circle-ir 3.18.6 → 3.18.8

package/dist/browser/circle-ir.js

@@ -9107,6 +9107,7 @@ var DEFAULT_SOURCES = [
   { method: "lines", class: "BufReader", type: "file_input", severity: "medium", return_tainted: true },
   { method: "read_to_string", class: "stdin", type: "io_input", severity: "medium", return_tainted: true },
   { method: "read_line", class: "stdin", type: "io_input", severity: "medium", return_tainted: true },
+  { method: "lines", class: "stdin", type: "io_input", severity: "medium", return_tainted: true },
   { method: "recv", class: "TcpStream", type: "network_input", severity: "high", return_tainted: true },
   { method: "read", class: "TcpStream", type: "network_input", severity: "high", return_tainted: true },
   { method: "read_to_end", class: "TcpStream", type: "network_input", severity: "high", return_tainted: true },
@@ -9618,6 +9619,38 @@ var DEFAULT_SINKS = [
   { method: "processRequest", class: "Broker", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   // DolphinScheduler
   { method: "execute", class: "TaskExecuteThread", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  // Apache Commons JEXL (JEXL expression injection)
+  { method: "createExpression", class: "JexlEngine", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "createScript", class: "JexlEngine", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "evaluate", class: "JexlExpression", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  { method: "execute", class: "JexlScript", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  // Janino expression evaluator (Calcite/Flink/Drill)
+  { method: "createFastEvaluator", class: "ExpressionEvaluator", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "cook", class: "ExpressionEvaluator", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "cook", class: "ScriptEvaluator", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "cook", class: "ClassBodyEvaluator", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "cook", class: "SimpleCompiler", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  // Apache Camel Simple language (CVE-2018-8041 and similar)
+  { method: "createExpression", class: "SimpleLanguage", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "createPredicate", class: "SimpleLanguage", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  // Thymeleaf StandardExpression (CVE-2023-38286 and similar)
+  { method: "parseExpression", class: "StandardExpressionParser", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
+  { method: "getValue", class: "StandardExpression", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  // FreeMarker direct template construction (CVE-2022-26336 and similar)
+  { method: "Template", class: "Template", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
+  // new Template(name, tainted)
+  { method: "getTemplate", class: "Configuration", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  // Jinjava (Java Jinja template engine)
+  { method: "render", class: "Jinjava", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  { method: "renderForResult", class: "Jinjava", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  // Spring Cloud Function RoutingFunction (CVE-2022-22963)
+  { method: "getRequestedBeanName", class: "RoutingFunction", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  // Kotlin reflection (RCE via reflective construction)
+  { method: "createInstance", class: "KClass", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [] },
+  { method: "callBy", class: "KFunction", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  // Struts 2 deep injection (CVE-2017-5638 and descendants)
+  { method: "translateVariables", class: "TextParseUtil", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "evaluate", class: "StrutsResultSupport", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   // Deserialization (CWE-502)
   { method: "readObject", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [] },
   { method: "readUnshared", class: "ObjectInputStream", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [] },
@@ -9627,9 +9660,8 @@ var DEFAULT_SINKS = [
   { method: "load", class: "Yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
   { method: "loadAll", class: "Yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
   { method: "loadAs", class: "Yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
-  // JSON deserialization
+  // JSON deserialization (Java FastJSON / Jackson — NOT JavaScript's safe JSON.parse)
   { method: "parseObject", class: "JSON", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
-  { method: "parse", class: "JSON", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
   { method: "parseObject", class: "JSONObject", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
   { method: "fromJson", class: "Gson", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0] },
   // XMLDecoder
@@ -9662,8 +9694,8 @@ var DEFAULT_SINKS = [
   { method: "sendRedirect", type: "ssrf", cwe: "CWE-601", severity: "high", arg_positions: [0] },
   { method: "openConnection", class: "URL", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
   { method: "openStream", class: "URL", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
-  { method: "URL", class: "constructor", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
-  { method: "URI", class: "constructor", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
+  // NOTE: URL/URI constructors removed — constructing a URL object doesn't make a network
+  // request in any language. The real SSRF sinks are openConnection/openStream/execute/etc.
