circle-ir 3.19.5 → 3.21.0

package/dist/browser/circle-ir.js

@@ -7450,6 +7450,9 @@ function buildCFG(tree, language) {
   const allBlocks = [];
   const allEdges = [];
   let blockIdCounter = 0;
+  if (effectiveLanguage === "bash") {
+    return buildBashCFG(tree, blockIdCounter);
+  }
   if (isJavaScript) {
     const functions = [
       ...findNodes(tree.rootNode, "function_declaration"),
@@ -7805,6 +7808,81 @@ function processSwitchStatement(stmt, startId, blocks, edges, isJavaScript) {
     nextId: currentId
   };
 }
+function buildBashCFG(tree, startId) {
+  const allBlocks = [];
+  const allEdges = [];
+  let blockIdCounter = startId;
+  const functions = findNodes(tree.rootNode, "function_definition");
+  for (const func2 of functions) {
+    const body2 = func2.childForFieldName("body");
+    if (!body2) continue;
+    const { blocks, edges, nextId } = buildMethodCFG(body2, blockIdCounter, false);
+    allBlocks.push(...blocks);
+    allEdges.push(...edges);
+    blockIdCounter = nextId;
+  }
+  const topLevelStatements = [];
+  for (let i2 = 0; i2 < tree.rootNode.childCount; i2++) {
+    const child = tree.rootNode.child(i2);
+    if (child && child.type !== "function_definition" && isBashStatement(child)) {
+      topLevelStatements.push(child);
+    }
+  }
+  if (topLevelStatements.length > 0) {
+    const entryBlock = {
+      id: blockIdCounter++,
+      type: "entry",
+      start_line: topLevelStatements[0].startPosition.row + 1,
+      end_line: topLevelStatements[0].startPosition.row + 1
+    };
+    allBlocks.push(entryBlock);
+    let lastExitIds = [];
+    let firstBlockId = -1;
+    for (const stmt of topLevelStatements) {
+      const result = processStatement(stmt, blockIdCounter, allBlocks, allEdges, false);
+      blockIdCounter = result.nextId;
+      if (firstBlockId === -1) {
+        firstBlockId = result.entryId;
+      } else {
+        for (const exitId of lastExitIds) {
+          allEdges.push({ from: exitId, to: result.entryId, type: "sequential" });
+        }
+      }
+      lastExitIds = result.exitIds;
+    }
+    if (firstBlockId !== -1) {
+      allEdges.push({ from: entryBlock.id, to: firstBlockId, type: "sequential" });
+    }
+    const exitBlock = {
+      id: blockIdCounter++,
+      type: "exit",
+      start_line: topLevelStatements[topLevelStatements.length - 1].endPosition.row + 1,
+      end_line: topLevelStatements[topLevelStatements.length - 1].endPosition.row + 1
+    };
+    allBlocks.push(exitBlock);
+    for (const exitId of lastExitIds) {
+      allEdges.push({ from: exitId, to: exitBlock.id, type: "sequential" });
+    }
+  }
+  return { blocks: allBlocks, edges: allEdges };
+}
+function isBashStatement(node) {
+  const bashStatementTypes = /* @__PURE__ */ new Set([
+    "command",
+    "variable_assignment",
+    "if_statement",
+    "for_statement",
+    "while_statement",
+    "case_statement",
+    "pipeline",
+    "list",
+    "redirected_statement",
+    "compound_statement",
+    "subshell",
+    "declaration_command"
+  ]);
+  return bashStatementTypes.has(node.type);
+}
 function isStatement(node, isJavaScript) {
   const javaStatementTypes = /* @__PURE__ */ new Set([
     "local_variable_declaration",
@@ -7895,6 +7973,9 @@ function buildDFG(tree, cache, language) {
   if (effectiveLanguage === "rust") {
     return buildRustDFG(tree, cache);
   }
+  if (effectiveLanguage === "bash") {
+    return buildBashDFG(tree);
+  }
   return buildJavaDFG(tree, cache);
 }
 function buildJavaDFG(tree, cache) {
@@ -8621,6 +8702,101 @@ function computeChains(defs, uses) {
   chains.sort((a, b) => a.from_def - b.from_def || a.to_def - b.to_def);
   return chains;
 }
+function buildBashDFG(tree) {
+  const defs = [];
+  const uses = [];
+  let defIdCounter = 1;
+  let useIdCounter = 1;
+  const scopeStack = [/* @__PURE__ */ new Map()];
