circle-ir 3.160.0 → 3.162.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/analysis/config-loader.d.ts.map +1 -1
- package/dist/analysis/config-loader.js +54 -6
- package/dist/analysis/config-loader.js.map +1 -1
- package/dist/analysis/passes/taint-propagation-pass.d.ts.map +1 -1
- package/dist/analysis/passes/taint-propagation-pass.js +12 -0
- package/dist/analysis/passes/taint-propagation-pass.js.map +1 -1
- package/dist/analysis/taint-matcher.d.ts.map +1 -1
- package/dist/analysis/taint-matcher.js +10 -2
- package/dist/analysis/taint-matcher.js.map +1 -1
- package/dist/analysis/taint-propagation.d.ts.map +1 -1
- package/dist/analysis/taint-propagation.js +14 -1
- package/dist/analysis/taint-propagation.js.map +1 -1
- package/dist/browser/circle-ir.js +93 -9
- package/dist/core/circle-ir-core.cjs +60 -9
- package/dist/core/circle-ir-core.js +60 -9
- package/dist/languages/plugins/go.d.ts.map +1 -1
- package/dist/languages/plugins/go.js +32 -0
- package/dist/languages/plugins/go.js.map +1 -1
- package/package.json +1 -1
|
@@ -301,7 +301,7 @@ const KNOWN_SINK_TYPES = new Set([
|
|
|
301
301
|
* later flows to a SQL sink) but eliminates false positives for correctly
|
|
302
302
|
* sanitized code.
|
|
303
303
|
*/
|
|
304
|
-
function checkSanitized(
|
|
304
|
+
function checkSanitized(fromLine, toLine, sinkType, sanitizersByLine, ctx) {
|
|
305
305
|
const isKnownSinkType = KNOWN_SINK_TYPES.has(sinkType);
|
|
306
306
|
// Per-line fast path — preserves 3.154.0 semantics for site #1 (propagation
|
|
307
307
|
// hop check) and site #3 (interprocedural fallback), and remains the primary
|
|
@@ -322,11 +322,24 @@ function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine, ctx) {
|
|
|
322
322
|
// cognium-dev #238 — widen the search to the transitive reaching-def chain
|
|
323
323
|
// of the tainted use. Only fires when the caller opts in via `ctx` (site #2
|
|
324
324
|
// sink-reachability check). Cycle-safe + bounded via walkBackwardDefs.
|
|
325
|
+
//
|
|
326
|
+
// cognium-dev #249 3.162.0 — bound sanitizer credit to lines >= fromLine.
|
|
327
|
+
// When a re-taint source (e.g. `URLDecoder.decode` on a previously-encoded
|
|
328
|
+
// value) sits between an upstream sanitizer and the sink, the backward
|
|
329
|
+
// reaching-def walk crosses through the re-taint source. Sanitizers on
|
|
330
|
+
// lines strictly before the current taint's origin cannot cover the
|
|
331
|
+
// freshly re-introduced taint (SecuriBench Micro `sanitizers/Sanitizers5.java`
|
|
332
|
+
// encode-then-decode bypass). The upper hop cap already bounds the walk;
|
|
333
|
+
// this lower bound closes the semantic gap without affecting the classical
|
|
334
|
+
// `safe = escape(x); sink(safe)` credit path (that sanitizer is at
|
|
335
|
+
// `fromLine == taintInfo.line`, which the `>=` check preserves).
|
|
325
336
|
if (ctx) {
|
|
326
337
|
const walk = walkBackwardDefs(ctx.startDefId, ctx.chainsByToDef, ctx.defById, { maxHops: ctx.maxHops ?? 32 });
|
|
327
338
|
for (const line of walk.lines) {
|
|
328
339
|
if (line === toLine)
|
|
329
340
|
continue; // already checked above
|
|
341
|
+
if (line < fromLine)
|
|
342
|
+
continue; // upstream of the current taint's origin
|
|
330
343
|
const sansAtLine = sanitizersByLine.get(line);
|
|
331
344
|
if (!sansAtLine || sansAtLine.length === 0)
|
|
332
345
|
continue;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"taint-propagation.js","sourceRoot":"","sources":["../../src/analysis/taint-propagation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAaH,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AA8DjD;;;;;GAKG;AACH,SAAS,qBAAqB,CAAC,UAA4B;IACzD,MAAM,GAAG,GAAG,IAAI,GAAG,EAA4B,CAAC;IAChD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,QAAQ;YAAE,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;;YAC5B,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,UAA2B,EAC3B,cAA0C,EAC1C,cAA2C,EAC3C,iBAAiD,EACjD,aAAgC;IAEhC,IAAI,KAAgB,CAAC;IACrB,IAAI,OAAsB,CAAC;IAC3B,IAAI,KAAkB,CAAC;IACvB,IAAI,UAA4B,CAAC;IAEjC,IAAI,UAAU,YAAY,SAAS,EAAE,CAAC;QACpC,qDAAqD;QACrD,KAAK,GAAG,UAAU,CAAC;QACnB,OAAO,GAAG,cAA+B,CAAC;QAC1C,KAAK,GAAG,cAA6B,CAAC;QACtC,UAAU,GAAG,iBAAqC,CAAC;IACrD,CAAC;SAAM,CAAC;QACN,6DAA6D;QAC7D,MAAM,GAAG,GAAG,UAAiB,CAAC;QAC9B,MAAM,KAAK,GAAG,cAA4B,CAAC;QAC3C,OAAO,GAAG,cAA+B,CAAC;QAC1C,KAAK,GAAG,iBAAgC,CAAC;QACzC,UAAU,GAAG,aAAa,IAAI,EAAE,CAAC;QACjC,KAAK,GAAG,IAAI,SAAS,CAAC;YACpB,IAAI,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE;YACxE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,GAAG;YACrD,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,UAAU,EAAE;YAC7C,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE;SACvD,CAAC,CAAC;IACL,CAAC;IAED,MAAM,WAAW,GAAsB,EAAE,CAAC;IAC1C,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,cAAc,GAAG,IAAI,GAAG,EAA4B,CAAC;IAE3D,yEAAyE;IACzE,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;IACpC,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;IACpC,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC;IACtC,4EAA4E;IAC5E,6EAA6E;IAC7E,uEAAuE;IACvE,yEAAyE;IACzE,qEAAqE;IACrE,MAAM,gBAAgB,GAAkC,UAAU,CAAC,MAAM,GAAG,CAAC;QAC3E,CAAC,CAAC,qBAAqB,CAAC,UAAU,CAAC;QACnC,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC;IAC3B,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;IAE9B,8DAA8D;IAC9D,MAAM,eAAe,GAAG,gBAAgB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;IAE3E,6EAA6E;IAC7E,uEAAuE;IACvE,6EAA6E;IAC7E,MAAM,YAAY,GAAG,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE;QAC/C,IAAI,EAAE,CAAC,IAAI,KAAK,EAAE,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QAC3C,MAAM,QAAQ,GAAG,cAAc,CAAC,EAAE,CAAC,UAAU,EAAE,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC;QACzF,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;IAC7B,CAAC,CAAC,CAAC;IACH,WAAW,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;IAElC,iDAAiD;IACjD,MAAM,eAAe,GAAG,sBAAsB,CAC5C,YAAY,EACZ,KAAK,CAAC,eAAe,EACrB,OAAO,EACP,gBAAgB,CACjB,CAAC;IACF,WAAW,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,CAAC;IAErC,kCAAkC;IAClC,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC3C,MAAM,YAAY,GAAG,IAAI,GAAG,EAA2B,CAAC;IACxD,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,gBAAgB,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;QAC/B,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACjC,CAAC;IAED,iEAAiE;IACjE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAErD,oDAAoD;QACpD,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;oBACjB,yEAAyE;oBACzE,uEAAuE;oBACvE,oEAAoE;oBACpE,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBACtD,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;4BAC9C,SAAS;wBACX,CAAC;oBACH,CAAC;oBACD,uCAAuC;oBACvC,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;wBAC7B,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;4BACzD,IAAI,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gCACrC,MAAM,SAAS,GAAG,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gCAC/C,IAAI,SAAS,EAAE,CAAC;oCACd,sBAAsB;oCACtB,EAAE;oCACF,iDAAiD;oCACjD,yDAAyD;oCACzD,qDAAqD;oCACrD,6DAA6D;oCAC7D,qCAAqC;oCACrC,MAAM,WAAW,GAAG,cAAc,CAChC,SAAS,CAAC,IAAI,EACd,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,IAAI,EACT,gBAAgB,EAChB;wCACE,UAAU,EAAE,GAAG,CAAC,MAAM;wCACtB,aAAa,EAAE,KAAK,CAAC,aAAa;wCAClC,OAAO;qCACR,CACF,CAAC;oCAEF,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;wCAC3B,kBAAkB;wCAClB,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,UAAU,CAAC,CAAC;wCAClE,IAAI,MAAM,EAAE,CAAC;4CACX,kBAAkB;4CAClB,MAAM,IAAI,GAAG,cAAc,CACzB,MAAM,EACN,IAAI,EACJ,SAAS,CACV,CAAC;4CACF,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;4CAEjB,wBAAwB;4CACxB,MAAM,eAAe,GAAG,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;4CACvD,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