circle-ir 3.161.0 → 3.163.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -10096,6 +10096,15 @@ var DEFAULT_SOURCES = [
10096
10096
  { method: "getPathWithinApplication", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
10097
10097
  { method: "getRequestUri", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
10098
10098
  { method: "decodeRequestString", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
10099
+ // cognium-dev #249 3.162.0: java.net.URLDecoder.decode reintroduces taint
10100
+ // by expanding %XX sequences into arbitrary bytes. This is the
10101
+ // decode-after-encode bypass pattern exercised by SecuriBench Micro
10102
+ // `sanitizers/Sanitizers5.java`: encode sanitizes `//evil.com` into
10103
+ // `%2F%2Fevil.com`, then decode restores the redirect payload before
10104
+ // it reaches `sendRedirect`. Registering as a source ensures the
10105
+ // reaching-def walk does not credit an upstream URLEncoder.encode
10106
+ // sanitizer for taint that has since been re-expanded.
10107
+ { method: "decode", class: "URLDecoder", type: "http_path", severity: "high", return_tainted: true },
10099
10108
  // Additional HTTP request methods that can be attacker-controlled
10100
10109
  { method: "getProtocol", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
10101
10110
  { method: "getScheme", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
@@ -12057,12 +12066,17 @@ var DEFAULT_SANITIZERS = [
12057
12066
  // Rust askama auto-escapes
12058
12067
  { method: "encodeForJavaScript", removes: ["xss"] },
12059
12068
  { method: "encodeForCSS", removes: ["xss"] },
12060
- { method: "encodeForURL", removes: ["xss", "ssrf"] },
12069
+ // cognium-dev #249 3.162.0: `open_redirect` restored to the URL-encoder
12070
+ // sanitizer cluster. Sprint 82 (#189) reclassified `sendRedirect` from
12071
+ // `ssrf` → `open_redirect` (config-loader.ts:1296-1299) without updating
12072
+ // this table; the drift surfaced as a SecuriBench Micro FP on
12073
+ // `sanitizers/Sanitizers3.java` (`URLEncoder.encode` + `sendRedirect`).
12074
+ { method: "encodeForURL", removes: ["xss", "ssrf", "open_redirect"] },
12061
12075
  // URL encoding wrapper aliases (common patterns in benchmarks and real-world code)
12062
- { method: "encodeURL", removes: ["xss", "ssrf"] },
12063
- { method: "urlEncode", removes: ["xss", "ssrf"] },
12064
- { method: "escapeUrl", removes: ["xss", "ssrf"] },
12065
- { method: "escapeURL", removes: ["xss", "ssrf"] },
12076
+ { method: "encodeURL", removes: ["xss", "ssrf", "open_redirect"] },
12077
+ { method: "urlEncode", removes: ["xss", "ssrf", "open_redirect"] },
12078
+ { method: "escapeUrl", removes: ["xss", "ssrf", "open_redirect"] },
12079
+ { method: "escapeURL", removes: ["xss", "ssrf", "open_redirect"] },
12066
12080
  // Path Traversal
12067
12081
  { method: "normalize", class: "Path", removes: ["path_traversal"] },
12068
12082
  { method: "getCanonicalPath", class: "File", removes: ["path_traversal"] },
@@ -12107,7 +12121,11 @@ var DEFAULT_SANITIZERS = [
12107
12121
  { method: "setFeature", class: "XMLReader", removes: ["xxe"] },
12108
12122
  { method: "setProperty", class: "XMLReader", removes: ["xxe"] },
12109
12123
  // SSRF / URL encoding
12110
- { method: "encode", class: "URLEncoder", removes: ["ssrf", "xss", "path_traversal"] },
12124
+ // cognium-dev #249 3.162.0: `open_redirect` added see rationale on the
12125
+ // `encodeForURL` cluster above. `java.net.URLEncoder.encode` is the specific
12126
+ // sanitizer used by SecuriBench Micro `sanitizers/Sanitizers3.java` before
12127
+ // `HttpServletResponse.sendRedirect` (Sprint 82 CWE-601 sink).
12128
+ { method: "encode", class: "URLEncoder", removes: ["ssrf", "xss", "path_traversal", "open_redirect"] },
12111
12129
  { method: "validateURL", removes: ["ssrf"] },
12112
12130
  { method: "isAllowedHost", removes: ["ssrf"] },
12113
12131
  { method: "isInternalHost", removes: ["ssrf"] },
@@ -14490,7 +14508,7 @@ var KNOWN_SINK_TYPES = /* @__PURE__ */ new Set([
14490
14508
  "crlf",
14491
14509
  "mass_assignment"
14492
14510
  ]);
14493
- function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine, ctx) {
14511
+ function checkSanitized(fromLine, toLine, sinkType, sanitizersByLine, ctx) {
14494
14512
  const isKnownSinkType = KNOWN_SINK_TYPES.has(sinkType);
14495
14513
  const sanitizersAtTarget = sanitizersByLine.get(toLine);
14496
14514
  if (sanitizersAtTarget && sanitizersAtTarget.length > 0) {
@@ -14513,6 +14531,7 @@ function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine, ctx) {
14513
14531
  );
14514
14532
  for (const line of walk.lines) {
14515
14533
  if (line === toLine) continue;
14534
+ if (line < fromLine) continue;
14516
14535
  const sansAtLine = sanitizersByLine.get(line);
14517
14536
  if (!sansAtLine || sansAtLine.length === 0) continue;
14518
14537
  for (const san of sansAtLine) {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "circle-ir",
3
- "version": "3.161.0",
3
+ "version": "3.163.0",
4
4
  "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
5
5
  "main": "dist/index.js",
6
6
  "module": "dist/index.js",