circle-ir 3.18.8 → 3.19.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/analysis/config-loader.d.ts +11 -1
- package/dist/analysis/config-loader.js +99 -0
- package/dist/analysis/config-loader.js.map +1 -1
- package/dist/analysis/passes/security-headers-pass.d.ts +46 -0
- package/dist/analysis/passes/security-headers-pass.js +256 -0
- package/dist/analysis/passes/security-headers-pass.js.map +1 -0
- package/dist/analyzer.d.ts +3 -0
- package/dist/analyzer.js +3 -0
- package/dist/analyzer.js.map +1 -1
- package/dist/browser/circle-ir.js +245 -0
- package/dist/types/config.d.ts +45 -1
- package/package.json +1 -1
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
*
|
|
4
4
|
* Loads YAML configs from configs/sources/ and configs/sinks/
|
|
5
5
|
*/
|
|
6
|
-
import type { SourceConfig, SinkConfig, TaintConfig, SourcePattern, SinkPattern, SanitizerPattern } from '../types/config.js';
|
|
6
|
+
import type { SourceConfig, SinkConfig, TaintConfig, SourcePattern, SinkPattern, SanitizerPattern, HeaderRule } from '../types/config.js';
|
|
7
7
|
/**
|
|
8
8
|
* Parse YAML/JSON configuration content.
|
|
9
9
|
* Uses JSON since the config files are actually JSON despite .yaml extension.
|
|
@@ -35,3 +35,13 @@ export declare const DEFAULT_SANITIZERS: SanitizerPattern[];
|
|
|
35
35
|
* Get the default taint configuration.
|
|
36
36
|
*/
|
|
37
37
|
export declare function getDefaultConfig(): TaintConfig;
|
|
38
|
+
/**
|
|
39
|
+
* Default rule table for HTTP response security headers. Each rule is
|
|
40
|
+
* evaluated against setHeader/addHeader calls and (for kind='missing')
|
|
41
|
+
* against the absence of any such call on handler files.
|
|
42
|
+
*
|
|
43
|
+
* Covers clickjacking (CWE-1021) and CORS misconfiguration (CWE-346 /
|
|
44
|
+
* CWE-942). Adding a new rule here is enough to surface a finding — no
|
|
45
|
+
* pass code changes required.
|
|
46
|
+
*/
|
|
47
|
+
export declare const DEFAULT_HEADER_RULES: HeaderRule[];
|
|
@@ -1623,4 +1623,103 @@ export function getDefaultConfig() {
|
|
|
1623
1623
|
sanitizers: DEFAULT_SANITIZERS,
|
|
1624
1624
|
};
|
|
1625
1625
|
}
|
|
1626
|
+
// ============================================================================
|
|
1627
|
+
// Security Headers Rules (consumed by SecurityHeadersPass)
|
|
1628
|
+
// ============================================================================
|
|
1629
|
+
/**
|
|
1630
|
+
* Default rule table for HTTP response security headers. Each rule is
|
|
1631
|
+
* evaluated against setHeader/addHeader calls and (for kind='missing')
|
|
1632
|
+
* against the absence of any such call on handler files.
|
|
1633
|
+
*
|
|
1634
|
+
* Covers clickjacking (CWE-1021) and CORS misconfiguration (CWE-346 /
|
|
1635
|
+
* CWE-942). Adding a new rule here is enough to surface a finding — no
|
|
1636
|
+
* pass code changes required.
