circle-ir 3.18.7 → 3.19.0

package/dist/analysis/config-loader.d.ts

@@ -3,7 +3,7 @@
  *
  * Loads YAML configs from configs/sources/ and configs/sinks/
  */
-import type { SourceConfig, SinkConfig, TaintConfig, SourcePattern, SinkPattern, SanitizerPattern } from '../types/config.js';
+import type { SourceConfig, SinkConfig, TaintConfig, SourcePattern, SinkPattern, SanitizerPattern, HeaderRule } from '../types/config.js';
 /**
  * Parse YAML/JSON configuration content.
  * Uses JSON since the config files are actually JSON despite .yaml extension.
@@ -35,3 +35,13 @@ export declare const DEFAULT_SANITIZERS: SanitizerPattern[];
  * Get the default taint configuration.
  */
 export declare function getDefaultConfig(): TaintConfig;
+/**
+ * Default rule table for HTTP response security headers. Each rule is
+ * evaluated against setHeader/addHeader calls and (for kind='missing')
+ * against the absence of any such call on handler files.
+ *
+ * Covers clickjacking (CWE-1021) and CORS misconfiguration (CWE-346 /
+ * CWE-942). Adding a new rule here is enough to surface a finding — no
+ * pass code changes required.
+ */
+export declare const DEFAULT_HEADER_RULES: HeaderRule[];