+  const positionalParams = ["1", "2", "3", "4", "5", "6", "7", "8", "9", "@", "*"];
+  for (const p of positionalParams) {
+    const def = {
+      id: defIdCounter++,
+      variable: p,
+      line: 0,
+      kind: "param"
+    };
+    defs.push(def);
+    currentScope(scopeStack).set(p, def.id);
+  }
+  walkTree(tree.rootNode, (node) => {
+    if (node.type === "variable_assignment") {
+      const nameNode = node.childForFieldName("name");
+      if (nameNode) {
+        const varName = getNodeText(nameNode);
+        const def = {
+          id: defIdCounter++,
+          variable: varName,
+          line: node.startPosition.row + 1,
+          kind: "local"
+        };
+        defs.push(def);
+        currentScope(scopeStack).set(varName, def.id);
+      }
+    } else if (node.type === "command") {
+      const nameNode = node.childForFieldName("name");
+      if (nameNode && getNodeText(nameNode) === "read") {
+        for (let i2 = 0; i2 < node.namedChildCount; i2++) {
+          const arg = node.namedChild(i2);
+          if (!arg || arg === nameNode) continue;
+          if (arg.type === "word") {
+            const text = getNodeText(arg);
+            if (text.startsWith("-")) continue;
+            const def = {
+              id: defIdCounter++,
+              variable: text,
+              line: node.startPosition.row + 1,
+              kind: "local"
+            };
+            defs.push(def);
+            currentScope(scopeStack).set(text, def.id);
+          }
+        }
+      }
+    } else if (node.type === "for_statement") {
+      const varNode = node.childForFieldName("variable");
+      if (varNode) {
+        const varName = getNodeText(varNode);
+        const def = {
+          id: defIdCounter++,
+          variable: varName,
+          line: node.startPosition.row + 1,
+          kind: "local"
+        };
+        defs.push(def);
+        currentScope(scopeStack).set(varName, def.id);
+      }
+    } else if (node.type === "simple_expansion") {
+      const varNameNode = node.namedChildCount > 0 ? node.namedChild(0) : null;
+      if (varNameNode) {
+        const varName = getNodeText(varNameNode);
+        if (varName && !varName.startsWith("?") && !varName.startsWith("#")) {
+          const reachingDef = findReachingDef(varName, scopeStack);
+          uses.push({
+            id: useIdCounter++,
+            variable: varName,
+            line: node.startPosition.row + 1,
+            def_id: reachingDef
+          });
+        }
+      }
+    } else if (node.type === "expansion") {
+      const varNameNode = node.namedChildCount > 0 ? node.namedChild(0) : null;
+      if (varNameNode && varNameNode.type === "variable_name") {
+        const varName = getNodeText(varNameNode);
+        const reachingDef = findReachingDef(varName, scopeStack);
+        uses.push({
+          id: useIdCounter++,
+          variable: varName,
+          line: node.startPosition.row + 1,
+          def_id: reachingDef
+        });
+      }
+    }
+  });
+  const chains = computeChains(defs, uses);
+  return { defs, uses, chains };
+}
 function buildRustDFG(tree, cache) {
   const defs = [];
   const uses = [];
@@ -18706,6 +18882,13 @@ var LanguageSourcesPass = class {
       }
     }
     const jsTaintedVars = buildJavaScriptTaintedVars(code, language);
+    if (language === "bash") {
+      additionalSources.push(...findBashTaintSources(code, graph.ir.dfg));
+      const bashFindings = findBashPatternFindings(code, graph.ir.meta.file);
+      for (const finding of bashFindings) {
+        ctx.addFinding(finding);
+      }
+    }
     return { additionalSources, additionalSinks, pyTaintedVars, pySanitizedVars, jsTaintedVars };
   }
 };
@@ -19008,6 +19191,184 @@ function buildJavaScriptTaintedVars(sourceCode, language) {
   }
   return tainted;
 }
