circle-ir 3.18.8 → 3.19.0

package/dist/browser/circle-ir.js

@@ -10335,6 +10335,93 @@ function getDefaultConfig() {
     sanitizers: DEFAULT_SANITIZERS
   };
 }
+var DEFAULT_HEADER_RULES = [
+  // -------------------------------------------------------------------------
+  // Clickjacking (CWE-1021)
+  // -------------------------------------------------------------------------
+  {
+    rule_id: "missing-x-frame-options",
+    cwe: "CWE-1021",
+    level: "warning",
+    severity: "medium",
+    header: "X-Frame-Options",
+    kind: "missing",
+    requiresHandler: true,
+    message: "HTTP handler does not set X-Frame-Options \u2014 vulnerable to clickjacking",
+    fix: "Set response.setHeader('X-Frame-Options', 'DENY') or use a CSP frame-ancestors directive",
+    note: "Defense against UI redress / clickjacking attacks"
+  },
+  {
+    rule_id: "x-frame-options-allow-from",
+    cwe: "CWE-1021",
+    level: "warning",
+    severity: "medium",
+    header: "X-Frame-Options",
+    kind: "weak-value",
+    valuePattern: /^allow-from\b/i,
+    message: "X-Frame-Options: ALLOW-FROM is deprecated and unsupported by modern browsers",
+    fix: "Use CSP frame-ancestors directive instead: Content-Security-Policy: frame-ancestors 'self'"
+  },
+  {
+    rule_id: "missing-csp-frame-ancestors",
+    cwe: "CWE-1021",
+    level: "note",
+    severity: "low",
+    header: "Content-Security-Policy",
+    kind: "missing",
+    requiresHandler: true,
+    message: "HTTP handler does not set Content-Security-Policy \u2014 frame-ancestors unset",
+    fix: "Set Content-Security-Policy: frame-ancestors 'self' for defense-in-depth clickjacking protection",
+    note: "Informational; paired with missing-x-frame-options"
+  },
+  // -------------------------------------------------------------------------
+  // CORS Misconfiguration (CWE-346, CWE-942)
+  // -------------------------------------------------------------------------
+  {
+    rule_id: "cors-wildcard-origin",
+    cwe: "CWE-942",
+    level: "error",
+    severity: "high",
+    header: "Access-Control-Allow-Origin",
+    kind: "weak-value",
+    valuePattern: /^\*$/,
+    message: "Access-Control-Allow-Origin: '*' permits cross-origin requests from any site",
+    fix: "Restrict to a specific trusted origin or use an allowlist"
+  },
+  {
+    rule_id: "cors-null-origin",
+    cwe: "CWE-346",
+    level: "error",
+    severity: "high",
+    header: "Access-Control-Allow-Origin",
+    kind: "weak-value",
+    valuePattern: /^null$/i,
+    message: "Access-Control-Allow-Origin: 'null' is exploitable via sandboxed iframes and data: URIs",
+    fix: "Restrict to a specific trusted origin"
+  },
+  {
+    rule_id: "cors-http-origin",
+    cwe: "CWE-346",
+    level: "warning",
+    severity: "medium",
+    header: "Access-Control-Allow-Origin",
+    kind: "weak-value",
+    valuePattern: /^http:\/\//i,
+    message: "Access-Control-Allow-Origin uses insecure http:// scheme",
+    fix: "Use https:// for the allowed origin"
+  },
+  {
+    rule_id: "cors-reflected-origin",
+    cwe: "CWE-346",
+    level: "error",
+    severity: "high",
+    header: "Access-Control-Allow-Origin",
+    kind: "unsafe-value",
+    message: "Access-Control-Allow-Origin set to a dynamic value \u2014 possible origin reflection",
+    fix: "Validate the Origin request header against an allowlist before echoing it back",
+    note: "Fires when the value is not a string literal (likely reflected from request)"
+  }
+];
 
 // src/analysis/taint-matcher.ts
 var PYTHON_TAINTED_PATTERNS = [
@@ -22804,6 +22891,154 @@ var NamingConventionPass = class {
   }
 };
 
