circle-ir 3.18.6 → 3.18.7

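--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -407,6 +407,7 @@ export const DEFAULT_SOURCES = [
  { method: 'lines', class: 'BufReader', type: 'file_input', severity: 'medium', return_tainted: true },
  { method: 'read_to_string', class: 'stdin', type: 'io_input', severity: 'medium', return_tainted: true },
  { method: 'read_line', class: 'stdin', type: 'io_input', severity: 'medium', return_tainted: true },
+ { method: 'lines', class: 'stdin', type: 'io_input', severity: 'medium', return_tainted: true },
  { method: 'recv', class: 'TcpStream', type: 'network_input', severity: 'high', return_tainted: true },
  { method: 'read', class: 'TcpStream', type: 'network_input', severity: 'high', return_tainted: true },
  { method: 'read_to_end', class: 'TcpStream', type: 'network_input', severity: 'high', return_tainted: true },
@@ -927,9 +928,8 @@ export const DEFAULT_SINKS = [
  { method: 'load', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
  { method: 'loadAll', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
  { method: 'loadAs', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
- // JSON deserialization
+ // JSON deserialization (Java FastJSON / Jackson — NOT JavaScript's safe JSON.parse)
  { method: 'parseObject', class: 'JSON', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
- { method: 'parse', class: 'JSON', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
  { method: 'parseObject', class: 'JSONObject', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
  { method: 'fromJson', class: 'Gson', type: 'deserialization', cwe: 'CWE-502', severity: 'medium', arg_positions: [0] },
  // XMLDecoder
@@ -962,8 +962,8 @@ export const DEFAULT_SINKS = [
  { method: 'sendRedirect', type: 'ssrf', cwe: 'CWE-601', severity: 'high', arg_positions: [0] },
  { method: 'openConnection', class: 'URL', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [] },
  { method: 'openStream', class: 'URL', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [] },
- { method: 'URL', class: 'constructor', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
- { method: 'URI', class: 'constructor', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
+ // NOTE: URL/URI constructors removed constructing a URL object doesn't make a network
+ // request in any language. The real SSRF sinks are openConnection/openStream/execute/etc.
  { method: 'execute', class: 'HttpClient', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
  { method: 'send', class: 'HttpClient', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
  { method: 'getForObject', class: 'RestTemplate', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
@@ -1559,9 +1559,9 @@ export const DEFAULT_SANITIZERS = [
  { method: 'extension', removes: ['path_traversal'] },
  { method: 'canonicalize', removes: ['path_traversal'] }, // Resolves symlinks, validates path exists
  // Rust Command Injection - allowlist validation
- { method: 'contains', removes: ['command_injection', 'ssrf'] }, // Used for allowlist checks
- { method: 'starts_with', removes: ['path_traversal', 'ssrf'] }, // Path/URL prefix validation
- { method: 'ends_with', removes: ['path_traversal'] },
+ { method: 'contains', removes: ['command_injection', 'ssrf', 'open_redirect'] }, // Used for allowlist checks
+ { method: 'starts_with', removes: ['path_traversal', 'ssrf', 'open_redirect'] }, // Path/URL prefix validation
+ { method: 'ends_with', removes: ['path_traversal', 'open_redirect'] },
  // Rust XSS - HTML escaping
  { method: 'escape', class: 'html_escape', removes: ['xss'] },
  { method: 'encode_text', class: 'html_escape', removes: ['xss'] },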
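Review bot: Adding `open_redirect` to the generic `contains` sanitizer (and to `ends_with`) in the DEFAULT_SANITIZERS hunk will clear open-redirect findings whenever a tainted URL merely passes through any `.contains(...)` call, yet a substring or suffix match on a URL does not bound its host, so this trades a false positive for a false negative on a high-impact class. Unlike the html_escape entries below, these three matchers carry no `class` qualifier and so fire for every `contains`/`starts_with`/`ends_with` call in the program, not just allowlist checks (the DEFAULT_SANITIZERS array itself begins and ends outside the hunk). I would keep `open_redirect` only on `starts_with`, which the existing comment already frames as prefix validation, and say why: `{ method: 'contains', removes: ['command_injection', 'ssrf'] }, // Used for allowlist checks; NOT an open_redirect sanitizer — substring match does not bound the host` and `{ method: 'ends_with', removes: ['path_traversal'] },`. Even `starts_with` only holds when the prefix covers the full scheme and host up to a delimiter, which deserves a comment on that line. Separately, the DEFAULT_SINKS hunk at 927 removes `parse` on `JSON` while its new comment says the section targets FastJSON, whose `JSON.parse(String)` is itself a deserialization entry point; if the matcher cannot tell Java from JavaScript, that trade-off should be recorded in a comment next to `parseObject` rather than dropped silently.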