', 'open_redirect'] },
2079
+ { method: 'escapeUrl', removes: ['xss', 'ssrf', 'open_redirect'] },
2080
+ { method: 'escapeURL', removes: ['xss', 'ssrf', 'open_redirect'] },
2037
2081
  // Path Traversal
2038
2082
  { method: 'normalize', class: 'Path', removes: ['path_traversal'] },
2039
2083
  { method: 'getCanonicalPath', class: 'File', removes: ['path_traversal'] },
@@ -2075,7 +2119,11 @@ export const DEFAULT_SANITIZERS = [
2075
2119
  { method: 'setFeature', class: 'XMLReader', removes: ['xxe'] },
2076
2120
  { method: 'setProperty', class: 'XMLReader', removes: ['xxe'] },
2077
2121
  // SSRF / URL encoding
2078
- { method: 'encode', class: 'URLEncoder', removes: ['ssrf', 'xss', 'path_traversal'] },
2122
+ // cognium-dev #249 3.162.0: `open_redirect` added see rationale on the
2123
+ // `encodeForURL` cluster above. `java.net.URLEncoder.encode` is the specific
2124
+ // sanitizer used by SecuriBench Micro `sanitizers/Sanitizers3.java` before
2125
+ // `HttpServletResponse.sendRedirect` (Sprint 82 CWE-601 sink).
2126
+ { method: 'encode', class: 'URLEncoder', removes: ['ssrf', 'xss', 'path_traversal', 'open_redirect'] },
2079
2127
  { method: 'validateURL', removes: ['ssrf'] },
2080
2128
  { method: 'isAllowedHost', removes: ['ssrf'] },
2081
2129
  { method: 'isInternalHost', removes: ['ssrf'] },