   { method: "execute", class: "HttpClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "send", class: "HttpClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "getForObject", class: "RestTemplate", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
@@ -10140,6 +10172,17 @@ var DEFAULT_SANITIZERS = [
   { method: "encodeForHTML", removes: ["xss"] },
   { method: "escapeXml", removes: ["xss"] },
   { method: "htmlEscape", removes: ["xss"] },
+  { method: "escapeHtml4", removes: ["xss"] },
+  // Apache Commons StringEscapeUtils
+  { method: "escapeHtml3", removes: ["xss"] },
+  // Apache Commons StringEscapeUtils
+  { method: "htmlSpecialChars", removes: ["xss"] },
+  // PHP-style / common wrapper
+  { method: "forHtml", class: "Encode", removes: ["xss"] },
+  // OWASP Java Encoder
+  { method: "forHtmlContent", class: "Encode", removes: ["xss"] },
+  { method: "forHtmlAttribute", class: "Encode", removes: ["xss"] },
+  { method: "forJavaScript", class: "Encode", removes: ["xss"] },
   { method: "encode_text", removes: ["xss"] },
   // Rust html_escape crate
   { method: "encode_safe", removes: ["xss"] },
@@ -10149,6 +10192,11 @@ var DEFAULT_SANITIZERS = [
   { method: "encodeForJavaScript", removes: ["xss"] },
   { method: "encodeForCSS", removes: ["xss"] },
   { method: "encodeForURL", removes: ["xss", "ssrf"] },
+  // URL encoding wrapper aliases (common patterns in benchmarks and real-world code)
+  { method: "encodeURL", removes: ["xss", "ssrf"] },
+  { method: "urlEncode", removes: ["xss", "ssrf"] },
+  { method: "escapeUrl", removes: ["xss", "ssrf"] },
+  { method: "escapeURL", removes: ["xss", "ssrf"] },
   // Path Traversal
   { method: "normalize", class: "Path", removes: ["path_traversal"] },
   { method: "getCanonicalPath", class: "File", removes: ["path_traversal"] },
@@ -10266,11 +10314,11 @@ var DEFAULT_SANITIZERS = [
   { method: "canonicalize", removes: ["path_traversal"] },
   // Resolves symlinks, validates path exists
   // Rust Command Injection - allowlist validation
-  { method: "contains", removes: ["command_injection", "ssrf"] },
+  { method: "contains", removes: ["command_injection", "ssrf", "open_redirect"] },
   // Used for allowlist checks
-  { method: "starts_with", removes: ["path_traversal", "ssrf"] },
+  { method: "starts_with", removes: ["path_traversal", "ssrf", "open_redirect"] },
   // Path/URL prefix validation
-  { method: "ends_with", removes: ["path_traversal"] },
+  { method: "ends_with", removes: ["path_traversal", "open_redirect"] },
   // Rust XSS - HTML escaping
   { method: "escape", class: "html_escape", removes: ["xss"] },
   { method: "encode_text", class: "html_escape", removes: ["xss"] },
@@ -10345,6 +10393,26 @@ function findSources(calls, types, patterns) {
       }
     }
   }
+  const RUST_EXTRACTOR_TYPES = /^(?:Json|Form|Query|Path|Extension|Multipart)(?:<|$)|^(?:Body|Bytes)$/;
+  for (const type of types) {
+    for (const method of type.methods) {
+      for (const param of method.parameters) {
+        if (param.type && RUST_EXTRACTOR_TYPES.test(param.type)) {
+          const paramLine = param.line ?? method.start_line;
+          const alreadyExists = sources.some((s) => s.line === paramLine && s.type === "http_body");
+          if (!alreadyExists) {
+            sources.push({
+              type: "http_body",
+              location: `${param.type} ${param.name} in ${method.name}`,
+              severity: "high",
+              line: paramLine,
+              confidence: 1
+            });
+          }
+        }
+      }
+    }
+  }
   for (const type of types) {
     for (const method of type.methods) {
       if (method.modifiers.includes("private")) continue;
@@ -10722,7 +10790,8 @@ function receiverMightBeClass(receiver, className) {
         "prepareStatement": ["PreparedStatement"],
         "getRuntime": ["Runtime"],
         "builder": ["Response", "ResponseBuilder", "HttpResponseBuilder"],
-        "stdin": ["stdin", "Stdin", "BufReader"]
+        "stdin": ["stdin", "Stdin", "BufReader"],
+        "lock": ["stdin", "Stdin", "StdinLock", "BufReader"]
       };