package/dist/analysis/config-loader.js

@@ -919,6 +919,37 @@ export const DEFAULT_SINKS = [
     { method: 'processRequest', class: 'Broker', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
     // DolphinScheduler
     { method: 'execute', class: 'TaskExecuteThread', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
+    // Apache Commons JEXL (JEXL expression injection)
+    { method: 'createExpression', class: 'JexlEngine', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
+    { method: 'createScript', class: 'JexlEngine', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
+    { method: 'evaluate', class: 'JexlExpression', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    { method: 'execute', class: 'JexlScript', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    // Janino expression evaluator (Calcite/Flink/Drill)
+    { method: 'createFastEvaluator', class: 'ExpressionEvaluator', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
+    { method: 'cook', class: 'ExpressionEvaluator', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
+    { method: 'cook', class: 'ScriptEvaluator', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
+    { method: 'cook', class: 'ClassBodyEvaluator', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
+    { method: 'cook', class: 'SimpleCompiler', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
+    // Apache Camel Simple language (CVE-2018-8041 and similar)
+    { method: 'createExpression', class: 'SimpleLanguage', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
+    { method: 'createPredicate', class: 'SimpleLanguage', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
+    // Thymeleaf StandardExpression (CVE-2023-38286 and similar)
+    { method: 'parseExpression', class: 'StandardExpressionParser', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [1] },
+    { method: 'getValue', class: 'StandardExpression', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    // FreeMarker direct template construction (CVE-2022-26336 and similar)
+    { method: 'Template', class: 'Template', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [1] }, // new Template(name, tainted)
+    { method: 'getTemplate', class: 'Configuration', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
+    // Jinjava (Java Jinja template engine)
+    { method: 'render', class: 'Jinjava', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
+    { method: 'renderForResult', class: 'Jinjava', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
+    // Spring Cloud Function RoutingFunction (CVE-2022-22963)
+    { method: 'getRequestedBeanName', class: 'RoutingFunction', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    // Kotlin reflection (RCE via reflective construction)
+    { method: 'createInstance', class: 'KClass', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [] },
+    { method: 'callBy', class: 'KFunction', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },
+    // Struts 2 deep injection (CVE-2017-5638 and descendants)
+    { method: 'translateVariables', class: 'TextParseUtil', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
+    { method: 'evaluate', class: 'StrutsResultSupport', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
     // Deserialization (CWE-502)
     { method: 'readObject', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [] },
     { method: 'readUnshared', class: 'ObjectInputStream', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [] },
@@ -1440,12 +1471,24 @@ export const DEFAULT_SANITIZERS = [
     { method: 'encodeForHTML', removes: ['xss'] },
     { method: 'escapeXml', removes: ['xss'] },
     { method: 'htmlEscape', removes: ['xss'] },
+    { method: 'escapeHtml4', removes: ['xss'] }, // Apache Commons StringEscapeUtils
+    { method: 'escapeHtml3', removes: ['xss'] }, // Apache Commons StringEscapeUtils
+    { method: 'htmlSpecialChars', removes: ['xss'] }, // PHP-style / common wrapper
+    { method: 'forHtml', class: 'Encode', removes: ['xss'] }, // OWASP Java Encoder
+    { method: 'forHtmlContent', class: 'Encode', removes: ['xss'] },
+    { method: 'forHtmlAttribute', class: 'Encode', removes: ['xss'] },
+    { method: 'forJavaScript', class: 'Encode', removes: ['xss'] },
     { method: 'encode_text', removes: ['xss'] }, // Rust html_escape crate
     { method: 'encode_safe', removes: ['xss'] }, // Rust html_escape crate
     { method: 'render', class: 'Template', removes: ['xss'] }, // Rust askama auto-escapes
     { method: 'encodeForJavaScript', removes: ['xss'] },
     { method: 'encodeForCSS', removes: ['xss'] },
     { method: 'encodeForURL', removes: ['xss', 'ssrf'] },
+    // URL encoding wrapper aliases (common patterns in benchmarks and real-world code)
+    { method: 'encodeURL', removes: ['xss', 'ssrf'] },
+    { method: 'urlEncode', removes: ['xss', 'ssrf'] },
+    { method: 'escapeUrl', removes: ['xss', 'ssrf'] },
+    { method: 'escapeURL', removes: ['xss', 'ssrf'] },
     // Path Traversal
     { method: 'normalize', class: 'Path', removes: ['path_traversal'] },
     { method: 'getCanonicalPath', class: 'File', removes: ['path_traversal'] },
@@ -1580,4 +1623,103 @@ export function getDefaultConfig() {
         sanitizers: DEFAULT_SANITIZERS,
     };
 }
+// ============================================================================
+// Security Headers Rules (consumed by SecurityHeadersPass)
+// ============================================================================
+/**
+ * Default rule table for HTTP response security headers. Each rule is
+ * evaluated against setHeader/addHeader calls and (for kind='missing')
+ * against the absence of any such call on handler files.
+ *
+ * Covers clickjacking (CWE-1021) and CORS misconfiguration (CWE-346 /
+ * CWE-942). Adding a new rule here is enough to surface a finding — no
+ * pass code changes required.
+ */
+export const DEFAULT_HEADER_RULES = [
+    // -------------------------------------------------------------------------
+    // Clickjacking (CWE-1021)
+    // -------------------------------------------------------------------------
+    {
+        rule_id: 'missing-x-frame-options',
+        cwe: 'CWE-1021',
+        level: 'warning',
+        severity: 'medium',
+        header: 'X-Frame-Options',
+        kind: 'missing',
+        requiresHandler: true,
+        message: 'HTTP handler does not set X-Frame-Options — vulnerable to clickjacking',
+        fix: "Set response.setHeader('X-Frame-Options', 'DENY') or use a CSP frame-ancestors directive",
+        note: 'Defense against UI redress / clickjacking attacks',
+    },
+    {
+        rule_id: 'x-frame-options-allow-from',
+        cwe: 'CWE-1021',
+        level: 'warning',
+        severity: 'medium',
+        header: 'X-Frame-Options',
+        kind: 'weak-value',
+        valuePattern: /^allow-from\b/i,
+        message: 'X-Frame-Options: ALLOW-FROM is deprecated and unsupported by modern browsers',
+        fix: "Use CSP frame-ancestors directive instead: Content-Security-Policy: frame-ancestors 'self'",
+    },
+    {
+        rule_id: 'missing-csp-frame-ancestors',
+        cwe: 'CWE-1021',
+        level: 'note',
+        severity: 'low',
+        header: 'Content-Security-Policy',
+        kind: 'missing',
+        requiresHandler: true,
+        message: 'HTTP handler does not set Content-Security-Policy — frame-ancestors unset',
+        fix: "Set Content-Security-Policy: frame-ancestors 'self' for defense-in-depth clickjacking protection",
+        note: 'Informational; paired with missing-x-frame-options',
+    },
+    // -------------------------------------------------------------------------
+    // CORS Misconfiguration (CWE-346, CWE-942)
+    // -------------------------------------------------------------------------
+    {
+        rule_id: 'cors-wildcard-origin',
+        cwe: 'CWE-942',
+        level: 'error',
+        severity: 'high',
+        header: 'Access-Control-Allow-Origin',
+        kind: 'weak-value',
+        valuePattern: /^\*$/,
+        message: "Access-Control-Allow-Origin: '*' permits cross-origin requests from any site",
+        fix: 'Restrict to a specific trusted origin or use an allowlist',
+    },
+    {
+        rule_id: 'cors-null-origin',
+        cwe: 'CWE-346',
+        level: 'error',
+        severity: 'high',
+        header: 'Access-Control-Allow-Origin',
+        kind: 'weak-value',
+        valuePattern: /^null$/i,
+        message: "Access-Control-Allow-Origin: 'null' is exploitable via sandboxed iframes and data: URIs",
+        fix: 'Restrict to a specific trusted origin',
+    },
+    {
+        rule_id: 'cors-http-origin',
+        cwe: 'CWE-346',
+        level: 'warning',
+        severity: 'medium',
+        header: 'Access-Control-Allow-Origin',
+        kind: 'weak-value',
+        valuePattern: /^http:\/\//i,
+        message: 'Access-Control-Allow-Origin uses insecure http:// scheme',
+        fix: 'Use https:// for the allowed origin',
+    },
+    {
+        rule_id: 'cors-reflected-origin',
+        cwe: 'CWE-346',
+        level: 'error',
+        severity: 'high',
+        header: 'Access-Control-Allow-Origin',
+        kind: 'unsafe-value',
+        message: 'Access-Control-Allow-Origin set to a dynamic value — possible origin reflection',
+        fix: 'Validate the Origin request header against an allowlist before echoing it back',
+        note: 'Fires when the value is not a string literal (likely reflected from request)',
+    },
+];
 //# sourceMappingURL=config-loader.js.map