circle-ir 3.18.5 → 3.18.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/analysis/config-loader.js +23 -7
- package/dist/analysis/config-loader.js.map +1 -1
- package/dist/analysis/passes/language-sources-pass.js +7 -0
- package/dist/analysis/passes/language-sources-pass.js.map +1 -1
- package/dist/analysis/passes/sink-filter-pass.d.ts +1 -1
- package/dist/analysis/passes/sink-filter-pass.js +22 -3
- package/dist/analysis/passes/sink-filter-pass.js.map +1 -1
- package/dist/analysis/taint-matcher.js +31 -1
- package/dist/analysis/taint-matcher.js.map +1 -1
- package/dist/browser/circle-ir.js +75 -21
- package/dist/core/circle-ir-core.cjs +51 -9
- package/dist/core/circle-ir-core.js +51 -9
- package/dist/languages/plugins/javascript.js +2 -9
- package/dist/languages/plugins/javascript.js.map +1 -1
- package/package.json +1 -1
|
@@ -406,6 +406,8 @@ export const DEFAULT_SOURCES = [
|
|
|
406
406
|
{ method: 'read_line', class: 'BufReader', type: 'file_input', severity: 'medium', return_tainted: true },
|
|
407
407
|
{ method: 'lines', class: 'BufReader', type: 'file_input', severity: 'medium', return_tainted: true },
|
|
408
408
|
{ method: 'read_to_string', class: 'stdin', type: 'io_input', severity: 'medium', return_tainted: true },
|
|
409
|
+
{ method: 'read_line', class: 'stdin', type: 'io_input', severity: 'medium', return_tainted: true },
|
|
410
|
+
{ method: 'lines', class: 'stdin', type: 'io_input', severity: 'medium', return_tainted: true },
|
|
409
411
|
{ method: 'recv', class: 'TcpStream', type: 'network_input', severity: 'high', return_tainted: true },
|
|
410
412
|
{ method: 'read', class: 'TcpStream', type: 'network_input', severity: 'high', return_tainted: true },
|
|
411
413
|
{ method: 'read_to_end', class: 'TcpStream', type: 'network_input', severity: 'high', return_tainted: true },
|
|
@@ -926,9 +928,8 @@ export const DEFAULT_SINKS = [
|
|
|
926
928
|
{ method: 'load', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
927
929
|
{ method: 'loadAll', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
928
930
|
{ method: 'loadAs', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
929
|
-
// JSON deserialization
|
|
931
|
+
// JSON deserialization (Java FastJSON / Jackson — NOT JavaScript's safe JSON.parse)
|
|
930
932
|
{ method: 'parseObject', class: 'JSON', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
931
|
-
{ method: 'parse', class: 'JSON', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
932
933
|
{ method: 'parseObject', class: 'JSONObject', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
933
934
|
{ method: 'fromJson', class: 'Gson', type: 'deserialization', cwe: 'CWE-502', severity: 'medium', arg_positions: [0] },
|
|
934
935
|
// XMLDecoder
|
|
@@ -961,8 +962,8 @@ export const DEFAULT_SINKS = [
|
|
|
961
962
|
{ method: 'sendRedirect', type: 'ssrf', cwe: 'CWE-601', severity: 'high', arg_positions: [0] },
|
|
962
963
|
{ method: 'openConnection', class: 'URL', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [] },
|
|
963
964
|
{ method: 'openStream', class: 'URL', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [] },
|
|
964
|
-
|
|
965
|
-
|
|
965
|
+
// NOTE: URL/URI constructors removed — constructing a URL object doesn't make a network
|
|
966
|
+
// request in any language. The real SSRF sinks are openConnection/openStream/execute/etc.