+var BASH_UNTRUSTED_ENV_PATTERNS = [
+  /^USER_INPUT$/i,
+  /^QUERY_STRING$/i,
+  /^REQUEST_/i,
+  /^HTTP_/i,
+  /^REMOTE_/i,
+  /^CONTENT_TYPE$/i,
+  /^CONTENT_LENGTH$/i,
+  /^PATH_INFO$/i,
+  /^SCRIPT_NAME$/i,
+  /^SERVER_NAME$/i
+];
+var BASH_NETWORK_COMMANDS = /* @__PURE__ */ new Set(["curl", "wget", "nc", "ncat"]);
+var BASH_FILE_COMMANDS = /* @__PURE__ */ new Set(["cat", "head", "tail", "less", "more", "awk", "sed", "cut", "grep"]);
+function findBashTaintSources(sourceCode, dfg) {
+  const sources = [];
+  const lines = sourceCode.split("\n");
+  const definedVars = new Set(dfg.defs.filter((d) => d.kind === "local").map((d) => d.variable));
+  for (let i2 = 0; i2 < lines.length; i2++) {
+    const line = lines[i2];
+    const trimmed = line.trim();
+    const lineNumber = i2 + 1;
+    if (trimmed.startsWith("#")) continue;
+    const positionalRe = /\$([1-9@*])|\$\{([1-9@*])\}/g;
+    let m;
+    while ((m = positionalRe.exec(line)) !== null) {
+      const param = m[1] ?? m[2];
+      const alreadyExists = sources.some((s) => s.line === lineNumber && s.variable === param);
+      if (!alreadyExists) {
+        sources.push({
+          type: "io_input",
+          location: `positional parameter $${param}`,
+          severity: "high",
+          line: lineNumber,
+          confidence: 1,
+          variable: param
+        });
+      }
+    }
+    const cmdSubAssign = trimmed.match(/^(\w+)=\$\((\w+)\s/);
+    const cmdSubBacktick = trimmed.match(/^(\w+)=`(\w+)\s/);
+    const csMatch = cmdSubAssign ?? cmdSubBacktick;
+    if (csMatch) {
+      const [, varName, cmd] = csMatch;
+      if (BASH_NETWORK_COMMANDS.has(cmd)) {
+        sources.push({
+          type: "network_input",
+          location: `${varName}=$(${cmd} ...) \u2014 network command output`,
+          severity: "high",
+          line: lineNumber,
+          confidence: 0.9,
+          variable: varName
+        });
+      } else if (BASH_FILE_COMMANDS.has(cmd)) {
+        sources.push({
+          type: "file_input",
+          location: `${varName}=$(${cmd} ...) \u2014 file command output`,
+          severity: "medium",
+          line: lineNumber,
+          confidence: 0.7,
+          variable: varName
+        });
+      }
+    }
+    const envRe = /\$([A-Z][A-Z0-9_]{2,})|\$\{([A-Z][A-Z0-9_]{2,})\}/g;
+    let em;
+    while ((em = envRe.exec(line)) !== null) {
+      const envVar = em[1] ?? em[2];
+      if (!definedVars.has(envVar) && BASH_UNTRUSTED_ENV_PATTERNS.some((p) => p.test(envVar))) {
+        const alreadyExists = sources.some((s) => s.line === lineNumber && s.variable === envVar);
+        if (!alreadyExists) {
+          sources.push({
+            type: "env_input",
+            location: `environment variable $${envVar}`,
+            severity: "medium",
+            line: lineNumber,
+            confidence: 0.8,
+            variable: envVar
+          });
+        }
+      }
+    }
+  }
+  return sources;
+}
+var BASH_CREDENTIAL_PATTERN = /^(.*?)(password|passwd|secret|api_?key|token|auth_token|private_key|access_key)\s*=\s*["']?([^"'\s$][^"'\s]*)["']?\s*$/i;
+function findBashPatternFindings(sourceCode, file) {
+  const findings = [];
+  const lines = sourceCode.split("\n");
+  for (let i2 = 0; i2 < lines.length; i2++) {
+    const line = lines[i2];
+    const trimmed = line.trim();
+    const lineNumber = i2 + 1;
+    if (trimmed.startsWith("#")) continue;
+    const credMatch = trimmed.match(BASH_CREDENTIAL_PATTERN);
+    if (credMatch) {
+      const value = credMatch[3];
+      if (value && !value.startsWith("$") && !value.startsWith("(") && value.length > 1) {
+        findings.push({
+          id: `hardcoded-credential-${file}-${lineNumber}`,
+          pass: "language-sources",
+          category: "security",
+          rule_id: "hardcoded-credential",
+          cwe: "CWE-798",