       const expectedTypes = returnTypeMappings[methodName];
       if (Array.isArray(expectedTypes) && expectedTypes.includes(className)) {
@@ -16463,15 +16532,8 @@ var JavaScriptPlugin = class extends BaseLanguagePlugin {
       // =========================================================
       // Data Exposure Sinks (React Native)
       // =========================================================
-      {
-        // Logging sensitive data
-        method: "log",
-        class: "console",
-        type: "information_exposure",
-        cwe: "CWE-532",
-        severity: "low",
-        argPositions: [0]
-      },
+      // NOTE: console.log removed as a sink — too noisy for general-purpose analysis.
+      // console.log is ubiquitous and rarely a true vulnerability outside mobile contexts.
       {
         // Storing sensitive data insecurely
         method: "setItem",
@@ -18394,7 +18456,14 @@ var JS_TAINTED_PATTERNS = [
   { pattern: /\bwindow\.name\b/, type: "dom_input" },
   { pattern: /\bdocument\.URL\b/, type: "http_path" },
   { pattern: /\bdocument\.documentURI\b/, type: "http_path" },
-  { pattern: /\blocation\.pathname\b/, type: "http_path" }
+  { pattern: /\blocation\.pathname\b/, type: "http_path" },
+  // DOM propagation globals - deprecated/obscure but still exploitable as taint conduits.
+  // Writing attacker-controlled data here and reading it back preserves taint (DOMPropagation pattern).
+  { pattern: /\bwindow\.status\b/, type: "dom_input" },
+  { pattern: /\bdocument\.title\b/, type: "dom_input" },
+  { pattern: /\bhistory\.state\b/, type: "dom_input" },
+  { pattern: /\blocalStorage\.getItem\b/, type: "dom_input" },
+  { pattern: /\bsessionStorage\.getItem\b/, type: "dom_input" }
 ];
 var PYTHON_TAINTED_PATTERNS2 = [
   { pattern: /\brequest\.args\b/, type: "http_param" },
@@ -18823,7 +18892,8 @@ var SinkFilterPass = class {
       constProp.symbols,
       dfg,
       constProp.sanitizedVars,
-      constProp.synchronizedLines
+      constProp.synchronizedLines,
+      language
     );
     filtered = filterSanitizedSinks(filtered, sanitizers, calls);
     if (language === "python") {
@@ -18881,6 +18951,16 @@ var SinkFilterPass = class {
           if (/^`[^`]*`$/.test(rhs) && !rhs.includes("${")) return false;
           if (rhs === '""' || rhs === "''" || rhs === "``") return false;
         }
+        if (/\.href\s*=|location\s*=/.test(sinkLineText)) {
+          const guardPatterns = /\b(?:includes|startsWith|endsWith|indexOf|test|match)\s*\(/;
+          const startLine = Math.max(0, sink.line - 6);
+          for (let i2 = startLine; i2 < sink.line - 1; i2++) {
+            const line = sourceLines[i2] ?? "";
+            if (/\bif\s*\(/.test(line) && guardPatterns.test(line)) {
+              return false;
+            }
+          }
+        }
         if (jsTaintedVars.size > 0) {
           if ([...jsTaintedVars.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(sinkLineText))) return true;
           if (JS_TAINTED_PATTERNS.some((p) => p.pattern.test(sinkLineText))) return true;
@@ -19013,7 +19093,7 @@ function filterCleanArraySinks(sinks, calls, taintedArrayElements, symbols) {
     return true;
   });
 }
-function filterCleanVariableSinks(sinks, calls, taintedVars, symbols, dfg, sanitizedVars, synchronizedLines) {
+function filterCleanVariableSinks(sinks, calls, taintedVars, symbols, dfg, sanitizedVars, synchronizedLines, language) {
   const fieldNames = /* @__PURE__ */ new Set();
   if (dfg) {
     for (const def of dfg.defs) {
@@ -19034,7 +19114,7 @@ function filterCleanVariableSinks(sinks, calls, taintedVars, symbols, dfg, sanit
       let allArgsAreClean = true;
       const methodName = call.in_method;
       for (const arg of call.arguments) {
-        if (arg.expression === call.method_name && !arg.variable && arg.literal == null) continue;
+        if (language === "bash" && arg.expression === call.method_name && !arg.variable && arg.literal == null) continue;
         if (arg.variable && !arg.expression?.includes("[")) {
           const varName = arg.variable;
           const scopedName = methodName ? `${methodName}:${varName}` : varName;