|
|
966
967
|
{ method: 'execute', class: 'HttpClient', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
967
968
|
{ method: 'send', class: 'HttpClient', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
968
969
|
{ method: 'getForObject', class: 'RestTemplate', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
@@ -1126,6 +1127,8 @@ export const DEFAULT_SINKS = [
|
|
|
1126
1127
|
{ method: 'query', class: 'Client', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1127
1128
|
{ method: 'query', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0] },
|
|
1128
1129
|
{ method: 'raw', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0] },
|
|
1130
|
+
// Browser DOM XSS sinks
|
|
1131
|
+
{ method: 'setAttribute', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
1129
1132
|
// Express.js XSS (response methods)
|
|
1130
1133
|
{ method: 'send', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1131
1134
|
{ method: 'write', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
@@ -1373,6 +1376,14 @@ export const DEFAULT_SINKS = [
|
|
|
1373
1376
|
// Rust Open Redirect
|
|
1374
1377
|
{ method: 'redirect', class: 'HttpResponse', type: 'open_redirect', cwe: 'CWE-601', severity: 'medium', arg_positions: [0] },
|
|
1375
1378
|
{ method: 'Redirect', type: 'open_redirect', cwe: 'CWE-601', severity: 'medium', arg_positions: [0] },
|
|
1379
|
+
{ method: 'see_other', class: 'Redirect', type: 'open_redirect', cwe: 'CWE-601', severity: 'high', arg_positions: [0] },
|
|
1380
|
+
{ method: 'to', class: 'Redirect', type: 'open_redirect', cwe: 'CWE-601', severity: 'high', arg_positions: [0] },
|
|
1381
|
+
{ method: 'temporary', class: 'Redirect', type: 'open_redirect', cwe: 'CWE-601', severity: 'high', arg_positions: [0] },
|
|
1382
|
+
{ method: 'permanent', class: 'Redirect', type: 'open_redirect', cwe: 'CWE-601', severity: 'high', arg_positions: [0] },
|
|
1383
|
+
{ method: 'header', class: 'Response', type: 'open_redirect', cwe: 'CWE-601', severity: 'high', arg_positions: [1] },
|
|
1384
|
+
{ method: 'insert_header', class: 'HttpResponse', type: 'open_redirect', cwe: 'CWE-601', severity: 'high', arg_positions: [1] },
|
|
1385
|
+
{ method: 'append_header', class: 'HttpResponse', type: 'open_redirect', cwe: 'CWE-601', severity: 'high', arg_positions: [1] },
|
|
1386
|
+
{ method: 'from_str', class: 'HeaderValue', type: 'open_redirect', cwe: 'CWE-601', severity: 'high', arg_positions: [0] },
|
|
1376
1387
|
// Rust Log Injection (log crate, tracing)
|
|
1377
1388
|
{ method: 'info!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2] },
|
|
1378
1389
|
{ method: 'warn!', type: 'log_injection', cwe: 'CWE-117', severity: 'low', arg_positions: [0, 1, 2] },
|
|
@@ -1407,6 +1418,9 @@ export const DEFAULT_SINKS = [
|
|
|
1407
1418
|
{ method: 'body', class: 'HttpResponse', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1408
1419
|
{ method: 'body', class: 'HttpResponseBuilder', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1409
1420
|
{ method: 'body', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1421
|
+
// warp::reply::html
|
|
1422
|
+
{ method: 'html', class: 'reply', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1423
|
+
{ method: 'html', class: 'warp', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1410
1424
|
// Rust serde deserialization
|
|
1411
1425
|
{ method: 'from_str', class: 'serde_yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
1412
1426
|
{ method: 'from_reader', class: 'serde_yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
@@ -1473,6 +1487,8 @@ export const DEFAULT_SANITIZERS = [
|
|
|
1473
1487
|
// DOMPurify and similar
|
|
1474
1488
|
{ method: 'sanitize', class: 'DOMPurify', removes: ['xss'] },
|
|
1475
1489
|
{ method: 'escape', class: 'validator', removes: ['xss'] },
|
|
1490
|
+
// JSON.parse (data is validated against JSON grammar, prevents XSS/code injection)
|
|
1491
|
+
{ method: 'parse', class: 'JSON', removes: ['xss', 'code_injection'] },
|
|
1476
1492
|
// Type coercion (removes string-based injections)
|
|
1477
1493
|
{ method: 'parseInt', removes: ['sql_injection', 'nosql_injection', 'command_injection', 'xss'] },
|
|
1478
1494
|
{ method: 'parseFloat', removes: ['sql_injection', 'nosql_injection', 'command_injection'] },
|
|
@@ -1543,9 +1559,9 @@ export const DEFAULT_SANITIZERS = [
|
|
|
1543
1559
|
{ method: 'extension', removes: ['path_traversal'] },
|
|
1544
1560
|
{ method: 'canonicalize', removes: ['path_traversal'] }, // Resolves symlinks, validates path exists
|
|
1545
1561
|
// Rust Command Injection - allowlist validation
|
|
1546
|
-
{ method: 'contains', removes: ['command_injection', 'ssrf'] }, // Used for allowlist checks
|
|
1547
|
-
{ method: 'starts_with', removes: ['path_traversal', 'ssrf'] }, // Path/URL prefix validation
|
|
1548
|
-
{ method: 'ends_with', removes: ['path_traversal'] },
|
|
1562
|
+
{ method: 'contains', removes: ['command_injection', 'ssrf', 'open_redirect'] }, // Used for allowlist checks
|
|
1563
|
+
{ method: 'starts_with', removes: ['path_traversal', 'ssrf', 'open_redirect'] }, // Path/URL prefix validation
|
|
1564
|
+
{ method: 'ends_with', removes: ['path_traversal', 'open_redirect'] },
|
|
1549
1565
|
// Rust XSS - HTML escaping
|
|
1550
1566
|
{ method: 'escape', class: 'html_escape', removes: ['xss'] },
|
|
1551
1567
|
{ method: 'encode_text', class: 'html_escape', removes: ['xss'] },
|