circle-ir 3.161.0 → 3.163.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/analysis/config-loader.d.ts.map +1 -1
- package/dist/analysis/config-loader.js +24 -6
- package/dist/analysis/config-loader.js.map +1 -1
- package/dist/analysis/findings.d.ts.map +1 -1
- package/dist/analysis/findings.js +7 -1
- package/dist/analysis/findings.js.map +1 -1
- package/dist/analysis/passes/taint-propagation-pass.d.ts.map +1 -1
- package/dist/analysis/passes/taint-propagation-pass.js +12 -0
- package/dist/analysis/passes/taint-propagation-pass.js.map +1 -1
- package/dist/analysis/taint-propagation.d.ts.map +1 -1
- package/dist/analysis/taint-propagation.js +14 -1
- package/dist/analysis/taint-propagation.js.map +1 -1
- package/dist/browser/circle-ir.js +34 -8
- package/dist/core/circle-ir-core.cjs +26 -7
- package/dist/core/circle-ir-core.js +26 -7
- package/package.json +1 -1
|
@@ -10096,6 +10096,15 @@ var DEFAULT_SOURCES = [
|
|
|
10096
10096
|
{ method: "getPathWithinApplication", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
|
|
10097
10097
|
{ method: "getRequestUri", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
|
|
10098
10098
|
{ method: "decodeRequestString", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
|
|
10099
|
+
// cognium-dev #249 3.162.0: java.net.URLDecoder.decode reintroduces taint
|
|
10100
|
+
// by expanding %XX sequences into arbitrary bytes. This is the
|
|
10101
|
+
// decode-after-encode bypass pattern exercised by SecuriBench Micro
|
|
10102
|
+
// `sanitizers/Sanitizers5.java`: encode sanitizes `//evil.com` into
|
|
10103
|
+
// `%2F%2Fevil.com`, then decode restores the redirect payload before
|
|
10104
|
+
// it reaches `sendRedirect`. Registering as a source ensures the
|
|
10105
|
+
// reaching-def walk does not credit an upstream URLEncoder.encode
|
|
10106
|
+
// sanitizer for taint that has since been re-expanded.
|
|
10107
|
+
{ method: "decode", class: "URLDecoder", type: "http_path", severity: "high", return_tainted: true },
|
|
10099
10108
|
// Additional HTTP request methods that can be attacker-controlled
|
|
10100
10109
|
{ method: "getProtocol", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
|
|
10101
10110
|
{ method: "getScheme", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
|
|
@@ -12057,12 +12066,17 @@ var DEFAULT_SANITIZERS = [
|
|
|
12057
12066
|
// Rust askama auto-escapes
|
|
12058
12067
|
{ method: "encodeForJavaScript", removes: ["xss"] },
|
|
12059
12068
|
{ method: "encodeForCSS", removes: ["xss"] },
|
|
12060
|
-
|
|
12069
|
+
// cognium-dev #249 3.162.0: `open_redirect` restored to the URL-encoder
|
|
12070
|
+
// sanitizer cluster. Sprint 82 (#189) reclassified `sendRedirect` from
|
|
12071
|
+
// `ssrf` → `open_redirect` (config-loader.ts:1296-1299) without updating
|
|
12072
|
+
// this table; the drift surfaced as a SecuriBench Micro FP on
|
|
12073
|
+
// `sanitizers/Sanitizers3.java` (`URLEncoder.encode` + `sendRedirect`).
|
|
12074
|
+
{ method: "encodeForURL", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12061
12075
|
// URL encoding wrapper aliases (common patterns in benchmarks and real-world code)
|
|
12062
|
-
{ method: "encodeURL", removes: ["xss", "ssrf"] },
|
|
12063
|
-
{ method: "urlEncode", removes: ["xss", "ssrf"] },
|
|
12064
|
-
{ method: "escapeUrl", removes: ["xss", "ssrf"] },
|
|
12065
|
-
{ method: "escapeURL", removes: ["xss", "ssrf"] },
|
|
12076
|
+
{ method: "encodeURL", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12077
|
+
{ method: "urlEncode", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12078
|
+
{ method: "escapeUrl", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12079
|
+
{ method: "escapeURL", removes: ["xss", "ssrf", "open_redirect"] },
|
|
12066
12080
|
// Path Traversal
|
|
12067
12081
|
{ method: "normalize", class: "Path", removes: ["path_traversal"] },
|
|
12068
12082
|
{ method: "getCanonicalPath", class: "File", removes: ["path_traversal"] },
|
|
@@ -12107,7 +12121,11 @@ var DEFAULT_SANITIZERS = [
|
|
|
12107
12121
|
{ method: "setFeature", class: "XMLReader", removes: ["xxe"] },
|
|
12108
12122
|
{ method: "setProperty", class: "XMLReader", removes: ["xxe"] },
|
|
12109
12123
|
// SSRF / URL encoding
|
|
12110
|
-
|
|
12124
|
+
// cognium-dev #249 3.162.0: `open_redirect` added — see rationale on the
|
|
12125
|
+
// `encodeForURL` cluster above. `java.net.URLEncoder.encode` is the specific
|
|
12126
|
+
// sanitizer used by SecuriBench Micro `sanitizers/Sanitizers3.java` before
|
|
12127
|
+
// `HttpServletResponse.sendRedirect` (Sprint 82 CWE-601 sink).
|
|
12128
|
+
{ method: "encode", class: "URLEncoder", removes: ["ssrf", "xss", "path_traversal", "open_redirect"] },
|
|
12111
12129
|
{ method: "validateURL", removes: ["ssrf"] },
|
|
12112
12130
|
{ method: "isAllowedHost", removes: ["ssrf"] },
|
|
12113
12131
|
{ method: "isInternalHost", removes: ["ssrf"] },
|
|
@@ -14490,7 +14508,7 @@ var KNOWN_SINK_TYPES = /* @__PURE__ */ new Set([
|
|
|
14490
14508
|
"crlf",
|
|
14491
14509
|
"mass_assignment"
|
|
14492
14510
|
]);
|
|
14493
|
-
function checkSanitized(
|
|
14511
|
+
function checkSanitized(fromLine, toLine, sinkType, sanitizersByLine, ctx) {
|
|
14494
14512
|
const isKnownSinkType = KNOWN_SINK_TYPES.has(sinkType);
|
|
14495
14513
|
const sanitizersAtTarget = sanitizersByLine.get(toLine);
|
|
14496
14514
|
if (sanitizersAtTarget && sanitizersAtTarget.length > 0) {
|
|
@@ -14513,6 +14531,7 @@ function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine, ctx) {
|
|
|
14513
14531
|
);
|
|
14514
14532
|
for (const line of walk.lines) {
|
|
14515
14533
|
if (line === toLine) continue;
|
|
14534
|
+
if (line < fromLine) continue;
|
|
14516
14535
|
const sansAtLine = sanitizersByLine.get(line);
|
|
14517
14536
|
if (!sansAtLine || sansAtLine.length === 0) continue;
|
|
14518
14537
|
for (const san of sansAtLine) {
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "circle-ir",
|
|
3
|
-
"version": "3.
|
|
3
|
+
"version": "3.163.0",
|
|
4
4
|
"description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"module": "dist/index.js",
|