gDACvD,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;4CAC/B,CAAC;4CACD,cAAc,CAAC,GAAG,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;wCAC5C,CAAC;oCACH,CAAC;gCACH,CAAC;4BACH,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,OAAsB,EACtB,WAAoC,EACpC,UAAiC;IAEjC,MAAM,OAAO,GAAsB,EAAE,CAAC;IAEtC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,kDAAkD;QAClD,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAErD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;YAC7B,OAAO,CAAC,IAAI,CAAC;gBACX,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,KAAK,EAAE,GAAG,CAAC,EAAE;gBACb,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,UAAU,EAAE,MAAM,CAAC,IAAI;gBACvB,UAAU,EAAE,MAAM,CAAC,IAAI;gBACvB,UAAU,EAAE,MAAM,CAAC,UAAU;aAC9B,CAAC,CAAC;QACL,CAAC;QAED,oFAAoF;QACpF,EAAE;QACF,0EAA0E;QAC1E,yEAAyE;QACzE,mEAAmE;QACnE,iEAAiE;QACjE,yEAAyE;QACzE,qEAAqE;QACrE,sEAAsE;QACtE,mEAAmE;QACnE,0DAA0D;QAC1D,MAAM,YAAY,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3D,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;YAC/B,oDAAoD;YACpD,MAAM,iBAAiB,GAAG,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAC7D,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACjC,IAAI,MAAM,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ;oBAAE,SAAS;gBAClE,OAAO,CAAC,IAAI,CAAC;oBACX,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,KAAK,EAAE,GAAG,CAAC,EAAE;oBACb,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,UAAU,EAAE,MAAM,CAAC,UAAU,GAAG,GAAG,EAAE,4BAA4B;iBAClE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,2EAA2E;QAC3E,6EAA6E;QAC7E,8EAA8E;QAC9E,6EAA6E;QAC7E,4BAA4B;QAC5B,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC1C,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;gBAC5B,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;oBAC7D,OAAO,CAAC,IAAI,CAAC;wBACX,QAAQ,EAAE,GAAG,CAAC,QAAQ;wBACtB,KAAK,EAAE,GAAG,CAAC,EAAE;wBACb,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,UAAU,EAAE,MAAM,CAAC,IAAI;wBACvB,UAAU,EAAE,MAAM,CAAC,IAAI;wBACvB,UAAU,EAAE,MAAM,CAAC,UAAU;qBAC9B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,SAAS,sBAAsB,CAC7B,YAA+B,EAC/B,eAAwC,EACxC,OAA4B,EAC5B,gBAA+C;IAE/C,MAAM,UAAU,GAAsB,EAAE,CAAC;IACzC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAS,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IACtE,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAA2B,CAAC;IAE5D,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7B,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,yBAAyB;IACzB,MAAM,KAAK,GAAG,CAAC,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAS,KAAK,CAAC,CAAC;IAEvC,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,EAAG,CAAC;QACpC,MAAM,YAAY,GAAG,gBAAgB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,CAAC,YAAY;YAAE,SAAS;QAE5B,MAAM,cAAc,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;QAE/D,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC;gBAAE,SAAS;YAExC,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,CAAC,SAAS;gBAAE,SAAS;YAEzB,2DAA2D;YAC3D,MAAM,aAAa,GAAG,cAAc,CAClC,YAAY,CAAC,UAAU,EACvB,SAAS,CAAC,IAAI,EACd,YAAY,CAAC,UAAU,EACvB,gBAAgB,CACjB,CAAC;YAEF,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,CAAC;gBAC7B,MAAM,QAAQ,GAAoB;oBAChC,QAAQ,EAAE,SAAS,CAAC,QAAQ;oBAC5B,KAAK,EAAE,SAAS,CAAC,EAAE;oBACnB,IAAI,EAAE,SAAS,CAAC,IAAI;oBACpB,UAAU,EAAE,YAAY,CAAC,UAAU;oBACnC,UAAU,EAAE,YAAY,CAAC,UAAU;oBACnC,UAAU,EAAE,YAAY,CAAC,UAAU,GAAG,IAAI,EAAE,4BAA4B;iBACzE,CAAC;gBAEF,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAC1B,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBAChC,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;gBAC7C,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBAC1B,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,wEAAwE;AACxE,8EAA8E;AAC9E,4EAA4E;AAC5E,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAS;IACvC,eAAe,EAAE,KAAK,EAAE,gBAAgB,EAAE,mBAAmB;IAC7D,MAAM,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,eAAe;IAC5D,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,qBAAqB;IACjE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,iBAAiB;CACpD,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,SAAS,cAAc,CACrB,SAAiB,EACjB,MAAc,EACd,QAAgB,EAChB,gBAA+C,EAC/C,GAAuB;IAEvB,MAAM,eAAe,GAAG,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAEvD,4EAA4E;IAC5E,6EAA6E;IAC7E,wEAAwE;IACxE,MAAM,kBAAkB,GAAG,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACxD,IAAI,kBAAkB,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxD,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;YACrC,IAAI,eAAe,EAAE,CAAC;gBACpB,IAAI,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAoB,CAAC,EAAE,CAAC;oBACjD,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;gBAC7C,CAAC;YACH,CAAC;iBAAM,IAAI,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;YAC7C,CAAC;QACH,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,4EAA4E;IAC5E,uEAAuE;IACvE,IAAI,GAAG,EAAE,CAAC;QACR,MAAM,IAAI,GAAG,gBAAgB,CAC3B,GAAG,CAAC,UAAU,EACd,GAAG,CAAC,aAAa,EACjB,GAAG,CAAC,OAAO,EACX,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,EAAE,EAAE,CAC/B,CAAC;QACF,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,IAAI,KAAK,MAAM;gBAAE,SAAS,CAAC,wBAAwB;YACvD,MAAM,UAAU,GAAG,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC9C,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YACrD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;gBAC7B,IAAI,eAAe,EAAE,CAAC;oBACpB,IAAI,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAoB,CAAC,EAAE,CAAC;wBACjD,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;oBAC7C,CAAC;gBACH,CAAC;qBAAM,IAAI,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACpC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;gBAC7C,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CACrB,MAAmB,EACnB,IAAe,EACf,SAA0B;IAE1B,MAAM,IAAI,GAAoB,EAAE,CAAC;IAEjC,oBAAoB;IACpB,IAAI,CAAC,IAAI,CAAC;QACR,QAAQ,EAAE,SAAS,CAAC,QAAQ;QAC5B,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,IAAI,EAAE,QAAQ;QACd,WAAW,EAAE,2BAA2B,MAAM,CAAC,IAAI,EAAE;KACtD,CAAC,CAAC;IAEH,oDAAoD;IACpD,oDAAoD;IACpD,IAAI,SAAS,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI,CAAC;YACR,QAAQ,EAAE,SAAS,CAAC,QAAQ;YAC5B,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,IAAI,EAAE,YAAY;YAClB,WAAW,EAAE,6BAA6B,SAAS,CAAC,QAAQ,EAAE;SAC/D,CAAC,CAAC;IACL,CAAC;IAED,gBAAgB;IAChB,IAAI,CAAC,IAAI,CAAC;QACR,QAAQ,EAAE,SAAS,CAAC,QAAQ;QAC5B,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,yBAAyB,IAAI,CAAC,IAAI,OAAO;KACvD,CAAC,CAAC;IAEH,OAAO;QACL,MAAM;QACN,IAAI;QACJ,IAAI;QACJ,SAAS,EAAE,KAAK;QAChB,UAAU,EAAE,SAAS,CAAC,UAAU,GAAG,GAAG,EAAE,wBAAwB;KACjE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAAQ,EACR,KAAiB,EACjB,WAA8B;IAE9B,MAAM,eAAe,GAAsB,EAAE,CAAC;IAC9C,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IAE7D,oDAAoD;IACpD,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;IAE7D,8DAA8D;IAC9D,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,8DAA8D;QAC9D,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,IAAI,CAAC,CAAC;QAEnE,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;YAC7B,IAAI,GAAG,CAAC,MAAM,KAAK,IAAI,IAAI,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzD,gDAAgD;gBAChD,wDAAwD;gBACxD,mEAAmE;YACrE,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAAe;IACrD,IAAI,UAAU,GAAG,GAAG,CAAC;IAErB,8BAA8B;IAC9B,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC;IAErC,wDAAwD;IACxD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC;IACpC,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,yBAAyB;IAEvE,yBAAyB;IACzB,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,UAAU,GAAG,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,MAA8B;IAM1D,MAAM,eAAe,GAAG,IAAI,GAAG,EAAkB,CAAC;IAElD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QAChC,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvD,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;QAC3C,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM;QAC9E,CAAC,CAAC,CAAC,CAAC;IAEN,OAAO;QACL,gBAAgB,EAAE,MAAM,CAAC,WAAW,CAAC,MAAM;QAC3C,UAAU,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM;QAC/B,eAAe;QACf,aAAa;KACd,CAAC;AACJ,CAAC"}