package/dist/core/circle-ir-core.cjs

@@ -9220,6 +9220,7 @@ var DEFAULT_SOURCES = [
   { method: "lines", class: "BufReader", type: "file_input", severity: "medium", return_tainted: true },
   { method: "read_to_string", class: "stdin", type: "io_input", severity: "medium", return_tainted: true },
   { method: "read_line", class: "stdin", type: "io_input", severity: "medium", return_tainted: true },
+  { method: "lines", class: "stdin", type: "io_input", severity: "medium", return_tainted: true },
   { method: "recv", class: "TcpStream", type: "network_input", severity: "high", return_tainted: true },
   { method: "read", class: "TcpStream", type: "network_input", severity: "high", return_tainted: true },
   { method: "read_to_end", class: "TcpStream", type: "network_input", severity: "high", return_tainted: true },
@@ -9731,6 +9732,38 @@ var DEFAULT_SINKS = [
   { method: "processRequest", class: "Broker", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   // DolphinScheduler
   { method: "execute", class: "TaskExecuteThread", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  // Apache Commons JEXL (JEXL expression injection)
+  { method: "createExpression", class: "JexlEngine", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "createScript", class: "JexlEngine", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "evaluate", class: "JexlExpression", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  { method: "execute", class: "JexlScript", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  // Janino expression evaluator (Calcite/Flink/Drill)
+  { method: "createFastEvaluator", class: "ExpressionEvaluator", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "cook", class: "ExpressionEvaluator", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "cook", class: "ScriptEvaluator", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "cook", class: "ClassBodyEvaluator", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "cook", class: "SimpleCompiler", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  // Apache Camel Simple language (CVE-2018-8041 and similar)
+  { method: "createExpression", class: "SimpleLanguage", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "createPredicate", class: "SimpleLanguage", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  // Thymeleaf StandardExpression (CVE-2023-38286 and similar)
+  { method: "parseExpression", class: "StandardExpressionParser", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
+  { method: "getValue", class: "StandardExpression", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  // FreeMarker direct template construction (CVE-2022-26336 and similar)
+  { method: "Template", class: "Template", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
+  // new Template(name, tainted)
+  { method: "getTemplate", class: "Configuration", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  // Jinjava (Java Jinja template engine)
+  { method: "render", class: "Jinjava", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  { method: "renderForResult", class: "Jinjava", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  // Spring Cloud Function RoutingFunction (CVE-2022-22963)
+  { method: "getRequestedBeanName", class: "RoutingFunction", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  // Kotlin reflection (RCE via reflective construction)
+  { method: "createInstance", class: "KClass", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [] },
+  { method: "callBy", class: "KFunction", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  // Struts 2 deep injection (CVE-2017-5638 and descendants)
+  { method: "translateVariables", class: "TextParseUtil", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "evaluate", class: "StrutsResultSupport", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   // Deserialization (CWE-502)
   { method: "readObject", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [] },
   { method: "readUnshared", class: "ObjectInputStream", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [] },
@@ -9740,9 +9773,8 @@ var DEFAULT_SINKS = [
