circle-ir 3.160.0 → 3.162.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/analysis/config-loader.d.ts.map +1 -1
- package/dist/analysis/config-loader.js +54 -6
- package/dist/analysis/config-loader.js.map +1 -1
- package/dist/analysis/passes/taint-propagation-pass.d.ts.map +1 -1
- package/dist/analysis/passes/taint-propagation-pass.js +12 -0
- package/dist/analysis/passes/taint-propagation-pass.js.map +1 -1
- package/dist/analysis/taint-matcher.d.ts.map +1 -1
- package/dist/analysis/taint-matcher.js +10 -2
- package/dist/analysis/taint-matcher.js.map +1 -1
- package/dist/analysis/taint-propagation.d.ts.map +1 -1
- package/dist/analysis/taint-propagation.js +14 -1
- package/dist/analysis/taint-propagation.js.map +1 -1
- package/dist/browser/circle-ir.js +93 -9
- package/dist/core/circle-ir-core.cjs +60 -9
- package/dist/core/circle-ir-core.js +60 -9
- package/dist/languages/plugins/go.d.ts.map +1 -1
- package/dist/languages/plugins/go.js +32 -0
- package/dist/languages/plugins/go.js.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,kBAAkB,EAAE,CAQtB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,EACtB,qBAAqB,GAAE,MAAM,EAAO,GACnC,WAAW,CAYb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,
|
|
1
|
+
{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,kBAAkB,EAAE,CAQtB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,EACtB,qBAAqB,GAAE,MAAM,EAAO,GACnC,WAAW,CAYb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EAoc1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAioDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAwThD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,EAAE,kBAAkB,EAiDtD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAO9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
|
|
@@ -107,6 +107,15 @@ export const DEFAULT_SOURCES = [
|
|
|
107
107
|
{ method: 'getPathWithinApplication', class: 'WebUtils', type: 'http_path', severity: 'high', return_tainted: true },
|
|
108
108
|
{ method: 'getRequestUri', class: 'WebUtils', type: 'http_path', severity: 'high', return_tainted: true },
|
|
109
109
|
{ method: 'decodeRequestString', class: 'WebUtils', type: 'http_path', severity: 'high', return_tainted: true },
|
|
110
|
+
// cognium-dev #249 3.162.0: java.net.URLDecoder.decode reintroduces taint
|
|
111
|
+
// by expanding %XX sequences into arbitrary bytes. This is the
|
|
112
|
+
// decode-after-encode bypass pattern exercised by SecuriBench Micro
|
|
113
|
+
// `sanitizers/Sanitizers5.java`: encode sanitizes `//evil.com` into
|
|
114
|
+
// `%2F%2Fevil.com`, then decode restores the redirect payload before
|
|
115
|
+
// it reaches `sendRedirect`. Registering as a source ensures the
|
|
116
|
+
// reaching-def walk does not credit an upstream URLEncoder.encode
|
|
117
|
+
// sanitizer for taint that has since been re-expanded.
|
|
118
|
+
{ method: 'decode', class: 'URLDecoder', type: 'http_path', severity: 'high', return_tainted: true },
|
|
110
119
|
// Additional HTTP request methods that can be attacker-controlled
|
|
111
120
|
{ method: 'getProtocol', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
|
|
112
121
|
{ method: 'getScheme', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
|
|
@@ -2002,6 +2011,36 @@ export const DEFAULT_SINKS = [
|
|
|
2002
2011
|
{ method: 'unserialize', class: 'serialize', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
2003
2012
|
{ method: 'unserialize', class: 'node-serialize', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
2004
2013
|
{ method: 'unserialize', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
2014
|
+
// =========================================================================
|
|
2015
|
+
// cognium-dev #241 (non-Java) — real-world sink signatures
|
|
2016
|
+
// =========================================================================
|
|
2017
|
+
// Python SSRF — httpx (sync + async client + top-level module)
|
|
2018
|
+
{ method: 'get', class: 'httpx', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
2019
|
+
{ method: 'post', class: 'httpx', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
2020
|
+
{ method: 'request', class: 'httpx', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [1] }, // request(method, url, ...)
|
|
2021
|
+
{ method: 'stream', class: 'httpx', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [1] },
|
|
2022
|
+
{ method: 'delete', class: 'httpx', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
2023
|
+
{ method: 'put', class: 'httpx', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
2024
|
+
{ method: 'patch', class: 'httpx', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
2025
|
+
{ method: 'head', class: 'httpx', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
2026
|
+
// Python SQLi — asyncpg Connection.*
|
|
2027
|
+
{ method: 'execute', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
2028
|
+
{ method: 'fetch', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
2029
|
+
{ method: 'fetchrow', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
2030
|
+
{ method: 'fetchval', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
2031
|
+
// Method-only python-scoped fallback (aliased connections, pool.acquire())
|
|
2032
|
+
{ method: 'fetchrow', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['python'] },
|
|
2033
|
+
{ method: 'fetchval', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['python'] },
|
|
2034
|
+
// Go Open Redirect — net/http.Redirect(w, r, url, code)
|
|
2035
|
+
{ method: 'Redirect', class: 'http', type: 'open_redirect', cwe: 'CWE-601', severity: 'medium', arg_positions: [2], languages: ['go'] },
|
|
2036
|
+
// Go SSRF — fasthttp Client instance methods (class 'Client' does not
|
|
2037
|
+
// fuzzy-collide with 'http', unlike class 'fasthttp' which would
|
|
2038
|
+
// suffix-match receiver 'http' via receiverMightBeClass's 40% length
|
|
2039
|
+
// heuristic. Package-level `fasthttp.Get/Post/GetTimeout` sinks live
|
|
2040
|
+
// in the Go plugin (`languages/plugins/go.ts::getBuiltinSinks()`) so
|
|
2041
|
+
// they iterate after net/http entries and don't hijack `http.Get`.