|
|
1
|
+
{"version":3,"file":"taint-propagation.js","sourceRoot":"","sources":["../../src/analysis/taint-propagation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAaH,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AA8DjD;;;;;GAKG;AACH,SAAS,qBAAqB,CAAC,UAA4B;IACzD,MAAM,GAAG,GAAG,IAAI,GAAG,EAA4B,CAAC;IAChD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,QAAQ;YAAE,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;;YAC5B,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,UAA2B,EAC3B,cAA0C,EAC1C,cAA2C,EAC3C,iBAAiD,EACjD,aAAgC;IAEhC,IAAI,KAAgB,CAAC;IACrB,IAAI,OAAsB,CAAC;IAC3B,IAAI,KAAkB,CAAC;IACvB,IAAI,UAA4B,CAAC;IAEjC,IAAI,UAAU,YAAY,SAAS,EAAE,CAAC;QACpC,qDAAqD;QACrD,KAAK,GAAG,UAAU,CAAC;QACnB,OAAO,GAAG,cAA+B,CAAC;QAC1C,KAAK,GAAG,cAA6B,CAAC;QACtC,UAAU,GAAG,iBAAqC,CAAC;IACrD,CAAC;SAAM,CAAC;QACN,6DAA6D;QAC7D,MAAM,GAAG,GAAG,UAAiB,CAAC;QAC9B,MAAM,KAAK,GAAG,cAA4B,CAAC;QAC3C,OAAO,GAAG,cAA+B,CAAC;QAC1C,KAAK,GAAG,iBAAgC,CAAC;QACzC,UAAU,GAAG,aAAa,IAAI,EAAE,CAAC;QACjC,KAAK,GAAG,IAAI,SAAS,CAAC;YACpB,IAAI,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE;YACxE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,GAAG;YACrD,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,UAAU,EAAE;YAC7C,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE;SACvD,CAAC,CAAC;IACL,CAAC;IAED,MAAM,WAAW,GAAsB,EAAE,CAAC;IAC1C,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,cAAc,GAAG,IAAI,GAAG,EAA4B,CAAC;IAE3D,yEAAyE;IACzE,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;IACpC,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;IACpC,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC;IACtC,4EAA4E;IAC5E,6EAA6E;IAC7E,uEAAuE;IACvE,yEAAyE;IACzE,qEAAqE;IACrE,MAAM,gBAAgB,GAAkC,UAAU,CAAC,MAAM,GAAG,CAAC;QAC3E,CAAC,CAAC,qBAAqB,CAAC,UAAU,CAAC;QACnC,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC;IAC3B,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;IAE9B,8DAA8D;IAC9D,MAAM,eAAe,GAAG,gBAAgB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;IAE3E,6EAA6E;IAC7E,uEAAuE;IACvE,6EAA6E;IAC7E,MAAM,YAAY,GAAG,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE;QAC/C,IAAI,EAAE,CAAC,IAAI,KAAK,EAAE,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QAC3C,MAAM,QAAQ,GAAG,cAAc,CAAC,EAAE,CAAC,UAAU,EAAE,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC;QACzF,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;IAC7B,CAAC,CAAC,CAAC;IACH,WAAW,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;IAElC,iDAAiD;IACjD,MAAM,eAAe,GAAG,sBAAsB,CAC5C,YAAY,EACZ,KAAK,CAAC,eAAe,EACrB,OAAO,EACP,gBAAgB,CACjB,CAAC;IACF,WAAW,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,CAAC;IAErC,kCAAkC;IAClC,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC3C,MAAM,YAAY,GAAG,IAAI,GAAG,EAA2B,CAAC;IACxD,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,gBAAgB,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;QAC/B,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACjC,CAAC;IAED,iEAAiE;IACjE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAErD,oDAAoD;QACpD,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;oBACjB,yEAAyE;oBACzE,uEAAuE;oBACvE,oEAAoE;oBACpE,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBACtD,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;4BAC9C,SAAS;wBACX,CAAC;oBACH,CAAC;oBACD,uCAAuC;oBACvC,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;wBAC7B,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;4BACzD,IAAI,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gCACrC,MAAM,SAAS,GAAG,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gCAC/C,IAAI,SAAS,EAAE,CAAC;oCACd,sBAAsB;oCACtB,EAAE;oCACF,iDAAiD;oCACjD,yDAAyD;oCACzD,qDAAqD;oCACrD,6DAA6D;oCAC7D,qCAAqC;oCACrC,MAAM,WAAW,GAAG,cAAc,CAChC,SAAS,CAAC,IAAI,EACd,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,IAAI,EACT,gBAAgB,EAChB;wCACE,UAAU,EAAE,GAAG,CAAC,MAAM;wCACtB,aAAa,EAAE,KAAK,CAAC,aAAa;wCAClC,OAAO;qCACR,CACF,CAAC;oCAEF,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;wCAC3B,kBAAkB;wCAClB,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,UAAU,CAAC,CAAC;wCAClE,IAAI,MAAM,EAAE,CAAC;4CACX,kBAAkB;4CAClB,MAAM,IAAI,GAAG,cAAc,CACzB,MAAM,EACN,IAAI,EACJ,SAAS,CACV,CAAC;4CACF,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;4CAEjB,wBAAwB;4CACxB,MAAM,eAAe,GAAG,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;4CACvD,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gDACvD,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;4CAC/B,CAAC;4CACD,cAAc,CAAC,GAAG,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;wCAC5C,CAAC;oCACH,CAAC;gCACH,CAAC;4BACH,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,OAAsB,EACtB,WAAoC,EACpC,UAAiC;IAEjC,MAAM,OAAO,GAAsB,EAAE,CAAC;IAEtC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,kDAAkD;QAClD,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAErD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;YAC7B,OAAO,CAAC,IAAI,CAAC;gBACX,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,KAAK,EAAE,GAAG,CAAC,EAAE;gBACb,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,UAAU,EAAE,MAAM,CAAC,IAAI;gBACvB,UAAU,EAAE,MAAM,CAAC,IAAI;gBACvB,UAAU,EAAE,MAAM,CAAC,UAAU;aAC9B,CAAC,CAAC;QACL,CAAC;QAED,oFAAoF;QACpF,EAAE;QACF,0EAA0E;QAC1E,yEAAyE;QACzE,mEAAmE;QACnE,iEAAiE;QACjE,yEAAyE;QACzE,qEAAqE;QACrE,sEAAsE;QACtE,mEAAmE;QACnE,0DAA0D;QAC1D,MAAM,YAAY,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3D,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;YAC/B,oDAAoD;YACpD,MAAM,iBAAiB,GAAG,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAC7D,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACjC,IAAI,MAAM,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ;oBAAE,SAAS;gBAClE,OAAO,CAAC,IAAI,CAAC;oBACX,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,KAAK,EAAE,GAAG,CAAC,EAAE;oBACb,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,UAAU,EAAE,MAAM,CAAC,UAAU,GAAG,GAAG,EAAE,4BAA4B;iBAClE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,2EAA2E;QAC3E,6EAA6E;QAC7E,8EAA8E;QAC9E,6EAA6E;QAC7E,4BAA4B;QAC5B,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC1C,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;gBAC5B,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;oBAC7D,OAAO,CAAC,IAAI,CAAC;wBACX,QAAQ,EAAE,GAAG,CAAC,QAAQ;wBACtB,KAAK,EAAE,GAAG,CAAC,EAAE;wBACb,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,UAAU,EAAE,MAAM,CAAC,IAAI;wBACvB,UAAU,EAAE,MAAM,CAAC,IAAI;wBACvB,UAAU,EAAE,MAAM,CAAC,UAAU;qBAC9B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,SAAS,sBAAsB,CAC7B,YAA+B,EAC/B,eAAwC,EACxC,OAA4B,EAC5B,gBAA+C;IAE/C,MAAM,UAAU,GAAsB,EAAE,CAAC;IACzC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAS,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IACtE,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAA2B,CAAC;IAE5D,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7B,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,yBAAyB;IACzB,MAAM,KAAK,GAAG,CAAC,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAS,KAAK,CAAC,CAAC;IAEvC,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,EAAG,CAAC;QACpC,MAAM,YAAY,GAAG,gBAAgB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,CAAC,YAAY;YAAE,SAAS;QAE5B,MAAM,cAAc,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;QAE/D,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC;gBAAE,SAAS;YAExC,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,CAAC,SAAS;gBAAE,SAAS;YAEzB,2DAA2D;YAC3D,MAAM,aAAa,GAAG,cAAc,CAClC,YAAY,CAAC,UAAU,EACvB,SAAS,CAAC,IAAI,EACd,YAAY,CAAC,UAAU,EACvB,gBAAgB,CACjB,CAAC;YAEF,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,CAAC;gBAC7B,MAAM,QAAQ,GAAoB;oBAChC,QAAQ,EAAE,SAAS,CAAC,QAAQ;oBAC5B,KAAK,EAAE,SAAS,CAAC,EAAE;oBACnB,IAAI,EAAE,SAAS,CAAC,IAAI;oBACpB,UAAU,EAAE,YAAY,CAAC,UAAU;oBACnC,UAAU,EAAE,YAAY,CAAC,UAAU;oBACnC,UAAU,EAAE,YAAY,CAAC,UAAU,GAAG,IAAI,EAAE,4BAA4B;iBACzE,CAAC;gBAEF,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAC1B,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBAChC,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;gBAC7C,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBAC1B,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,wEAAwE;AACxE,8EAA8E;AAC9E,4EAA4E;AAC5E,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAS;IACvC,eAAe,EAAE,KAAK,EAAE,gBAAgB,EAAE,mBAAmB;IAC7D,MAAM,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,eAAe;IAC5D,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,qBAAqB;IACjE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,iBAAiB;CACpD,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,SAAS,cAAc,CACrB,QAAgB,EAChB,MAAc,EACd,QAAgB,EAChB,gBAA+C,EAC/C,GAAuB;IAEvB,MAAM,eAAe,GAAG,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAEvD,4EAA4E;IAC5E,6EAA6E;IAC7E,wEAAwE;IACxE,MAAM,kBAAkB,GAAG,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACxD,IAAI,kBAAkB,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxD,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;YACrC,IAAI,eAAe,EAAE,CAAC;gBACpB,IAAI,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAoB,CAAC,EAAE,CAAC;oBACjD,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;gBAC7C,CAAC;YACH,CAAC;iBAAM,IAAI,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;YAC7C,CAAC;QACH,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,4EAA4E;IAC5E,uEAAuE;IACvE,EAAE;IACF,0EAA0E;IAC1E,2EAA2E;IAC3E,uEAAuE;IACvE,uEAAuE;IACvE,oEAAoE;IACpE,+EAA+E;IAC/E,yEAAyE;IACzE,2EAA2E;IAC3E,mEAAmE;IACnE,iEAAiE;IACjE,IAAI,GAAG,EAAE,CAAC;QACR,MAAM,IAAI,GAAG,gBAAgB,CAC3B,GAAG,CAAC,UAAU,EACd,GAAG,CAAC,aAAa,EACjB,GAAG,CAAC,OAAO,EACX,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,EAAE,EAAE,CAC/B,CAAC;QACF,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,IAAI,KAAK,MAAM;gBAAE,SAAS,CAAC,wBAAwB;YACvD,IAAI,IAAI,GAAG,QAAQ;gBAAE,SAAS,CAAC,yCAAyC;YACxE,MAAM,UAAU,GAAG,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC9C,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YACrD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;gBAC7B,IAAI,eAAe,EAAE,CAAC;oBACpB,IAAI,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAoB,CAAC,EAAE,CAAC;wBACjD,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;oBAC7C,CAAC;gBACH,CAAC;qBAAM,IAAI,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACpC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;gBAC7C,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CACrB,MAAmB,EACnB,IAAe,EACf,SAA0B;IAE1B,MAAM,IAAI,GAAoB,EAAE,CAAC;IAEjC,oBAAoB;IACpB,IAAI,CAAC,IAAI,CAAC;QACR,QAAQ,EAAE,SAAS,CAAC,QAAQ;QAC5B,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,IAAI,EAAE,QAAQ;QACd,WAAW,EAAE,2BAA2B,MAAM,CAAC,IAAI,EAAE;KACtD,CAAC,CAAC;IAEH,oDAAoD;IACpD,oDAAoD;IACpD,IAAI,SAAS,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI,CAAC;YACR,QAAQ,EAAE,SAAS,CAAC,QAAQ;YAC5B,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,IAAI,EAAE,YAAY;YAClB,WAAW,EAAE,6BAA6B,SAAS,CAAC,QAAQ,EAAE;SAC/D,CAAC,CAAC;IACL,CAAC;IAED,gBAAgB;IAChB,IAAI,CAAC,IAAI,CAAC;QACR,QAAQ,EAAE,SAAS,CAAC,QAAQ;QAC5B,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,yBAAyB,IAAI,CAAC,IAAI,OAAO;KACvD,CAAC,CAAC;IAEH,OAAO;QACL,MAAM;QACN,IAAI;QACJ,IAAI;QACJ,SAAS,EAAE,KAAK;QAChB,UAAU,EAAE,SAAS,CAAC,UAAU,GAAG,GAAG,EAAE,wBAAwB;KACjE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAAQ,EACR,KAAiB,EACjB,WAA8B;IAE9B,MAAM,eAAe,GAAsB,EAAE,CAAC;IAC9C,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IAE7D,oDAAoD;IACpD,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;IAE7D,8DAA8D;IAC9D,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,8DAA8D;QAC9D,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,IAAI,CAAC,CAAC;QAEnE,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;YAC7B,IAAI,GAAG,CAAC,MAAM,KAAK,IAAI,IAAI,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzD,gDAAgD;gBAChD,wDAAwD;gBACxD,mEAAmE;YACrE,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAAe;IACrD,IAAI,UAAU,GAAG,GAAG,CAAC;IAErB,8BAA8B;IAC9B,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC;IAErC,wDAAwD;IACxD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC;IACpC,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,yBAAyB;IAEvE,yBAAyB;IACzB,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,UAAU,GAAG,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,MAA8B;IAM1D,MAAM,eAAe,GAAG,IAAI,GAAG,EAAkB,CAAC;IAElD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QAChC,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvD,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;QAC3C,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM;QAC9E,CAAC,CAAC,CAAC,CAAC;IAEN,OAAO;QACL,gBAAgB,EAAE,MAAM,CAAC,WAAW,CAAC,MAAM;QAC3C,UAAU,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM;QAC/B,eAAe;QACf,aAAa;KACd,CAAC;AACJ,CAAC"}
|
|
@@ -10767,6 +10767,15 @@ var DEFAULT_SOURCES = [
|
|
|
10767
10767
|
{ method: "getPathWithinApplication", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
|
|
10768
10768
|
{ method: "getRequestUri", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
|
|
10769
10769
|
{ method: "decodeRequestString", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
|
|
10770
|
+
// cognium-dev #249 3.162.0: java.net.URLDecoder.decode reintroduces taint
|
|
10771
|
+
// by expanding %XX sequences into arbitrary bytes. This is the
|
|
10772
|
+
// decode-after-encode bypass pattern exercised by SecuriBench Micro
|
|
10773
|
+
// `sanitizers/Sanitizers5.java`: encode sanitizes `//evil.com` into
|
|
10774
|
+
// `%2F%2Fevil.com`, then decode restores the redirect payload before
|
|
10775
|
+
// it reaches `sendRedirect`. Registering as a source ensures the
|
|
10776
|
+
// reaching-def walk does not credit an upstream URLEncoder.encode
|
|
10777
|
+
// sanitizer for taint that has since been re-expanded.
|
|
10778
|
+
{ method: "decode", class: "URLDecoder", type: "http_path", severity: "high", return_tainted: true },
|
|
10770
10779
|
// Additional HTTP request methods that can be attacker-controlled
|
|
10771
10780
|
{ method: "getProtocol", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
|
|
10772
10781
|
{ method: "getScheme", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
|
|
@@ -12662,7 +12671,39 @@ var DEFAULT_SINKS = [
|
|
|
12662
12671
|
// (`const { unserialize } = require('node-serialize')`).
|
|
12663
12672
|
{ method: "unserialize", class: "serialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
|
|
12664
12673
|
{ method: "unserialize", class: "node-serialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
|
|
12665
|
-
{ method: "unserialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] }
|
|
12674
|
+
{ method: "unserialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
|
|
12675
|
+
// =========================================================================
|
|
12676
|
+
// cognium-dev #241 (non-Java) — real-world sink signatures
|
|
12677
|
+
// =========================================================================
|
|
12678
|
+
// Python SSRF — httpx (sync + async client + top-level module)
|
|
12679
|
+
{ method: "get", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12680
|
+
{ method: "post", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12681
|
+
{ method: "request", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [1] },
|
|
12682
|
+
// request(method, url, ...)