   { method: "load", class: "Yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
   { method: "loadAll", class: "Yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
   { method: "loadAs", class: "Yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
-  // JSON deserialization
+  // JSON deserialization (Java FastJSON / Jackson — NOT JavaScript's safe JSON.parse)
   { method: "parseObject", class: "JSON", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
-  { method: "parse", class: "JSON", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
   { method: "parseObject", class: "JSONObject", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
   { method: "fromJson", class: "Gson", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0] },
   // XMLDecoder
@@ -9775,8 +9807,8 @@ var DEFAULT_SINKS = [
   { method: "sendRedirect", type: "ssrf", cwe: "CWE-601", severity: "high", arg_positions: [0] },
   { method: "openConnection", class: "URL", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
   { method: "openStream", class: "URL", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
-  { method: "URL", class: "constructor", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
-  { method: "URI", class: "constructor", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
+  // NOTE: URL/URI constructors removed — constructing a URL object doesn't make a network
+  // request in any language. The real SSRF sinks are openConnection/openStream/execute/etc.
   { method: "execute", class: "HttpClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "send", class: "HttpClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "getForObject", class: "RestTemplate", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
@@ -10253,6 +10285,17 @@ var DEFAULT_SANITIZERS = [
   { method: "encodeForHTML", removes: ["xss"] },
   { method: "escapeXml", removes: ["xss"] },
   { method: "htmlEscape", removes: ["xss"] },
+  { method: "escapeHtml4", removes: ["xss"] },
+  // Apache Commons StringEscapeUtils
+  { method: "escapeHtml3", removes: ["xss"] },
+  // Apache Commons StringEscapeUtils
+  { method: "htmlSpecialChars", removes: ["xss"] },
+  // PHP-style / common wrapper
+  { method: "forHtml", class: "Encode", removes: ["xss"] },
+  // OWASP Java Encoder
+  { method: "forHtmlContent", class: "Encode", removes: ["xss"] },
+  { method: "forHtmlAttribute", class: "Encode", removes: ["xss"] },
+  { method: "forJavaScript", class: "Encode", removes: ["xss"] },
   { method: "encode_text", removes: ["xss"] },
   // Rust html_escape crate
   { method: "encode_safe", removes: ["xss"] },
@@ -10262,6 +10305,11 @@ var DEFAULT_SANITIZERS = [
   { method: "encodeForJavaScript", removes: ["xss"] },
   { method: "encodeForCSS", removes: ["xss"] },
   { method: "encodeForURL", removes: ["xss", "ssrf"] },
+  // URL encoding wrapper aliases (common patterns in benchmarks and real-world code)
+  { method: "encodeURL", removes: ["xss", "ssrf"] },
+  { method: "urlEncode", removes: ["xss", "ssrf"] },
+  { method: "escapeUrl", removes: ["xss", "ssrf"] },
+  { method: "escapeURL", removes: ["xss", "ssrf"] },
   // Path Traversal
   { method: "normalize", class: "Path", removes: ["path_traversal"] },
   { method: "getCanonicalPath", class: "File", removes: ["path_traversal"] },
@@ -10379,11 +10427,11 @@ var DEFAULT_SANITIZERS = [
   { method: "canonicalize", removes: ["path_traversal"] },
   // Resolves symlinks, validates path exists
   // Rust Command Injection - allowlist validation
-  { method: "contains", removes: ["command_injection", "ssrf"] },
+  { method: "contains", removes: ["command_injection", "ssrf", "open_redirect"] },
   // Used for allowlist checks
-  { method: "starts_with", removes: ["path_traversal", "ssrf"] },
+  { method: "starts_with", removes: ["path_traversal", "ssrf", "open_redirect"] },
   // Path/URL prefix validation
-  { method: "ends_with", removes: ["path_traversal"] },
+  { method: "ends_with", removes: ["path_traversal", "open_redirect"] },
   // Rust XSS - HTML escaping
   { method: "escape", class: "html_escape", removes: ["xss"] },