+// src/analysis/passes/security-headers-pass.ts
+var HEADER_WRITE_METHODS = /* @__PURE__ */ new Set([
+  "setHeader",
+  "addHeader",
+  // Java + Node
+  "set",
+  "header",
+  // Express res.set / res.header
+  "insert_header",
+  // Actix Web HttpResponse
+  "insert"
+  // Rust HeaderMap.insert (best-effort)
+]);
+var HANDLER_ANNOTATION_RE = /\b(Controller|RestController|RequestMapping|GetMapping|PostMapping|PutMapping|DeleteMapping|PatchMapping|RequestBody|RequestParam|PathVariable|route|blueprint|api_view|get|post|put|delete|patch|head|options)\b/i;
+var JS_ROUTER_RECEIVERS = /* @__PURE__ */ new Set(["app", "router", "server", "route"]);
+var JS_ROUTE_METHODS = /* @__PURE__ */ new Set([
+  "get",
+  "post",
+  "put",
+  "delete",
+  "patch",
+  "all",
+  "use",
+  "head",
+  "options"
+]);
+var SecurityHeadersPass = class {
+  name = "security-headers";
+  category = "security";
+  rules;
+  constructor(options = {}) {
+    this.rules = options.rules ?? DEFAULT_HEADER_RULES;
+  }
+  run(ctx) {
+    const { graph } = ctx;
+    const file = graph.ir.meta.file;
+    const calls = graph.ir.calls;
+    const writtenHeaders = /* @__PURE__ */ new Map();
+    for (const call of calls) {
+      if (!HEADER_WRITE_METHODS.has(call.method_name)) continue;
+      if (call.arguments.length < 1) continue;
+      const nameLiteral = literalOf(call.arguments[0]);
+      if (nameLiteral === null) continue;
+      const key = nameLiteral.toLowerCase();
+      let list = writtenHeaders.get(key);
+      if (!list) {
+        list = [];
+        writtenHeaders.set(key, list);
+      }
+      list.push(call);
+    }
+    const hasHandler = detectHandler(graph, calls);
+    for (const rule of this.rules) {
+      const headerKey = rule.header.toLowerCase();
+      const writes = writtenHeaders.get(headerKey) ?? [];
+      if (rule.kind === "missing") {
+        if (writes.length > 0) continue;
+        if (rule.requiresHandler !== false && !hasHandler) continue;
+        ctx.addFinding({
+          id: `${rule.rule_id}-${file}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: rule.rule_id,
+          cwe: rule.cwe,
+          severity: rule.severity,
+          level: rule.level,
+          message: rule.message,
+          file,
+          line: 1,
+          fix: rule.fix
+        });
+        continue;
+      }
+      for (const call of writes) {
+        const valueArg = call.arguments[1];
+        if (!valueArg) continue;
+        const valueLiteral = literalOf(valueArg);
+        if (rule.kind === "weak-value") {
+          if (valueLiteral === null) continue;
+          if (!rule.valuePattern) continue;
+          if (!rule.valuePattern.test(valueLiteral)) continue;
+        } else {
+          if (valueLiteral !== null) continue;
+        }
+        ctx.addFinding({
+          id: `${rule.rule_id}-${file}-${call.location.line}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: rule.rule_id,
+          cwe: rule.cwe,
+          severity: rule.severity,
+          level: rule.level,
+          message: rule.message,
+          file,
+          line: call.location.line,
+          fix: rule.fix,
+          snippet: valueLiteral !== null ? `${rule.header}: ${valueLiteral}` : `${rule.header}: ${valueArg.expression}`,
+          evidence: {
+            header: rule.header,
+            value: valueLiteral,
+            expression: valueArg.expression,
+            kind: rule.kind
+          }
+        });
+      }
+    }
+    return { hasHandler, writtenHeaders };
+  }
+};
+function literalOf(arg) {
+  if (arg.literal !== null && arg.literal !== void 0 && arg.literal !== "") {
+    return stripQuotes2(arg.literal);
+  }
+  const expr = arg.expression.trim();
+  if (expr.startsWith('"') && expr.endsWith('"') || expr.startsWith("'") && expr.endsWith("'") || expr.startsWith("`") && expr.endsWith("`")) {
+    if (expr.startsWith("`") && expr.includes("${")) return null;
+    return expr.slice(1, -1);
+  }
+  return null;
+}
+function stripQuotes2(s) {
+  if (s.length < 2) return s;
+  const first = s[0];
+  const last = s[s.length - 1];
+  if (first === '"' && last === '"' || first === "'" && last === "'" || first === "`" && last === "`") {
+    return s.slice(1, -1);
+  }
+  return s;
+}
+function detectHandler(graph, calls) {
+  for (const type of graph.ir.types) {
+    if (type.annotations.some((a) => HANDLER_ANNOTATION_RE.test(a))) return true;
+    for (const method of type.methods) {
+      if (method.annotations.some((a) => HANDLER_ANNOTATION_RE.test(a))) return true;
+    }
+  }
+  for (const call of calls) {
+    if (!JS_ROUTE_METHODS.has(call.method_name)) continue;
+    if (!call.receiver) continue;
+    if (!JS_ROUTER_RECEIVERS.has(call.receiver)) continue;
+    const first = call.arguments[0];
+    if (!first) continue;
+    const literal = literalOf(first);
+    if (literal !== null && literal.startsWith("/")) return true;
+  }
+  return false;
+}
+
 // src/analysis/metrics/passes/size-metrics-pass.ts
 var SizeMetricsPass = class {
   name = "size-metrics";
@@ -23662,6 +23897,7 @@ async function analyze(code, filePath, language, options = {}) {
   if (!disabledPasses.has("missing-stream")) pipeline.add(new MissingStreamPass());
   if (!disabledPasses.has("god-class")) pipeline.add(new GodClassPass());
   if (!disabledPasses.has("naming-convention")) pipeline.add(new NamingConventionPass(passOpts.namingConvention));
+  if (!disabledPasses.has("security-headers")) pipeline.add(new SecurityHeadersPass(passOpts.securityHeaders));
   const { results, findings } = pipeline.run(graph, code, language, config);
   const sinkFilter = results.get("sink-filter");
   const interProc = results.get("interprocedural");