|
|
12683
|
+
{ method: "stream", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [1] },
|
|
12684
|
+
{ method: "delete", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12685
|
+
{ method: "put", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12686
|
+
{ method: "patch", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12687
|
+
{ method: "head", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12688
|
+
// Python SQLi — asyncpg Connection.*
|
|
12689
|
+
{ method: "execute", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
12690
|
+
{ method: "fetch", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
12691
|
+
{ method: "fetchrow", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
12692
|
+
{ method: "fetchval", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
12693
|
+
// Method-only python-scoped fallback (aliased connections, pool.acquire())
|
|
12694
|
+
{ method: "fetchrow", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["python"] },
|
|
12695
|
+
{ method: "fetchval", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["python"] },
|
|
12696
|
+
// Go Open Redirect — net/http.Redirect(w, r, url, code)
|
|
12697
|
+
{ method: "Redirect", class: "http", type: "open_redirect", cwe: "CWE-601", severity: "medium", arg_positions: [2], languages: ["go"] },
|
|
12698
|
+
// Go SSRF — fasthttp Client instance methods (class 'Client' does not
|
|
12699
|
+
// fuzzy-collide with 'http', unlike class 'fasthttp' which would
|
|
12700
|
+
// suffix-match receiver 'http' via receiverMightBeClass's 40% length
|
|
12701
|
+
// heuristic. Package-level `fasthttp.Get/Post/GetTimeout` sinks live
|
|
12702
|
+
// in the Go plugin (`languages/plugins/go.ts::getBuiltinSinks()`) so
|
|
12703
|
+
// they iterate after net/http entries and don't hijack `http.Get`.
|
|
12704
|
+
{ method: "Do", class: "Client", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0], languages: ["go"] },
|
|
12705
|
+
// *fasthttp.Client.Do(req)
|
|
12706
|
+
{ method: "DoTimeout", class: "Client", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0], languages: ["go"] }
|
|
12666
12707
|
];
|
|
12667
12708
|
var DEFAULT_SANITIZERS = [
|
|
12668
12709
|
// SQL Injection - proper parameter binding sanitizes input
|
|
@@ -12696,12 +12737,17 @@ var DEFAULT_SANITIZERS = [
|
|
|
12696
12737
|
// Rust askama auto-escapes
|
|
12697
12738
|
{ method: "encodeForJavaScript", removes: ["xss"] },
|
|
12698
12739
|
{ method: "encodeForCSS", removes: ["xss"] },
|
|
12699
|
-
|
|
12740
|
+
// cognium-dev #249 3.162.0: `open_redirect` restored to the URL-encoder
|
|
12741
|
+
// sanitizer cluster. Sprint 82 (#189) reclassified `sendRedirect` from
|
|
12742
|
+
// `ssrf` → `open_redirect` (config-loader.ts:1296-1299) without updating
|
|
12743
|
+
// this table; the drift surfaced as a SecuriBench Micro FP on
|
|
12744
|
+
// `sanitizers/Sanitizers3.java` (`URLEncoder.encode` + `sendRedirect`).
|
|
12745
|
+
{ method: "encodeForURL", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12700
12746
|
// URL encoding wrapper aliases (common patterns in benchmarks and real-world code)
|
|
12701
|
-
{ method: "encodeURL", removes: ["xss", "ssrf"] },
|
|
12702
|
-
{ method: "urlEncode", removes: ["xss", "ssrf"] },
|
|
12703
|
-
{ method: "escapeUrl", removes: ["xss", "ssrf"] },
|
|
12704
|
-
{ method: "escapeURL", removes: ["xss", "ssrf"] },
|
|
12747
|
+
{ method: "encodeURL", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12748
|
+
{ method: "urlEncode", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12749
|
+
{ method: "escapeUrl", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12750
|
+
{ method: "escapeURL", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12705
12751
|
// Path Traversal
|
|
12706
12752
|
{ method: "normalize", class: "Path", removes: ["path_traversal"] },
|
|
12707
12753
|
{ method: "getCanonicalPath", class: "File", removes: ["path_traversal"] },
|
|
@@ -12746,7 +12792,11 @@ var DEFAULT_SANITIZERS = [
|
|
|
12746
12792
|
{ method: "setFeature", class: "XMLReader", removes: ["xxe"] },
|
|
12747
12793
|
{ method: "setProperty", class: "XMLReader", removes: ["xxe"] },
|
|
12748
12794
|
// SSRF / URL encoding
|
|
12749
|
-
|
|
12795
|
+
// cognium-dev #249 3.162.0: `open_redirect` added — see rationale on the
|
|
12796
|
+
// `encodeForURL` cluster above. `java.net.URLEncoder.encode` is the specific
|
|
12797
|
+
// sanitizer used by SecuriBench Micro `sanitizers/Sanitizers3.java` before
|
|
12798
|
+
// `HttpServletResponse.sendRedirect` (Sprint 82 CWE-601 sink).
|
|
12799
|
+
{ method: "encode", class: "URLEncoder", removes: ["ssrf", "xss", "path_traversal", "open_redirect"] },
|
|
12750
12800
|
{ method: "validateURL", removes: ["ssrf"] },
|
|
12751
12801
|
{ method: "isAllowedHost", removes: ["ssrf"] },
|
|
12752
12802
|
{ method: "isInternalHost", removes: ["ssrf"] },
|
|
@@ -14282,7 +14332,7 @@ function receiverMightBeClass(receiver, className) {
|
|
|
14282
14332
|
}
|
|
14283
14333
|
const lowerReceiver = receiver.toLowerCase();
|
|
14284
14334
|
const lowerClass = className.toLowerCase();
|
|
14285
|
-
if (lowerReceiver
|
|
14335
|
+
if (lowerReceiver === lowerClass || lowerReceiver.endsWith("." + lowerClass)) {
|
|
14286
14336
|
return true;
|
|
14287
14337
|
}
|
|
14288
14338
|
if (receiver.includes(".") && !receiver.endsWith(")")) {
|
|
@@ -16467,7 +16517,7 @@ var KNOWN_SINK_TYPES = /* @__PURE__ */ new Set([
|
|
|
16467
16517
|
"crlf",
|
|
16468
16518
|
"mass_assignment"
|
|
16469
16519
|
]);
|
|
16470
|
-
function checkSanitized(
|
|
16520
|
+
function checkSanitized(fromLine, toLine, sinkType, sanitizersByLine, ctx) {
|
|
16471
16521
|
const isKnownSinkType = KNOWN_SINK_TYPES.has(sinkType);
|
|
16472
16522
|
const sanitizersAtTarget = sanitizersByLine.get(toLine);
|
|
16473
16523
|
if (sanitizersAtTarget && sanitizersAtTarget.length > 0) {
|
|
@@ -16490,6 +16540,7 @@ function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine, ctx) {
|
|
|
16490
16540
|
);
|
|
16491
16541
|
for (const line of walk.lines) {
|
|
16492
16542
|
if (line === toLine) continue;
|
|
16543
|
+
if (line < fromLine) continue;
|
|
16493
16544
|
const sansAtLine = sanitizersByLine.get(line);
|
|
16494
16545
|
if (!sansAtLine || sansAtLine.length === 0) continue;
|
|
16495
16546
|
for (const san of sansAtLine) {
|
|
@@ -23183,6 +23234,38 @@ var GoPlugin = class extends BaseLanguagePlugin {
|
|
|
23183
23234
|
severity: "high",
|
|
23184
23235
|
argPositions: [0, 2]
|
|
23185
23236
|
},
|
|
23237
|
+
// fasthttp package-level helpers — registered here (plugin sinks
|
|
23238
|
+
// iterate after DEFAULT_SINKS) so `net/http.Get` at line 366 wins
|
|
23239
|
+
// the sink-map insertion race for receiver 'http' before the fuzzy
|
|
23240
|
+
// suffix match in `receiverMightBeClass` ('fasthttp'.endsWith('http'))
|
|
23241
|
+
// would otherwise let a `fasthttp` pattern hijack an `http.Get(url)`
|
|
23242
|
+
// call site. Real `fasthttp.Get(dst, url)` calls have receiver
|
|
23243
|
+
// 'fasthttp' which does not fuzzy-match 'http'. cognium-dev #241
|
|
23244
|
+
// non-Java, 3.161.0.
