circle-ir 3.161.0 → 3.162.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1 +1 @@
1
- {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,kBAAkB,EAAE,CAQtB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,EACtB,qBAAqB,GAAE,MAAM,EAAO,GACnC,WAAW,CAYb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAioDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA+ShD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,EAAE,kBAAkB,EAiDtD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAO9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
1
+ {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,kBAAkB,EAAE,CAQtB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,EACtB,qBAAqB,GAAE,MAAM,EAAO,GACnC,WAAW,CAYb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EAoc1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAioDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAwThD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,EAAE,kBAAkB,EAiDtD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAO9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
@@ -107,6 +107,15 @@ export const DEFAULT_SOURCES = [
107
107
  { method: 'getPathWithinApplication', class: 'WebUtils', type: 'http_path', severity: 'high', return_tainted: true },
108
108
  { method: 'getRequestUri', class: 'WebUtils', type: 'http_path', severity: 'high', return_tainted: true },
109
109
  { method: 'decodeRequestString', class: 'WebUtils', type: 'http_path', severity: 'high', return_tainted: true },
110
+ // cognium-dev #249 3.162.0: java.net.URLDecoder.decode reintroduces taint
111
+ // by expanding %XX sequences into arbitrary bytes. This is the
112
+ // decode-after-encode bypass pattern exercised by SecuriBench Micro
113
+ // `sanitizers/Sanitizers5.java`: encode sanitizes `//evil.com` into
114
+ // `%2F%2Fevil.com`, then decode restores the redirect payload before
115
+ // it reaches `sendRedirect`. Registering as a source ensures the
116
+ // reaching-def walk does not credit an upstream URLEncoder.encode
117
+ // sanitizer for taint that has since been re-expanded.
118
+ { method: 'decode', class: 'URLDecoder', type: 'http_path', severity: 'high', return_tainted: true },
110
119
  // Additional HTTP request methods that can be attacker-controlled
111
120
  { method: 'getProtocol', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
112
121
  { method: 'getScheme', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
@@ -2058,12 +2067,17 @@ export const DEFAULT_SANITIZERS = [
2058
2067
  { method: 'render', class: 'Template', removes: ['xss'] }, // Rust askama auto-escapes
2059
2068
  { method: 'encodeForJavaScript', removes: ['xss'] },
2060
2069
  { method: 'encodeForCSS', removes: ['xss'] },
2061
- { method: 'encodeForURL', removes: ['xss', 'ssrf'] },
2070
+ // cognium-dev #249 3.162.0: `open_redirect` restored to the URL-encoder
2071
+ // sanitizer cluster. Sprint 82 (#189) reclassified `sendRedirect` from
2072
+ // `ssrf` → `open_redirect` (config-loader.ts:1296-1299) without updating
2073
+ // this table; the drift surfaced as a SecuriBench Micro FP on
2074
+ // `sanitizers/Sanitizers3.java` (`URLEncoder.encode` + `sendRedirect`).
2075
+ { method: 'encodeForURL', removes: ['xss', 'ssrf', 'open_redirect'] },
2062
2076
  // URL encoding wrapper aliases (common patterns in benchmarks and real-world code)
2063
- { method: 'encodeURL', removes: ['xss', 'ssrf'] },
2064
- { method: 'urlEncode', removes: ['xss', 'ssrf'] },
2065
- { method: 'escapeUrl', removes: ['xss', 'ssrf'] },
2066
- { method: 'escapeURL', removes: ['xss', 'ssrf'] },
2077
+ { method: 'encodeURL', removes: ['xss', 'ssrf', 'open_redirect'] },
2078
+ { method: 'urlEncode', removes: ['xss', 'ssrf', 'open_redirect'] },
2079
+ { method: 'escapeUrl', removes: ['xss', 'ssrf', 'open_redirect'] },
2080
+ { method: 'escapeURL', removes: ['xss', 'ssrf', 'open_redirect'] },
2067
2081
  // Path Traversal
2068
2082
  { method: 'normalize', class: 'Path', removes: ['path_traversal'] },
2069
2083
  { method: 'getCanonicalPath', class: 'File', removes: ['path_traversal'] },
@@ -2105,7 +2119,11 @@ export const DEFAULT_SANITIZERS = [
2105
2119
  { method: 'setFeature', class: 'XMLReader', removes: ['xxe'] },
2106
2120
  { method: 'setProperty', class: 'XMLReader', removes: ['xxe'] },
2107
2121
  // SSRF / URL encoding
2108
- { method: 'encode', class: 'URLEncoder', removes: ['ssrf', 'xss', 'path_traversal'] },
2122
+ // cognium-dev #249 3.162.0: `open_redirect` added see rationale on the
2123
+ // `encodeForURL` cluster above. `java.net.URLEncoder.encode` is the specific
2124
+ // sanitizer used by SecuriBench Micro `sanitizers/Sanitizers3.java` before
2125
+ // `HttpServletResponse.sendRedirect` (Sprint 82 CWE-601 sink).
2126
+ { method: 'encode', class: 'URLEncoder', removes: ['ssrf', 'xss', 'path_traversal', 'open_redirect'] },
2109
2127
  { method: 'validateURL', removes: ['ssrf'] },
2110
2128
  { method: 'isAllowedHost', removes: ['ssrf'] },
2111
2129
  { method: 'isInternalHost', removes: ['ssrf'] },