circle-ir 3.161.0 → 3.162.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/analysis/config-loader.d.ts.map +1 -1
- package/dist/analysis/config-loader.js +24 -6
- package/dist/analysis/config-loader.js.map +1 -1
- package/dist/analysis/passes/taint-propagation-pass.d.ts.map +1 -1
- package/dist/analysis/passes/taint-propagation-pass.js +12 -0
- package/dist/analysis/passes/taint-propagation-pass.js.map +1 -1
- package/dist/analysis/taint-propagation.d.ts.map +1 -1
- package/dist/analysis/taint-propagation.js +14 -1
- package/dist/analysis/taint-propagation.js.map +1 -1
- package/dist/browser/circle-ir.js +27 -7
- package/dist/core/circle-ir-core.cjs +26 -7
- package/dist/core/circle-ir-core.js +26 -7
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,kBAAkB,EAAE,CAQtB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,EACtB,qBAAqB,GAAE,MAAM,EAAO,GACnC,WAAW,CAYb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,
|
|
1
|
+
{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,kBAAkB,EAAE,CAQtB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,EACtB,qBAAqB,GAAE,MAAM,EAAO,GACnC,WAAW,CAYb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EAoc1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAioDtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAwThD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,EAAE,kBAAkB,EAiDtD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAO9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
|
|
@@ -107,6 +107,15 @@ export const DEFAULT_SOURCES = [
|
|
|
107
107
|
{ method: 'getPathWithinApplication', class: 'WebUtils', type: 'http_path', severity: 'high', return_tainted: true },
|
|
108
108
|
{ method: 'getRequestUri', class: 'WebUtils', type: 'http_path', severity: 'high', return_tainted: true },
|
|
109
109
|
{ method: 'decodeRequestString', class: 'WebUtils', type: 'http_path', severity: 'high', return_tainted: true },
|
|
110
|
+
// cognium-dev #249 3.162.0: java.net.URLDecoder.decode reintroduces taint
|
|
111
|
+
// by expanding %XX sequences into arbitrary bytes. This is the
|
|
112
|
+
// decode-after-encode bypass pattern exercised by SecuriBench Micro
|
|
113
|
+
// `sanitizers/Sanitizers5.java`: encode sanitizes `//evil.com` into
|
|
114
|
+
// `%2F%2Fevil.com`, then decode restores the redirect payload before
|
|
115
|
+
// it reaches `sendRedirect`. Registering as a source ensures the
|
|
116
|
+
// reaching-def walk does not credit an upstream URLEncoder.encode
|
|
117
|
+
// sanitizer for taint that has since been re-expanded.
|
|
118
|
+
{ method: 'decode', class: 'URLDecoder', type: 'http_path', severity: 'high', return_tainted: true },
|
|
110
119
|
// Additional HTTP request methods that can be attacker-controlled
|
|
111
120
|
{ method: 'getProtocol', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
|
|
112
121
|
{ method: 'getScheme', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
|
|
@@ -2058,12 +2067,17 @@ export const DEFAULT_SANITIZERS = [
|
|
|
2058
2067
|
{ method: 'render', class: 'Template', removes: ['xss'] }, // Rust askama auto-escapes
|
|
2059
2068
|
{ method: 'encodeForJavaScript', removes: ['xss'] },
|
|
2060
2069
|
{ method: 'encodeForCSS', removes: ['xss'] },
|
|
2061
|
-
|
|
2070
|
+
// cognium-dev #249 3.162.0: `open_redirect` restored to the URL-encoder
|
|
2071
|
+
// sanitizer cluster. Sprint 82 (#189) reclassified `sendRedirect` from
|
|
2072
|
+
// `ssrf` → `open_redirect` (config-loader.ts:1296-1299) without updating
|
|
2073
|
+
// this table; the drift surfaced as a SecuriBench Micro FP on
|
|
2074
|
+
// `sanitizers/Sanitizers3.java` (`URLEncoder.encode` + `sendRedirect`).
|
|
2075
|
+
{ method: 'encodeForURL', removes: ['xss', 'ssrf', 'open_redirect'] },
|
|
2062
2076
|
// URL encoding wrapper aliases (common patterns in benchmarks and real-world code)
|
|
2063
|
-
{ method: 'encodeURL', removes: ['xss', 'ssrf'] },
|
|
2064
|
-
{ method: 'urlEncode', removes: ['xss', 'ssrf'] },
|
|
2065
|
-
{ method: 'escapeUrl', removes: ['xss', 'ssrf'] },
|
|
2066
|
-
{ method: 'escapeURL', removes: ['xss', 'ssrf'] },
|
|
2077
|
+
{ method: 'encodeURL', removes: ['xss', 'ssrf', 'open_redirect'] },
|
|
2078
|
+
{ method: 'urlEncode', removes: ['xss', 'ssrf', 'open_redirect'] },
|
|
2079
|
+
{ method: 'escapeUrl', removes: ['xss', 'ssrf', 'open_redirect'] },
|
|
2080
|
+
{ method: 'escapeURL', removes: ['xss', 'ssrf', 'open_redirect'] },
|
|
2067
2081
|
// Path Traversal
|
|
2068
2082
|
{ method: 'normalize', class: 'Path', removes: ['path_traversal'] },
|
|
2069
2083
|
{ method: 'getCanonicalPath', class: 'File', removes: ['path_traversal'] },
|
|
@@ -2105,7 +2119,11 @@ export const DEFAULT_SANITIZERS = [
|
|
|
2105
2119
|
{ method: 'setFeature', class: 'XMLReader', removes: ['xxe'] },
|
|
2106
2120
|
{ method: 'setProperty', class: 'XMLReader', removes: ['xxe'] },
|
|
2107
2121
|
// SSRF / URL encoding
|
|
2108
|
-
|
|
2122
|
+
// cognium-dev #249 3.162.0: `open_redirect` added — see rationale on the
|
|
2123
|
+
// `encodeForURL` cluster above. `java.net.URLEncoder.encode` is the specific
|
|
2124
|
+
// sanitizer used by SecuriBench Micro `sanitizers/Sanitizers3.java` before
|
|
2125
|
+
// `HttpServletResponse.sendRedirect` (Sprint 82 CWE-601 sink).
|
|
2126
|
+
{ method: 'encode', class: 'URLEncoder', removes: ['ssrf', 'xss', 'path_traversal', 'open_redirect'] },
|
|
2109
2127
|
{ method: 'validateURL', removes: ['ssrf'] },
|
|
2110
2128
|
{ method: 'isAllowedHost', removes: ['ssrf'] },
|
|
2111
2129
|
{ method: 'isInternalHost', removes: ['ssrf'] },
|