|
|
23245
|
+
{
|
|
23246
|
+
method: "Get",
|
|
23247
|
+
class: "fasthttp",
|
|
23248
|
+
type: "ssrf",
|
|
23249
|
+
cwe: "CWE-918",
|
|
23250
|
+
severity: "high",
|
|
23251
|
+
argPositions: [1]
|
|
23252
|
+
},
|
|
23253
|
+
{
|
|
23254
|
+
method: "Post",
|
|
23255
|
+
class: "fasthttp",
|
|
23256
|
+
type: "ssrf",
|
|
23257
|
+
cwe: "CWE-918",
|
|
23258
|
+
severity: "high",
|
|
23259
|
+
argPositions: [1]
|
|
23260
|
+
},
|
|
23261
|
+
{
|
|
23262
|
+
method: "GetTimeout",
|
|
23263
|
+
class: "fasthttp",
|
|
23264
|
+
type: "ssrf",
|
|
23265
|
+
cwe: "CWE-918",
|
|
23266
|
+
severity: "high",
|
|
23267
|
+
argPositions: [1]
|
|
23268
|
+
},
|
|
23186
23269
|
// Deserialization
|
|
23187
23270
|
{
|
|
23188
23271
|
method: "Unmarshal",
|
|
@@ -32198,6 +32281,7 @@ var TaintPropagationPass = class {
|
|
|
32198
32281
|
);
|
|
32199
32282
|
for (const line of walk.lines) {
|
|
32200
32283
|
if (line === f.sink_line) continue;
|
|
32284
|
+
if (line < f.source_line) continue;
|
|
32201
32285
|
const sansAtLine = sanitizersByLine.get(line);
|
|
32202
32286
|
if (!sansAtLine || sansAtLine.length === 0) continue;
|
|
32203
32287
|
for (const san of sansAtLine) {
|
|
@@ -10162,6 +10162,15 @@ var DEFAULT_SOURCES = [
|
|
|
10162
10162
|
{ method: "getPathWithinApplication", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
|
|
10163
10163
|
{ method: "getRequestUri", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
|
|
10164
10164
|
{ method: "decodeRequestString", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
|
|
10165
|
+
// cognium-dev #249 3.162.0: java.net.URLDecoder.decode reintroduces taint
|
|
10166
|
+
// by expanding %XX sequences into arbitrary bytes. This is the
|
|
10167
|
+
// decode-after-encode bypass pattern exercised by SecuriBench Micro
|
|
10168
|
+
// `sanitizers/Sanitizers5.java`: encode sanitizes `//evil.com` into
|
|
10169
|
+
// `%2F%2Fevil.com`, then decode restores the redirect payload before
|
|
10170
|
+
// it reaches `sendRedirect`. Registering as a source ensures the
|
|
10171
|
+
// reaching-def walk does not credit an upstream URLEncoder.encode
|
|
10172
|
+
// sanitizer for taint that has since been re-expanded.
|
|
10173
|
+
{ method: "decode", class: "URLDecoder", type: "http_path", severity: "high", return_tainted: true },
|
|
10165
10174
|
// Additional HTTP request methods that can be attacker-controlled
|
|
10166
10175
|
{ method: "getProtocol", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
|
|
10167
10176
|
{ method: "getScheme", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
|
|
@@ -12057,7 +12066,39 @@ var DEFAULT_SINKS = [
|
|
|
12057
12066
|
// (`const { unserialize } = require('node-serialize')`).
|
|
12058
12067
|
{ method: "unserialize", class: "serialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
|
|
12059
12068
|
{ method: "unserialize", class: "node-serialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
|
|
12060
|
-
{ method: "unserialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] }
|
|
12069
|
+
{ method: "unserialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
|
|
12070
|
+
// =========================================================================
|
|
12071
|
+
// cognium-dev #241 (non-Java) — real-world sink signatures
|
|
12072
|
+
// =========================================================================
|
|
12073
|
+
// Python SSRF — httpx (sync + async client + top-level module)
|
|
12074
|
+
{ method: "get", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12075
|
+
{ method: "post", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12076
|
+
{ method: "request", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [1] },
|
|
12077
|
+
// request(method, url, ...)
|
|
12078
|
+
{ method: "stream", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [1] },
|
|
12079
|
+
{ method: "delete", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12080
|
+
{ method: "put", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12081
|
+
{ method: "patch", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12082
|
+
{ method: "head", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12083
|
+
// Python SQLi — asyncpg Connection.*
|
|
12084
|
+
{ method: "execute", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
12085
|
+
{ method: "fetch", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
12086
|
+
{ method: "fetchrow", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
12087
|
+
{ method: "fetchval", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
12088
|
+
// Method-only python-scoped fallback (aliased connections, pool.acquire())
|
|
12089
|
+
{ method: "fetchrow", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["python"] },
|
|
12090
|
+
{ method: "fetchval", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["python"] },
|
|
12091
|
+
// Go Open Redirect — net/http.Redirect(w, r, url, code)
|
|
12092
|
+
{ method: "Redirect", class: "http", type: "open_redirect", cwe: "CWE-601", severity: "medium", arg_positions: [2], languages: ["go"] },
|
|
12093
|
+
// Go SSRF — fasthttp Client instance methods (class 'Client' does not
|
|
12094
|
+
// fuzzy-collide with 'http', unlike class 'fasthttp' which would
|
|
12095
|
+
// suffix-match receiver 'http' via receiverMightBeClass's 40% length
|
|
12096
|
+
// heuristic. Package-level `fasthttp.Get/Post/GetTimeout` sinks live
|
|
12097
|
+
// in the Go plugin (`languages/plugins/go.ts::getBuiltinSinks()`) so
|
|
12098
|
+
// they iterate after net/http entries and don't hijack `http.Get`.
|
|
12099
|
+
{ method: "Do", class: "Client", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0], languages: ["go"] },
|
|
12100
|
+
// *fasthttp.Client.Do(req)
|
|
12101
|
+
{ method: "DoTimeout", class: "Client", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0], languages: ["go"] }
|
|
12061
12102
|
];
|
|
12062
12103
|
var DEFAULT_SANITIZERS = [
|
|
12063
12104
|
// SQL Injection - proper parameter binding sanitizes input
|
|
@@ -12091,12 +12132,17 @@ var DEFAULT_SANITIZERS = [
|
|
|
12091
12132
|
// Rust askama auto-escapes
|
|
12092
12133
|
{ method: "encodeForJavaScript", removes: ["xss"] },
|
|
12093
12134
|
{ method: "encodeForCSS", removes: ["xss"] },
|
|
12094
|
-
|
|
12135
|
+
// cognium-dev #249 3.162.0: `open_redirect` restored to the URL-encoder
|
|
12136
|
+
// sanitizer cluster. Sprint 82 (#189) reclassified `sendRedirect` from
|
|
12137
|
+
// `ssrf` → `open_redirect` (config-loader.ts:1296-1299) without updating
|
|
12138
|
+
// this table; the drift surfaced as a SecuriBench Micro FP on
|
|
12139
|
+
// `sanitizers/Sanitizers3.java` (`URLEncoder.encode` + `sendRedirect`).
|
|
12140
|
+
{ method: "encodeForURL", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12095
12141
|
// URL encoding wrapper aliases (common patterns in benchmarks and real-world code)
|
|
12096
|
-
{ method: "encodeURL", removes: ["xss", "ssrf"] },
|
|
12097
|
-
{ method: "urlEncode", removes: ["xss", "ssrf"] },
|
|
12098
|
-
{ method: "escapeUrl", removes: ["xss", "ssrf"] },
|
|
12099
|
-
{ method: "escapeURL", removes: ["xss", "ssrf"] },
|
|
12142
|
+
{ method: "encodeURL", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12143
|
+
{ method: "urlEncode", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12144
|
+
{ method: "escapeUrl", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12145
|
+
{ method: "escapeURL", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12100
12146
|
// Path Traversal
|
|
12101
12147
|
{ method: "normalize", class: "Path", removes: ["path_traversal"] },
|
|
12102
12148
|
{ method: "getCanonicalPath", class: "File", removes: ["path_traversal"] },
|
|
@@ -12141,7 +12187,11 @@ var DEFAULT_SANITIZERS = [
|
|
|
12141
12187
|
{ method: "setFeature", class: "XMLReader", removes: ["xxe"] },
|
|
12142
12188
|
{ method: "setProperty", class: "XMLReader", removes: ["xxe"] },
|
|
12143
12189
|
// SSRF / URL encoding
|
|
12144
|
-
|
|
12190
|
+
// cognium-dev #249 3.162.0: `open_redirect` added — see rationale on the
|
|
12191
|
+
// `encodeForURL` cluster above. `java.net.URLEncoder.encode` is the specific
|
|
12192
|
+
// sanitizer used by SecuriBench Micro `sanitizers/Sanitizers3.java` before
|
|
12193
|
+
// `HttpServletResponse.sendRedirect` (Sprint 82 CWE-601 sink).
