circle-ir 3.18.6 → 3.18.8
- package/dist/analysis/config-loader.js +50 -7
- package/dist/analysis/config-loader.js.map +1 -1
- package/dist/analysis/passes/language-sources-pass.js +7 -0
- package/dist/analysis/passes/language-sources-pass.js.map +1 -1
- package/dist/analysis/passes/sink-filter-pass.d.ts +1 -1
- package/dist/analysis/passes/sink-filter-pass.js +19 -4
- package/dist/analysis/passes/sink-filter-pass.js.map +1 -1
- package/dist/analysis/taint-matcher.js +23 -0
- package/dist/analysis/taint-matcher.js.map +1 -1
- package/dist/browser/circle-ir.js +101 -21
- package/dist/core/circle-ir-core.cjs +77 -8
- package/dist/core/circle-ir-core.js +77 -8
- package/dist/languages/plugins/javascript.js +2 -9
- package/dist/languages/plugins/javascript.js.map +1 -1
- package/package.json +1 -1
|
@@ -407,6 +407,7 @@ export const DEFAULT_SOURCES = [
|
|
|
407
407
|
{ method: 'lines', class: 'BufReader', type: 'file_input', severity: 'medium', return_tainted: true },
|
|
408
408
|
{ method: 'read_to_string', class: 'stdin', type: 'io_input', severity: 'medium', return_tainted: true },
|
|
409
409
|
{ method: 'read_line', class: 'stdin', type: 'io_input', severity: 'medium', return_tainted: true },
|
|
410
|
+
{ method: 'lines', class: 'stdin', type: 'io_input', severity: 'medium', return_tainted: true },
|
|
410
411
|
{ method: 'recv', class: 'TcpStream', type: 'network_input', severity: 'high', return_tainted: true },
|
|
411
412
|
{ method: 'read', class: 'TcpStream', type: 'network_input', severity: 'high', return_tainted: true },
|
|
412
413
|
{ method: 'read_to_end', class: 'TcpStream', type: 'network_input', severity: 'high', return_tainted: true },
|
|
@@ -918,6 +919,37 @@ export const DEFAULT_SINKS = [
|
|
|
918
919
|
{ method: 'processRequest', class: 'Broker', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
919
920
|
// DolphinScheduler
|
|
920
921
|
{ method: 'execute', class: 'TaskExecuteThread', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
922
|
+
// Apache Commons JEXL (JEXL expression injection)
|
|
923
|
+
{ method: 'createExpression', class: 'JexlEngine', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
924
|
+
{ method: 'createScript', class: 'JexlEngine', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
925
|
+
{ method: 'evaluate', class: 'JexlExpression', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
|
|
926
|
+
{ method: 'execute', class: 'JexlScript', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
|
|
927
|
+
// Janino expression evaluator (Calcite/Flink/Drill)
|
|
928
|
+
{ method: 'createFastEvaluator', class: 'ExpressionEvaluator', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
929
|
+
{ method: 'cook', class: 'ExpressionEvaluator', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
930
|
+
{ method: 'cook', class: 'ScriptEvaluator', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
931
|
+
{ method: 'cook', class: 'ClassBodyEvaluator', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
932
|
+
{ method: 'cook', class: 'SimpleCompiler', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
933
|
+
// Apache Camel Simple language (CVE-2018-8041 and similar)
|
|
934
|
+
{ method: 'createExpression', class: 'SimpleLanguage', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
935
|
+
{ method: 'createPredicate', class: 'SimpleLanguage', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
936
|
+
// Thymeleaf StandardExpression (CVE-2023-38286 and similar)
|
|
937
|
+
{ method: 'parseExpression', class: 'StandardExpressionParser', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [1] },
|
|
938
|
+
{ method: 'getValue', class: 'StandardExpression', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
|
|
939
|
+
// FreeMarker direct template construction (CVE-2022-26336 and similar)
|
|
940
|
+
{ method: 'Template', class: 'Template', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [1] }, // new Template(name, tainted)
|
|
941
|
+
{ method: 'getTemplate', class: 'Configuration', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
942
|
+
// Jinjava (Java Jinja template engine)
|
|
943
|
+
{ method: 'render', class: 'Jinjava', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
944
|
+
{ method: 'renderForResult', class: 'Jinjava', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
945
|
+
// Spring Cloud Function RoutingFunction (CVE-2022-22963)
|
|
946
|
+
{ method: 'getRequestedBeanName', class: 'RoutingFunction', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
|
|
947
|
+
// Kotlin reflection (RCE via reflective construction)
|
|
948
|
+
{ method: 'createInstance', class: 'KClass', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [] },
|
|
949
|
+
{ method: 'callBy', class: 'KFunction', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
|
|
950
|
+
// Struts 2 deep injection (CVE-2017-5638 and descendants)
|
|
951
|
+
{ method: 'translateVariables', class: 'TextParseUtil', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
952
|
+
{ method: 'evaluate', class: 'StrutsResultSupport', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
921
953
|
// Deserialization (CWE-502)
|
|
922
954
|
{ method: 'readObject', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [] },
|
|
923
955
|
{ method: 'readUnshared', class: 'ObjectInputStream', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [] },
|
|
@@ -927,9 +959,8 @@ export const DEFAULT_SINKS = [
|
|
|
927
959
|
{ method: 'load', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
928
960
|
{ method: 'loadAll', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
929
961
|
{ method: 'loadAs', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
930
|
-
// JSON deserialization
|
|
962
|
+
// JSON deserialization (Java FastJSON / Jackson — NOT JavaScript's safe JSON.parse)
|
|
931
963
|
{ method: 'parseObject', class: 'JSON', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
932
|
-
{ method: 'parse', class: 'JSON', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
933
964
|
{ method: 'parseObject', class: 'JSONObject', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
|
|
934
965
|
{ method: 'fromJson', class: 'Gson', type: 'deserialization', cwe: 'CWE-502', severity: 'medium', arg_positions: [0] },
|
|
935
966
|
// XMLDecoder
|
|
@@ -962,8 +993,8 @@ export const DEFAULT_SINKS = [
|
|
|
962
993
|
{ method: 'sendRedirect', type: 'ssrf', cwe: 'CWE-601', severity: 'high', arg_positions: [0] },
|
|
963
994
|
{ method: 'openConnection', class: 'URL', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [] },
|
|
964
995
|
{ method: 'openStream', class: 'URL', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [] },
|
|
965
|
-
|
|
966
|
-
|
|
996
|
+
// NOTE: URL/URI constructors removed — constructing a URL object doesn't make a network
|
|
997
|
+
// request in any language. The real SSRF sinks are openConnection/openStream/execute/etc.
|
|
967
998
|
{ method: 'execute', class: 'HttpClient', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
968
999
|
{ method: 'send', class: 'HttpClient', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
969
1000
|
{ method: 'getForObject', class: 'RestTemplate', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
@@ -1440,12 +1471,24 @@ export const DEFAULT_SANITIZERS = [
|
|
|
1440
1471
|
{ method: 'encodeForHTML', removes: ['xss'] },
|
|
1441
1472
|
{ method: 'escapeXml', removes: ['xss'] },
|
|
1442
1473
|
{ method: 'htmlEscape', removes: ['xss'] },
|
|
1474
|
+
{ method: 'escapeHtml4', removes: ['xss'] }, // Apache Commons StringEscapeUtils
|
|
1475
|
+
{ method: 'escapeHtml3', removes: ['xss'] }, // Apache Commons StringEscapeUtils
|
|
1476
|
+
{ method: 'htmlSpecialChars', removes: ['xss'] }, // PHP-style / common wrapper
|
|
1477
|
+
{ method: 'forHtml', class: 'Encode', removes: ['xss'] }, // OWASP Java Encoder
|
|
1478
|
+
{ method: 'forHtmlContent', class: 'Encode', removes: ['xss'] },
|
|
1479
|
+
{ method: 'forHtmlAttribute', class: 'Encode', removes: ['xss'] },
|
|
1480
|
+
{ method: 'forJavaScript', class: 'Encode', removes: ['xss'] },
|
|
1443
1481
|
{ method: 'encode_text', removes: ['xss'] }, // Rust html_escape crate
|
|
1444
1482
|
{ method: 'encode_safe', removes: ['xss'] }, // Rust html_escape crate
|
|
1445
1483
|
{ method: 'render', class: 'Template', removes: ['xss'] }, // Rust askama auto-escapes
|
|
1446
1484
|
{ method: 'encodeForJavaScript', removes: ['xss'] },
|
|
1447
1485
|
{ method: 'encodeForCSS', removes: ['xss'] },
|
|
1448
1486
|
{ method: 'encodeForURL', removes: ['xss', 'ssrf'] },
|
|
1487
|
+
// URL encoding wrapper aliases (common patterns in benchmarks and real-world code)
|
|
1488
|
+
{ method: 'encodeURL', removes: ['xss', 'ssrf'] },
|
|
1489
|
+
{ method: 'urlEncode', removes: ['xss', 'ssrf'] },
|
|
1490
|
+
{ method: 'escapeUrl', removes: ['xss', 'ssrf'] },
|
|
1491
|
+
{ method: 'escapeURL', removes: ['xss', 'ssrf'] },
|
|
1449
1492
|
// Path Traversal
|
|
1450
1493
|
{ method: 'normalize', class: 'Path', removes: ['path_traversal'] },
|
|
1451
1494
|
{ method: 'getCanonicalPath', class: 'File', removes: ['path_traversal'] },
|
|
@@ -1559,9 +1602,9 @@ export const DEFAULT_SANITIZERS = [
|
|
|
1559
1602
|
{ method: 'extension', removes: ['path_traversal'] },
|
|
1560
1603
|
{ method: 'canonicalize', removes: ['path_traversal'] }, // Resolves symlinks, validates path exists
|
|
1561
1604
|
// Rust Command Injection - allowlist validation
|
|
1562
|
-
{ method: 'contains', removes: ['command_injection', 'ssrf'] }, // Used for allowlist checks
|
|
1563
|
-
{ method: 'starts_with', removes: ['path_traversal', 'ssrf'] }, // Path/URL prefix validation
|
|
1564
|
-
{ method: 'ends_with', removes: ['path_traversal'] },
|
|
1605
|
+
{ method: 'contains', removes: ['command_injection', 'ssrf', 'open_redirect'] }, // Used for allowlist checks
|
|
1606
|
+
{ method: 'starts_with', removes: ['path_traversal', 'ssrf', 'open_redirect'] }, // Path/URL prefix validation
|
|
1607
|
+
{ method: 'ends_with', removes: ['path_traversal', 'open_redirect'] },
|
|
1565
1608
|
// Rust XSS - HTML escaping
|
|
1566
1609
|
{ method: 'escape', class: 'html_escape', removes: ['xss'] },
|
|
1567
1610
|
{ method: 'encode_text', class: 'html_escape', removes: ['xss'] },
|
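Review bot: The sanitizer entries added in the last two hunks claim to neutralize vulnerability classes they do not actually address, which makes the analyzer fail open (a real finding is suppressed rather than a false one reported). The URL-encoding aliases at new lines 1488–1491 (`encodeURL`, `urlEncode`, `escapeUrl`, `escapeURL`) list `'ssrf'` in `removes`, but percent-encoding leaves a bare hostname or IP literal unchanged, so a tainted value that ends up as the request's target host is unchanged by the "sanitizer"; suggest `{ method: 'urlEncode', removes: ['xss'] },` for each of the four (the pre-existing `encodeForURL` entry at 1486 has the same weakness and could be reviewed together with them). Likewise adding `'open_redirect'` to `contains`/`starts_with`/`ends_with` at 1605–1607 treats a substring or prefix test as a full redirect-target validation, whereas only a comparison of the parsed host against an allowlist actually constrains the destination; at minimum `contains` should not remove `'open_redirect'`, and the comment `// Used for allowlist checks` should say that only an exact-host allowlist is a true sanitizer. Note also that the only redirect sink visible in this diff, `sendRedirect` at 993, is typed `'ssrf'` (CWE-601), so unless a sink typed `'open_redirect'` exists elsewhere in the file the new `removes` value matches nothing.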