|
|
2042
|
+
{ method: 'Do', class: 'Client', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0], languages: ['go'] }, // *fasthttp.Client.Do(req)
|
|
2043
|
+
{ method: 'DoTimeout', class: 'Client', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0], languages: ['go'] },
|
|
2005
2044
|
];
|
|
2006
2045
|
export const DEFAULT_SANITIZERS = [
|
|
2007
2046
|
// SQL Injection - proper parameter binding sanitizes input
|
|
@@ -2028,12 +2067,17 @@ export const DEFAULT_SANITIZERS = [
|
|
|
2028
2067
|
{ method: 'render', class: 'Template', removes: ['xss'] }, // Rust askama auto-escapes
|
|
2029
2068
|
{ method: 'encodeForJavaScript', removes: ['xss'] },
|
|
2030
2069
|
{ method: 'encodeForCSS', removes: ['xss'] },
|
|
2031
|
-
|
|
2070
|
+
// cognium-dev #249 3.162.0: `open_redirect` restored to the URL-encoder
|
|
2071
|
+
// sanitizer cluster. Sprint 82 (#189) reclassified `sendRedirect` from
|
|
2072
|
+
// `ssrf` → `open_redirect` (config-loader.ts:1296-1299) without updating
|
|
2073
|
+
// this table; the drift surfaced as a SecuriBench Micro FP on
|
|
2074
|
+
// `sanitizers/Sanitizers3.java` (`URLEncoder.encode` + `sendRedirect`).
|
|
2075
|
+
{ method: 'encodeForURL', removes: ['xss', 'ssrf', 'open_redirect'] },
|
|
2032
2076
|
// URL encoding wrapper aliases (common patterns in benchmarks and real-world code)
|
|
2033
|
-
{ method: 'encodeURL', removes: ['xss', 'ssrf'] },
|
|
2034
|
-
{ method: 'urlEncode', removes: ['xss', 'ssrf'] },
|
|
2035
|
-
{ method: 'escapeUrl', removes: ['xss', 'ssrf'] },
|
|
2036
|
-
{ method: 'escapeURL', removes: ['xss', 'ssrf'] },
|
|
2077
|
+
{ method: 'encodeURL', removes: ['xss', 'ssrf', 'open_redirect'] },
|
|
2078
|
+
{ method: 'urlEncode', removes: ['xss', 'ssrf', 'open_redirect'] },
|
|
2079
|
+
{ method: 'escapeUrl', removes: ['xss', 'ssrf', 'open_redirect'] },
|
|
2080
|
+
{ method: 'escapeURL', removes: ['xss', 'ssrf', 'open_redirect'] },
|
|
2037
2081
|
// Path Traversal
|
|
2038
2082
|
{ method: 'normalize', class: 'Path', removes: ['path_traversal'] },
|
|
2039
2083
|
{ method: 'getCanonicalPath', class: 'File', removes: ['path_traversal'] },
|
|
@@ -2075,7 +2119,11 @@ export const DEFAULT_SANITIZERS = [
|
|
|
2075
2119
|
{ method: 'setFeature', class: 'XMLReader', removes: ['xxe'] },
|
|
2076
2120
|
{ method: 'setProperty', class: 'XMLReader', removes: ['xxe'] },
|
|
2077
2121
|
// SSRF / URL encoding
|
|
2078
|
-
|
|
2122
|
+
// cognium-dev #249 3.162.0: `open_redirect` added — see rationale on the
|
|
2123
|
+
// `encodeForURL` cluster above. `java.net.URLEncoder.encode` is the specific
|
|
2124
|
+
// sanitizer used by SecuriBench Micro `sanitizers/Sanitizers3.java` before
|
|
2125
|
+
// `HttpServletResponse.sendRedirect` (Sprint 82 CWE-601 sink).
|
|
2126
|
+
{ method: 'encode', class: 'URLEncoder', removes: ['ssrf', 'xss', 'path_traversal', 'open_redirect'] },
|
|
2079
2127
|
{ method: 'validateURL', removes: ['ssrf'] },
|
|
2080
2128
|
{ method: 'isAllowedHost', removes: ['ssrf'] },
|
|
2081
2129
|
{ method: 'isInternalHost', removes: ['ssrf'] },
|