|
|
12194
|
+
{ method: "encode", class: "URLEncoder", removes: ["ssrf", "xss", "path_traversal", "open_redirect"] },
|
|
12145
12195
|
{ method: "validateURL", removes: ["ssrf"] },
|
|
12146
12196
|
{ method: "isAllowedHost", removes: ["ssrf"] },
|
|
12147
12197
|
{ method: "isInternalHost", removes: ["ssrf"] },
|
|
@@ -13590,7 +13640,7 @@ function receiverMightBeClass(receiver, className) {
|
|
|
13590
13640
|
}
|
|
13591
13641
|
const lowerReceiver = receiver.toLowerCase();
|
|
13592
13642
|
const lowerClass = className.toLowerCase();
|
|
13593
|
-
if (lowerReceiver
|
|
13643
|
+
if (lowerReceiver === lowerClass || lowerReceiver.endsWith("." + lowerClass)) {
|
|
13594
13644
|
return true;
|
|
13595
13645
|
}
|
|
13596
13646
|
if (receiver.includes(".") && !receiver.endsWith(")")) {
|
|
@@ -14524,7 +14574,7 @@ var KNOWN_SINK_TYPES = /* @__PURE__ */ new Set([
|
|
|
14524
14574
|
"crlf",
|
|
14525
14575
|
"mass_assignment"
|
|
14526
14576
|
]);
|
|
14527
|
-
function checkSanitized(
|
|
14577
|
+
function checkSanitized(fromLine, toLine, sinkType, sanitizersByLine, ctx) {
|
|
14528
14578
|
const isKnownSinkType = KNOWN_SINK_TYPES.has(sinkType);
|
|
14529
14579
|
const sanitizersAtTarget = sanitizersByLine.get(toLine);
|
|
14530
14580
|
if (sanitizersAtTarget && sanitizersAtTarget.length > 0) {
|
|
@@ -14547,6 +14597,7 @@ function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine, ctx) {
|
|
|
14547
14597
|
);
|
|
14548
14598
|
for (const line of walk.lines) {
|
|
14549
14599
|
if (line === toLine) continue;
|
|
14600
|
+
if (line < fromLine) continue;
|
|
14550
14601
|
const sansAtLine = sanitizersByLine.get(line);
|
|
14551
14602
|
if (!sansAtLine || sansAtLine.length === 0) continue;
|
|
14552
14603
|
for (const san of sansAtLine) {
|
|
@@ -10096,6 +10096,15 @@ var DEFAULT_SOURCES = [
|
|
|
10096
10096
|
{ method: "getPathWithinApplication", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
|
|
10097
10097
|
{ method: "getRequestUri", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
|
|
10098
10098
|
{ method: "decodeRequestString", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
|
|
10099
|
+
// cognium-dev #249 3.162.0: java.net.URLDecoder.decode reintroduces taint
|
|
10100
|
+
// by expanding %XX sequences into arbitrary bytes. This is the
|
|
10101
|
+
// decode-after-encode bypass pattern exercised by SecuriBench Micro
|
|
10102
|
+
// `sanitizers/Sanitizers5.java`: encode sanitizes `//evil.com` into
|
|
10103
|
+
// `%2F%2Fevil.com`, then decode restores the redirect payload before
|
|
10104
|
+
// it reaches `sendRedirect`. Registering as a source ensures the
|
|
10105
|
+
// reaching-def walk does not credit an upstream URLEncoder.encode
|
|
10106
|
+
// sanitizer for taint that has since been re-expanded.
|
|
10107
|
+
{ method: "decode", class: "URLDecoder", type: "http_path", severity: "high", return_tainted: true },
|
|
10099
10108
|
// Additional HTTP request methods that can be attacker-controlled
|
|
10100
10109
|
{ method: "getProtocol", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
|
|
10101
10110
|
{ method: "getScheme", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
|
|
@@ -11991,7 +12000,39 @@ var DEFAULT_SINKS = [
|
|
|
11991
12000
|
// (`const { unserialize } = require('node-serialize')`).
|
|
11992
12001
|
{ method: "unserialize", class: "serialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
|
|
11993
12002
|
{ method: "unserialize", class: "node-serialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
|
|
11994
|
-
{ method: "unserialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] }
|
|
12003
|
+
{ method: "unserialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
|
|
12004
|
+
// =========================================================================
|
|
12005
|
+
// cognium-dev #241 (non-Java) — real-world sink signatures
|
|
12006
|
+
// =========================================================================
|
|
12007
|
+
// Python SSRF — httpx (sync + async client + top-level module)
|
|
12008
|
+
{ method: "get", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12009
|
+
{ method: "post", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12010
|
+
{ method: "request", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [1] },
|
|
12011
|
+
// request(method, url, ...)
|
|
12012
|
+
{ method: "stream", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [1] },
|
|
12013
|
+
{ method: "delete", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12014
|
+
{ method: "put", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12015
|
+
{ method: "patch", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12016
|
+
{ method: "head", class: "httpx", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
|
|
12017
|
+
// Python SQLi — asyncpg Connection.*
|
|
12018
|
+
{ method: "execute", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
12019
|
+
{ method: "fetch", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
12020
|
+
{ method: "fetchrow", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
12021
|
+
{ method: "fetchval", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
12022
|
+
// Method-only python-scoped fallback (aliased connections, pool.acquire())
|
|
12023
|
+
{ method: "fetchrow", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["python"] },
|
|
12024
|
+
{ method: "fetchval", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["python"] },
|
|
12025
|
+
// Go Open Redirect — net/http.Redirect(w, r, url, code)
|
|
12026
|
+
{ method: "Redirect", class: "http", type: "open_redirect", cwe: "CWE-601", severity: "medium", arg_positions: [2], languages: ["go"] },
|
|
12027
|
+
// Go SSRF — fasthttp Client instance methods (class 'Client' does not
|
|
12028
|
+
// fuzzy-collide with 'http', unlike class 'fasthttp' which would
|
|
12029
|
+
// suffix-match receiver 'http' via receiverMightBeClass's 40% length
|
|
12030
|
+
// heuristic. Package-level `fasthttp.Get/Post/GetTimeout` sinks live
|
|
12031
|
+
// in the Go plugin (`languages/plugins/go.ts::getBuiltinSinks()`) so
|
|
12032
|
+
// they iterate after net/http entries and don't hijack `http.Get`.
|
|
12033
|
+
{ method: "Do", class: "Client", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0], languages: ["go"] },
|
|
12034
|
+
// *fasthttp.Client.Do(req)
|
|
12035
|
+
{ method: "DoTimeout", class: "Client", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0], languages: ["go"] }
|
|
11995
12036
|
];
|
|
11996
12037
|
var DEFAULT_SANITIZERS = [
|
|
11997
12038
|
// SQL Injection - proper parameter binding sanitizes input
|
|
@@ -12025,12 +12066,17 @@ var DEFAULT_SANITIZERS = [
|
|
|
12025
12066
|
// Rust askama auto-escapes
|
|
12026
12067
|
{ method: "encodeForJavaScript", removes: ["xss"] },
|
|
12027
12068
|
{ method: "encodeForCSS", removes: ["xss"] },
|
|
12028
|
-
|
|
12069
|
+
// cognium-dev #249 3.162.0: `open_redirect` restored to the URL-encoder
|
|
12070
|
+
// sanitizer cluster. Sprint 82 (#189) reclassified `sendRedirect` from
|
|
12071
|
+
// `ssrf` → `open_redirect` (config-loader.ts:1296-1299) without updating
|
|
12072
|
+
// this table; the drift surfaced as a SecuriBench Micro FP on
|
|
12073
|
+
// `sanitizers/Sanitizers3.java` (`URLEncoder.encode` + `sendRedirect`).