+          severity: "high",
+          level: "error",
+          message: `Hardcoded credential: ${credMatch[2]} contains a literal value`,
+          file,
+          line: lineNumber,
+          snippet: trimmed.substring(0, 80)
+        });
+      }
+    }
+    if (/\b(curl|wget)\b/.test(trimmed) && /\bhttp:\/\//.test(trimmed)) {
+      findings.push({
+        id: `cleartext-transmission-${file}-${lineNumber}`,
+        pass: "language-sources",
+        category: "security",
+        rule_id: "cleartext-transmission",
+        cwe: "CWE-319",
+        severity: "medium",
+        level: "warning",
+        message: "Cleartext HTTP transmission: use https:// instead of http://",
+        file,
+        line: lineNumber,
+        snippet: trimmed.substring(0, 80)
+      });
+    }
+    const tmpMatch = trimmed.match(/\/tmp\/([^\s"'$]+)/);
+    if (tmpMatch && !/mktemp/.test(trimmed)) {
+      findings.push({
+        id: `predictable-temp-file-${file}-${lineNumber}`,
+        pass: "language-sources",
+        category: "security",
+        rule_id: "predictable-temp-file",
+        cwe: "CWE-377",
+        severity: "medium",
+        level: "warning",
+        message: `Predictable temp file: /tmp/${tmpMatch[1]}. Use mktemp instead`,
+        file,
+        line: lineNumber,
+        snippet: trimmed.substring(0, 80)
+      });
+    }
+    if (/\bchmod\b/.test(trimmed) && /\b(777|666)\b/.test(trimmed)) {
+      const mode = trimmed.match(/\b(777|666)\b/)[1];
+      findings.push({
+        id: `insecure-file-permission-${file}-${lineNumber}`,
+        pass: "language-sources",
+        category: "security",
+        rule_id: "insecure-file-permission",
+        cwe: "CWE-732",
+        severity: "medium",
+        level: "warning",
+        message: `Insecure file permission: chmod ${mode} grants excessive access`,
+        file,
+        line: lineNumber,
+        snippet: trimmed.substring(0, 80)
+      });
+    }
+    if (/\btar\b/.test(trimmed) && /(-x|--extract)/.test(trimmed) && !/--strip-components/.test(trimmed)) {
+      findings.push({
+        id: `unsafe-archive-extraction-${file}-${lineNumber}`,
+        pass: "language-sources",
+        category: "security",
+        rule_id: "unsafe-archive-extraction",
+        cwe: "CWE-22",
+        severity: "medium",
+        level: "warning",
+        message: "Unsafe archive extraction: tar -x without --strip-components may allow path traversal",
+        file,
+        line: lineNumber,
+        snippet: trimmed.substring(0, 80)
+      });
+    }
+  }
+  return findings;
+}
 
 // src/analysis/passes/sink-filter-pass.ts
 var JS_XSS_SANITIZERS = [

package/dist/core/circle-ir-core.cjs

@@ -7526,6 +7526,9 @@ function buildCFG(tree, language) {
   const allBlocks = [];
   const allEdges = [];
   let blockIdCounter = 0;
+  if (effectiveLanguage === "bash") {
+    return buildBashCFG(tree, blockIdCounter);
+  }
   if (isJavaScript) {
     const functions = [
       ...findNodes(tree.rootNode, "function_declaration"),
@@ -7881,6 +7884,81 @@ function processSwitchStatement(stmt, startId, blocks, edges, isJavaScript) {
     nextId: currentId
   };
 }
+function buildBashCFG(tree, startId) {
+  const allBlocks = [];
+  const allEdges = [];
+  let blockIdCounter = startId;
+  const functions = findNodes(tree.rootNode, "function_definition");
+  for (const func2 of functions) {
+    const body2 = func2.childForFieldName("body");
+    if (!body2) continue;
+    const { blocks, edges, nextId } = buildMethodCFG(body2, blockIdCounter, false);
+    allBlocks.push(...blocks);
+    allEdges.push(...edges);
+    blockIdCounter = nextId;
+  }
+  const topLevelStatements = [];
+  for (let i2 = 0; i2 < tree.rootNode.childCount; i2++) {
+    const child = tree.rootNode.child(i2);
+    if (child && child.type !== "function_definition" && isBashStatement(child)) {