   { method: "encode_text", class: "html_escape", removes: ["xss"] },
@@ -10458,6 +10506,26 @@ function findSources(calls, types, patterns) {
       }
     }
   }
+  const RUST_EXTRACTOR_TYPES = /^(?:Json|Form|Query|Path|Extension|Multipart)(?:<|$)|^(?:Body|Bytes)$/;
+  for (const type of types) {
+    for (const method of type.methods) {
+      for (const param of method.parameters) {
+        if (param.type && RUST_EXTRACTOR_TYPES.test(param.type)) {
+          const paramLine = param.line ?? method.start_line;
+          const alreadyExists = sources.some((s) => s.line === paramLine && s.type === "http_body");
+          if (!alreadyExists) {
+            sources.push({
+              type: "http_body",
+              location: `${param.type} ${param.name} in ${method.name}`,
+              severity: "high",
+              line: paramLine,
+              confidence: 1
+            });
+          }
+        }
+      }
+    }
+  }
   for (const type of types) {
     for (const method of type.methods) {
       if (method.modifiers.includes("private")) continue;
@@ -10835,7 +10903,8 @@ function receiverMightBeClass(receiver, className) {
         "prepareStatement": ["PreparedStatement"],
         "getRuntime": ["Runtime"],
         "builder": ["Response", "ResponseBuilder", "HttpResponseBuilder"],
-        "stdin": ["stdin", "Stdin", "BufReader"]
+        "stdin": ["stdin", "Stdin", "BufReader"],
+        "lock": ["stdin", "Stdin", "StdinLock", "BufReader"]
       };
       const expectedTypes = returnTypeMappings[methodName];
       if (Array.isArray(expectedTypes) && expectedTypes.includes(className)) {

package/dist/core/circle-ir-core.js

@@ -9155,6 +9155,7 @@ var DEFAULT_SOURCES = [
   { method: "lines", class: "BufReader", type: "file_input", severity: "medium", return_tainted: true },
   { method: "read_to_string", class: "stdin", type: "io_input", severity: "medium", return_tainted: true },
   { method: "read_line", class: "stdin", type: "io_input", severity: "medium", return_tainted: true },
+  { method: "lines", class: "stdin", type: "io_input", severity: "medium", return_tainted: true },
   { method: "recv", class: "TcpStream", type: "network_input", severity: "high", return_tainted: true },
   { method: "read", class: "TcpStream", type: "network_input", severity: "high", return_tainted: true },
   { method: "read_to_end", class: "TcpStream", type: "network_input", severity: "high", return_tainted: true },
@@ -9666,6 +9667,38 @@ var DEFAULT_SINKS = [
   { method: "processRequest", class: "Broker", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   // DolphinScheduler
   { method: "execute", class: "TaskExecuteThread", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  // Apache Commons JEXL (JEXL expression injection)
+  { method: "createExpression", class: "JexlEngine", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "createScript", class: "JexlEngine", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "evaluate", class: "JexlExpression", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  { method: "execute", class: "JexlScript", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  // Janino expression evaluator (Calcite/Flink/Drill)
+  { method: "createFastEvaluator", class: "ExpressionEvaluator", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "cook", class: "ExpressionEvaluator", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "cook", class: "ScriptEvaluator", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "cook", class: "ClassBodyEvaluator", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "cook", class: "SimpleCompiler", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  // Apache Camel Simple language (CVE-2018-8041 and similar)
+  { method: "createExpression", class: "SimpleLanguage", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "createPredicate", class: "SimpleLanguage", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  // Thymeleaf StandardExpression (CVE-2023-38286 and similar)
+  { method: "parseExpression", class: "StandardExpressionParser", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