|
|
12074
|
+
{ method: "encodeForURL", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12029
12075
|
// URL encoding wrapper aliases (common patterns in benchmarks and real-world code)
|
|
12030
|
-
{ method: "encodeURL", removes: ["xss", "ssrf"] },
|
|
12031
|
-
{ method: "urlEncode", removes: ["xss", "ssrf"] },
|
|
12032
|
-
{ method: "escapeUrl", removes: ["xss", "ssrf"] },
|
|
12033
|
-
{ method: "escapeURL", removes: ["xss", "ssrf"] },
|
|
12076
|
+
{ method: "encodeURL", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12077
|
+
{ method: "urlEncode", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12078
|
+
{ method: "escapeUrl", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12079
|
+
{ method: "escapeURL", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12034
12080
|
// Path Traversal
|
|
12035
12081
|
{ method: "normalize", class: "Path", removes: ["path_traversal"] },
|
|
12036
12082
|
{ method: "getCanonicalPath", class: "File", removes: ["path_traversal"] },
|
|
@@ -12075,7 +12121,11 @@ var DEFAULT_SANITIZERS = [
|
|
|
12075
12121
|
{ method: "setFeature", class: "XMLReader", removes: ["xxe"] },
|
|
12076
12122
|
{ method: "setProperty", class: "XMLReader", removes: ["xxe"] },
|
|
12077
12123
|
// SSRF / URL encoding
|
|
12078
|
-
|
|
12124
|
+
// cognium-dev #249 3.162.0: `open_redirect` added — see rationale on the
|
|
12125
|
+
// `encodeForURL` cluster above. `java.net.URLEncoder.encode` is the specific
|
|
12126
|
+
// sanitizer used by SecuriBench Micro `sanitizers/Sanitizers3.java` before
|
|
12127
|
+
// `HttpServletResponse.sendRedirect` (Sprint 82 CWE-601 sink).
|
|
12128
|
+
{ method: "encode", class: "URLEncoder", removes: ["ssrf", "xss", "path_traversal", "open_redirect"] },
|
|
12079
12129
|
{ method: "validateURL", removes: ["ssrf"] },
|
|
12080
12130
|
{ method: "isAllowedHost", removes: ["ssrf"] },
|
|
12081
12131
|
{ method: "isInternalHost", removes: ["ssrf"] },
|
|
@@ -13524,7 +13574,7 @@ function receiverMightBeClass(receiver, className) {
|
|
|
13524
13574
|
}
|
|
13525
13575
|
const lowerReceiver = receiver.toLowerCase();
|
|
13526
13576
|
const lowerClass = className.toLowerCase();
|
|
13527
|
-
if (lowerReceiver
|
|
13577
|
+
if (lowerReceiver === lowerClass || lowerReceiver.endsWith("." + lowerClass)) {
|
|
13528
13578
|
return true;
|
|
13529
13579
|
}
|
|
13530
13580
|
if (receiver.includes(".") && !receiver.endsWith(")")) {
|
|
@@ -14458,7 +14508,7 @@ var KNOWN_SINK_TYPES = /* @__PURE__ */ new Set([
|
|
|
14458
14508
|
"crlf",
|
|
14459
14509
|
"mass_assignment"
|
|
14460
14510
|
]);
|
|
14461
|
-
function checkSanitized(
|
|
14511
|
+
function checkSanitized(fromLine, toLine, sinkType, sanitizersByLine, ctx) {
|
|
14462
14512
|
const isKnownSinkType = KNOWN_SINK_TYPES.has(sinkType);
|
|
14463
14513
|
const sanitizersAtTarget = sanitizersByLine.get(toLine);
|
|
14464
14514
|
if (sanitizersAtTarget && sanitizersAtTarget.length > 0) {
|
|
@@ -14481,6 +14531,7 @@ function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine, ctx) {
|
|
|
14481
14531
|
);
|
|
14482
14532
|
for (const line of walk.lines) {
|
|
14483
14533
|
if (line === toLine) continue;
|
|
14534
|
+
if (line < fromLine) continue;
|
|
14484
14535
|
const sansAtLine = sanitizersByLine.get(line);
|
|
14485
14536
|
if (!sansAtLine || sansAtLine.length === 0) continue;
|
|
14486
14537
|
for (const san of sansAtLine) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"go.d.ts","sourceRoot":"","sources":["../../../src/languages/plugins/go.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,KAAK,EACV,QAAQ,EACR,QAAQ,EACR,UAAU,EACX,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,EACV,iBAAiB,EACjB,iBAAiB,EACjB,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAE/C;;GAEG;AACH,qBAAa,QAAS,SAAQ,kBAAkB;IAC9C,QAAQ,CAAC,EAAE,EAAG,IAAI,CAAU;IAC5B,QAAQ,CAAC,IAAI,QAAQ;IACrB,QAAQ,CAAC,UAAU,WAAW;IAC9B,QAAQ,CAAC,QAAQ,yBAAyB;IAE1C,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CA+BnC;IAEF;;OAEG;IACH,eAAe,CAAC,OAAO,EAAE,iBAAiB,GAAG,aAAa,GAAG,SAAS;IAwDtE;;OAEG;IACH,iBAAiB,IAAI,kBAAkB,EAAE;IAkHzC;;OAEG;IACH,eAAe,IAAI,gBAAgB,EAAE;
|
|
1
|
+
{"version":3,"file":"go.d.ts","sourceRoot":"","sources":["../../../src/languages/plugins/go.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,KAAK,EACV,QAAQ,EACR,QAAQ,EACR,UAAU,EACX,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,EACV,iBAAiB,EACjB,iBAAiB,EACjB,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAE/C;;GAEG;AACH,qBAAa,QAAS,SAAQ,kBAAkB;IAC9C,QAAQ,CAAC,EAAE,EAAG,IAAI,CAAU;IAC5B,QAAQ,CAAC,IAAI,QAAQ;IACrB,QAAQ,CAAC,UAAU,WAAW;IAC9B,QAAQ,CAAC,QAAQ,yBAAyB;IAE1C,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CA+BnC;IAEF;;OAEG;IACH,eAAe,CAAC,OAAO,EAAE,iBAAiB,GAAG,aAAa,GAAG,SAAS;IAwDtE;;OAEG;IACH,iBAAiB,IAAI,kBAAkB,EAAE;IAkHzC;;OAEG;IACH,eAAe,IAAI,gBAAgB,EAAE;IAiTrC;;OAEG;IACH,eAAe,CAAC,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,iBAAiB,GAAG,MAAM,GAAG,SAAS;IAiBlF;;OAEG;IACH,eAAe,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO;IAK1C;;OAEG;IACH,cAAc,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,GAAG,SAAS;IAkBpD;;OAEG;IACH,YAAY,CAAC,OAAO,EAAE,iBAAiB,GAAG,QAAQ,EAAE;IA0FpD;;OAEG;IACH,YAAY,CAAC,OAAO,EAAE,iBAAiB,GAAG,QAAQ,EAAE;IAsDpD;;OAEG;IACH,cAAc,CAAC,OAAO,EAAE,iBAAiB,GAAG,UAAU,EAAE;IA6BxD;;OAEG;IACH,cAAc,CAAC,OAAO,EAAE,iBAAiB,GAAG,MAAM,GAAG,SAAS;IAkB9D,OAAO,CAAC,eAAe;IA8BvB,OAAO,CAAC,eAAe;CAiBxB"}
|
|
@@ -339,6 +339,38 @@ export class GoPlugin extends BaseLanguagePlugin {
|
|
|
339
339
|
severity: 'high',
|
|
340
340
|
argPositions: [0, 2],
|
|
341
341
|
},
|
|
342
|
+
// fasthttp package-level helpers — registered here (plugin sinks
|
|
343
|
+
// iterate after DEFAULT_SINKS) so `net/http.Get` at line 366 wins
|
|
344
|
+
// the sink-map insertion race for receiver 'http' before the fuzzy
|
|
345
|
+
// suffix match in `receiverMightBeClass` ('fasthttp'.endsWith('http'))
|
|
346
|
+
// would otherwise let a `fasthttp` pattern hijack an `http.Get(url)`
|
|
347
|
+
// call site. Real `fasthttp.Get(dst, url)` calls have receiver
|
|
348
|
+
// 'fasthttp' which does not fuzzy-match 'http'. cognium-dev #241
|
|
349
|
+
// non-Java, 3.161.0.
|
|
350
|
+
{
|
|
351
|
+
method: 'Get',
|
|
352
|
+
class: 'fasthttp',
|
|
353
|
+
type: 'ssrf',
|
|
354
|
+
cwe: 'CWE-918',
|
|
355
|
+
severity: 'high',
|
|
356
|
+
argPositions: [1],
|
|
357
|
+
},
|
|
358
|
+
{
|
|
359
|
+
method: 'Post',
|
|
360
|
+
class: 'fasthttp',
|
|
361
|
+
type: 'ssrf',
|
|
362
|
+
cwe: 'CWE-918',
|
|
363
|
+
severity: 'high',
|
|
364
|
+
argPositions: [1],
|
|
365
|
+
},
|
|
366
|
+
{
|
|
367
|
+
method: 'GetTimeout',
|
|
368
|
+
class: 'fasthttp',
|
|
369
|
+
type: 'ssrf',
|
|
370
|
+
cwe: 'CWE-918',
|
|
371
|
+
severity: 'high',
|
|
372
|
+
argPositions: [1],
|
|
373
|
+
},
|
|
342
374
|
// Deserialization
|
|
343
375
|
{
|
|
344
376
|
method: 'Unmarshal',
|