|
|
1637
|
+
*/
|
|
1638
|
+
export const DEFAULT_HEADER_RULES = [
|
|
1639
|
+
// -------------------------------------------------------------------------
|
|
1640
|
+
// Clickjacking (CWE-1021)
|
|
1641
|
+
// -------------------------------------------------------------------------
|
|
1642
|
+
{
|
|
1643
|
+
rule_id: 'missing-x-frame-options',
|
|
1644
|
+
cwe: 'CWE-1021',
|
|
1645
|
+
level: 'warning',
|
|
1646
|
+
severity: 'medium',
|
|
1647
|
+
header: 'X-Frame-Options',
|
|
1648
|
+
kind: 'missing',
|
|
1649
|
+
requiresHandler: true,
|
|
1650
|
+
message: 'HTTP handler does not set X-Frame-Options — vulnerable to clickjacking',
|
|
1651
|
+
fix: "Set response.setHeader('X-Frame-Options', 'DENY') or use a CSP frame-ancestors directive",
|
|
1652
|
+
note: 'Defense against UI redress / clickjacking attacks',
|
|
1653
|
+
},
|
|
1654
|
+
{
|
|
1655
|
+
rule_id: 'x-frame-options-allow-from',
|
|
1656
|
+
cwe: 'CWE-1021',
|
|
1657
|
+
level: 'warning',
|
|
1658
|
+
severity: 'medium',
|
|
1659
|
+
header: 'X-Frame-Options',
|
|
1660
|
+
kind: 'weak-value',
|
|
1661
|
+
valuePattern: /^allow-from\b/i,
|
|
1662
|
+
message: 'X-Frame-Options: ALLOW-FROM is deprecated and unsupported by modern browsers',
|
|
1663
|
+
fix: "Use CSP frame-ancestors directive instead: Content-Security-Policy: frame-ancestors 'self'",
|
|
1664
|
+
},
|
|
1665
|
+
{
|
|
1666
|
+
rule_id: 'missing-csp-frame-ancestors',
|
|
1667
|
+
cwe: 'CWE-1021',
|
|
1668
|
+
level: 'note',
|
|
1669
|
+
severity: 'low',
|
|
1670
|
+
header: 'Content-Security-Policy',
|
|
1671
|
+
kind: 'missing',
|
|
1672
|
+
requiresHandler: true,
|
|
1673
|
+
message: 'HTTP handler does not set Content-Security-Policy — frame-ancestors unset',
|
|
1674
|
+
fix: "Set Content-Security-Policy: frame-ancestors 'self' for defense-in-depth clickjacking protection",
|
|
1675
|
+
note: 'Informational; paired with missing-x-frame-options',
|
|
1676
|
+
},
|
|
1677
|
+
// -------------------------------------------------------------------------
|
|
1678
|
+
// CORS Misconfiguration (CWE-346, CWE-942)
|
|
1679
|
+
// -------------------------------------------------------------------------
|
|
1680
|
+
{
|
|
1681
|
+
rule_id: 'cors-wildcard-origin',
|
|
1682
|
+
cwe: 'CWE-942',
|
|
1683
|
+
level: 'error',
|
|
1684
|
+
severity: 'high',
|
|
1685
|
+
header: 'Access-Control-Allow-Origin',
|
|
1686
|
+
kind: 'weak-value',
|
|
1687
|
+
valuePattern: /^\*$/,
|
|
1688
|
+
message: "Access-Control-Allow-Origin: '*' permits cross-origin requests from any site",
|
|
1689
|
+
fix: 'Restrict to a specific trusted origin or use an allowlist',
|
|
1690
|
+
},
|
|
1691
|
+
{
|
|
1692
|
+
rule_id: 'cors-null-origin',
|
|
1693
|
+
cwe: 'CWE-346',
|
|
1694
|
+
level: 'error',
|
|
1695
|
+
severity: 'high',
|
|
1696
|
+
header: 'Access-Control-Allow-Origin',
|
|
1697
|
+
kind: 'weak-value',
|
|
1698
|
+
valuePattern: /^null$/i,
|
|
1699
|
+
message: "Access-Control-Allow-Origin: 'null' is exploitable via sandboxed iframes and data: URIs",
|
|
1700
|
+
fix: 'Restrict to a specific trusted origin',
|
|
1701
|
+
},
|
|
1702
|
+
{
|
|
1703
|
+
rule_id: 'cors-http-origin',
|
|
1704
|
+
cwe: 'CWE-346',
|
|
1705
|
+
level: 'warning',
|
|
1706
|
+
severity: 'medium',
|
|
1707
|
+
header: 'Access-Control-Allow-Origin',
|
|
1708
|
+
kind: 'weak-value',
|
|
1709
|
+
valuePattern: /^http:\/\//i,
|
|
1710
|
+
message: 'Access-Control-Allow-Origin uses insecure http:// scheme',
|
|
1711
|
+
fix: 'Use https:// for the allowed origin',
|
|
1712
|
+
},
|
|
1713
|
+
{
|
|
1714
|
+
rule_id: 'cors-reflected-origin',
|
|
1715
|
+
cwe: 'CWE-346',
|
|
1716
|
+
level: 'error',
|
|
1717
|
+
severity: 'high',
|
|
1718
|
+
header: 'Access-Control-Allow-Origin',
|
|
1719
|
+
kind: 'unsafe-value',
|
|
1720
|
+
message: 'Access-Control-Allow-Origin set to a dynamic value — possible origin reflection',
|
|
1721
|
+
fix: 'Validate the Origin request header against an allowlist before echoing it back',
|
|
1722
|
+
note: 'Fires when the value is not a string literal (likely reflected from request)',
|
|
1723
|
+
},
|
|
1724
|
+
];
|
|
1626
1725
|
//# sourceMappingURL=config-loader.js.map
|