+  { method: "getValue", class: "StandardExpression", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  // FreeMarker direct template construction (CVE-2022-26336 and similar)
+  { method: "Template", class: "Template", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
+  // new Template(name, tainted)
+  { method: "getTemplate", class: "Configuration", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  // Jinjava (Java Jinja template engine)
+  { method: "render", class: "Jinjava", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  { method: "renderForResult", class: "Jinjava", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  // Spring Cloud Function RoutingFunction (CVE-2022-22963)
+  { method: "getRequestedBeanName", class: "RoutingFunction", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  // Kotlin reflection (RCE via reflective construction)
+  { method: "createInstance", class: "KClass", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [] },
+  { method: "callBy", class: "KFunction", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  // Struts 2 deep injection (CVE-2017-5638 and descendants)
+  { method: "translateVariables", class: "TextParseUtil", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "evaluate", class: "StrutsResultSupport", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   // Deserialization (CWE-502)
   { method: "readObject", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [] },
   { method: "readUnshared", class: "ObjectInputStream", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [] },
@@ -9675,9 +9708,8 @@ var DEFAULT_SINKS = [
   { method: "load", class: "Yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
   { method: "loadAll", class: "Yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
   { method: "loadAs", class: "Yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
-  // JSON deserialization
+  // JSON deserialization (Java FastJSON / Jackson — NOT JavaScript's safe JSON.parse)
   { method: "parseObject", class: "JSON", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
-  { method: "parse", class: "JSON", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
   { method: "parseObject", class: "JSONObject", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
   { method: "fromJson", class: "Gson", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0] },
   // XMLDecoder
@@ -9710,8 +9742,8 @@ var DEFAULT_SINKS = [
   { method: "sendRedirect", type: "ssrf", cwe: "CWE-601", severity: "high", arg_positions: [0] },
   { method: "openConnection", class: "URL", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
   { method: "openStream", class: "URL", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
-  { method: "URL", class: "constructor", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
-  { method: "URI", class: "constructor", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
+  // NOTE: URL/URI constructors removed — constructing a URL object doesn't make a network
+  // request in any language. The real SSRF sinks are openConnection/openStream/execute/etc.
   { method: "execute", class: "HttpClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "send", class: "HttpClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "getForObject", class: "RestTemplate", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
@@ -10188,6 +10220,17 @@ var DEFAULT_SANITIZERS = [
   { method: "encodeForHTML", removes: ["xss"] },
   { method: "escapeXml", removes: ["xss"] },
   { method: "htmlEscape", removes: ["xss"] },
+  { method: "escapeHtml4", removes: ["xss"] },
+  // Apache Commons StringEscapeUtils
+  { method: "escapeHtml3", removes: ["xss"] },
+  // Apache Commons StringEscapeUtils
+  { method: "htmlSpecialChars", removes: ["xss"] },
+  // PHP-style / common wrapper
+  { method: "forHtml", class: "Encode", removes: ["xss"] },
+  // OWASP Java Encoder
+  { method: "forHtmlContent", class: "Encode", removes: ["xss"] },
+  { method: "forHtmlAttribute", class: "Encode", removes: ["xss"] },
+  { method: "forJavaScript", class: "Encode", removes: ["xss"] },
   { method: "encode_text", removes: ["xss"] },