package/dist/types/config.d.ts

@@ -1,7 +1,7 @@
 /**
  * Types for YAML configuration files (configs/sources/, configs/sinks/)
  */
-import type { Severity, SinkType, SourceType } from './index.js';
+import type { SarifLevel, Severity, SinkType, SourceType } from './index.js';
 export interface SourceConfig {
     sources: SourcePattern[];
 }
@@ -43,3 +43,47 @@ export interface TaintConfig {
     sinks: SinkPattern[];
     sanitizers: SanitizerPattern[];
 }
+/**
+ * A rule evaluated by SecurityHeadersPass against HTTP response header
+ * writes (setHeader/addHeader) and handler presence. Emits SastFindings
+ * without going through the taint source→sink machinery, since headers
+ * are a call-site literal inspection problem, not a data-flow problem.
+ */
+export interface HeaderRule {
+    /** Rule id (matches docs/PASSES.md rule_id column). */
+    rule_id: string;
+    /** CWE identifier (e.g. 'CWE-1021', 'CWE-346', 'CWE-942'). */
+    cwe: string;
+    /** SARIF level: 'error' | 'warning' | 'note' | 'none'. */
+    level: SarifLevel;
+    /** Severity bucket: 'critical' | 'high' | 'medium' | 'low'. */
+    severity: Severity;
+    /** HTTP response header this rule applies to (case-insensitive). */
+    header: string;
+    /**
+     * Rule kind:
+     *  - 'missing'       → file has an HTTP handler but never writes this header
+     *  - 'weak-value'    → header written with a value matching `matcher`
+     *                      (e.g. 'ALLOW-FROM', 'null', 'http://…')
+     *  - 'unsafe-value'  → value is dynamic / reflected (not a string literal)
+     */
+    kind: 'missing' | 'weak-value' | 'unsafe-value';
+    /**
+     * Value pattern for 'weak-value' rules. Matched against the literal
+     * second argument of setHeader/addHeader (case-insensitive).
+     */
+    valuePattern?: RegExp;
+    /**
+     * If true (the default for kind='missing'), the rule only fires when
+     * the file contains at least one HTTP handler (annotated controller
+     * method, Express/Koa route, Rust extractor, etc.). Prevents noise on
+     * library code, configuration files, and tests.
+     */
+    requiresHandler?: boolean;
+    /** Human-readable message (header name interpolated with ${header}). */
+    message: string;
+    /** Suggested fix rendered into SastFinding.fix. */
+    fix?: string;
+    /** Optional note for PASSES.md / debugging. */
+    note?: string;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir",
-  "version": "3.18.8",
+  "version": "3.19.0",
   "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
   "main": "dist/index.js",
   "module": "dist/index.js",