   // Rust html_escape crate
   { method: "encode_safe", removes: ["xss"] },
@@ -10197,6 +10240,11 @@ var DEFAULT_SANITIZERS = [
   { method: "encodeForJavaScript", removes: ["xss"] },
   { method: "encodeForCSS", removes: ["xss"] },
   { method: "encodeForURL", removes: ["xss", "ssrf"] },
+  // URL encoding wrapper aliases (common patterns in benchmarks and real-world code)
+  { method: "encodeURL", removes: ["xss", "ssrf"] },
+  { method: "urlEncode", removes: ["xss", "ssrf"] },
+  { method: "escapeUrl", removes: ["xss", "ssrf"] },
+  { method: "escapeURL", removes: ["xss", "ssrf"] },
   // Path Traversal
   { method: "normalize", class: "Path", removes: ["path_traversal"] },
   { method: "getCanonicalPath", class: "File", removes: ["path_traversal"] },
@@ -10314,11 +10362,11 @@ var DEFAULT_SANITIZERS = [
   { method: "canonicalize", removes: ["path_traversal"] },
   // Resolves symlinks, validates path exists
   // Rust Command Injection - allowlist validation
-  { method: "contains", removes: ["command_injection", "ssrf"] },
+  { method: "contains", removes: ["command_injection", "ssrf", "open_redirect"] },
   // Used for allowlist checks
-  { method: "starts_with", removes: ["path_traversal", "ssrf"] },
+  { method: "starts_with", removes: ["path_traversal", "ssrf", "open_redirect"] },
   // Path/URL prefix validation
-  { method: "ends_with", removes: ["path_traversal"] },
+  { method: "ends_with", removes: ["path_traversal", "open_redirect"] },
   // Rust XSS - HTML escaping
   { method: "escape", class: "html_escape", removes: ["xss"] },
   { method: "encode_text", class: "html_escape", removes: ["xss"] },
@@ -10393,6 +10441,26 @@ function findSources(calls, types, patterns) {
       }
     }
   }
+  const RUST_EXTRACTOR_TYPES = /^(?:Json|Form|Query|Path|Extension|Multipart)(?:<|$)|^(?:Body|Bytes)$/;
+  for (const type of types) {
+    for (const method of type.methods) {
+      for (const param of method.parameters) {
+        if (param.type && RUST_EXTRACTOR_TYPES.test(param.type)) {
+          const paramLine = param.line ?? method.start_line;
+          const alreadyExists = sources.some((s) => s.line === paramLine && s.type === "http_body");
+          if (!alreadyExists) {
+            sources.push({
+              type: "http_body",
+              location: `${param.type} ${param.name} in ${method.name}`,
+              severity: "high",
+              line: paramLine,
+              confidence: 1
+            });
+          }
+        }
+      }
+    }
+  }
   for (const type of types) {
     for (const method of type.methods) {
       if (method.modifiers.includes("private")) continue;
@@ -10770,7 +10838,8 @@ function receiverMightBeClass(receiver, className) {
         "prepareStatement": ["PreparedStatement"],
         "getRuntime": ["Runtime"],
         "builder": ["Response", "ResponseBuilder", "HttpResponseBuilder"],
-        "stdin": ["stdin", "Stdin", "BufReader"]
+        "stdin": ["stdin", "Stdin", "BufReader"],
+        "lock": ["stdin", "Stdin", "StdinLock", "BufReader"]
       };
       const expectedTypes = returnTypeMappings[methodName];
       if (Array.isArray(expectedTypes) && expectedTypes.includes(className)) {

package/dist/languages/plugins/javascript.js

@@ -819,15 +819,8 @@ export class JavaScriptPlugin extends BaseLanguagePlugin {
             // =========================================================
             // Data Exposure Sinks (React Native)
             // =========================================================
-            {
-                // Logging sensitive data
-                method: 'log',
-                class: 'console',
-                type: 'information_exposure',
-                cwe: 'CWE-532',
-                severity: 'low',
-                argPositions: [0],
-            },
+            // NOTE: console.log removed as a sink — too noisy for general-purpose analysis.
+            // console.log is ubiquitous and rarely a true vulnerability outside mobile contexts.
             {
                 // Storing sensitive data insecurely
                 method: 'setItem',