+      topLevelStatements.push(child);
+    }
+  }
+  if (topLevelStatements.length > 0) {
+    const entryBlock = {
+      id: blockIdCounter++,
+      type: "entry",
+      start_line: topLevelStatements[0].startPosition.row + 1,
+      end_line: topLevelStatements[0].startPosition.row + 1
+    };
+    allBlocks.push(entryBlock);
+    let lastExitIds = [];
+    let firstBlockId = -1;
+    for (const stmt of topLevelStatements) {
+      const result = processStatement(stmt, blockIdCounter, allBlocks, allEdges, false);
+      blockIdCounter = result.nextId;
+      if (firstBlockId === -1) {
+        firstBlockId = result.entryId;
+      } else {
+        for (const exitId of lastExitIds) {
+          allEdges.push({ from: exitId, to: result.entryId, type: "sequential" });
+        }
+      }
+      lastExitIds = result.exitIds;
+    }
+    if (firstBlockId !== -1) {
+      allEdges.push({ from: entryBlock.id, to: firstBlockId, type: "sequential" });
+    }
+    const exitBlock = {
+      id: blockIdCounter++,
+      type: "exit",
+      start_line: topLevelStatements[topLevelStatements.length - 1].endPosition.row + 1,
+      end_line: topLevelStatements[topLevelStatements.length - 1].endPosition.row + 1
+    };
+    allBlocks.push(exitBlock);
+    for (const exitId of lastExitIds) {
+      allEdges.push({ from: exitId, to: exitBlock.id, type: "sequential" });
+    }
+  }
+  return { blocks: allBlocks, edges: allEdges };
+}
+function isBashStatement(node) {
+  const bashStatementTypes = /* @__PURE__ */ new Set([
+    "command",
+    "variable_assignment",
+    "if_statement",
+    "for_statement",
+    "while_statement",
+    "case_statement",
+    "pipeline",
+    "list",
+    "redirected_statement",
+    "compound_statement",
+    "subshell",
+    "declaration_command"
+  ]);
+  return bashStatementTypes.has(node.type);
+}
 function isStatement(node, isJavaScript) {
   const javaStatementTypes = /* @__PURE__ */ new Set([
     "local_variable_declaration",
@@ -7971,6 +8049,9 @@ function buildDFG(tree, cache, language) {
   if (effectiveLanguage === "rust") {
     return buildRustDFG(tree, cache);
   }
+  if (effectiveLanguage === "bash") {
+    return buildBashDFG(tree);
+  }
   return buildJavaDFG(tree, cache);
 }
 function buildJavaDFG(tree, cache) {
@@ -8697,6 +8778,101 @@ function computeChains(defs, uses) {
   chains.sort((a, b) => a.from_def - b.from_def || a.to_def - b.to_def);
   return chains;
 }
+function buildBashDFG(tree) {
+  const defs = [];
+  const uses = [];
+  let defIdCounter = 1;
+  let useIdCounter = 1;
+  const scopeStack = [/* @__PURE__ */ new Map()];
+  const positionalParams = ["1", "2", "3", "4", "5", "6", "7", "8", "9", "@", "*"];
+  for (const p of positionalParams) {
+    const def = {
+      id: defIdCounter++,
+      variable: p,
+      line: 0,
+      kind: "param"
+    };
+    defs.push(def);
+    currentScope(scopeStack).set(p, def.id);
+  }
+  walkTree(tree.rootNode, (node) => {
+    if (node.type === "variable_assignment") {
+      const nameNode = node.childForFieldName("name");
+      if (nameNode) {
+        const varName = getNodeText(nameNode);
+        const def = {
+          id: defIdCounter++,
+          variable: varName,
+          line: node.startPosition.row + 1,
+          kind: "local"
+        };
+        defs.push(def);
+        currentScope(scopeStack).set(varName, def.id);
+      }
+    } else if (node.type === "command") {
+      const nameNode = node.childForFieldName("name");
+      if (nameNode && getNodeText(nameNode) === "read") {
+        for (let i2 = 0; i2 < node.namedChildCount; i2++) {
+          const arg = node.namedChild(i2);
+          if (!arg || arg === nameNode) continue;
+          if (arg.type === "word") {
+            const text = getNodeText(arg);
+            if (text.startsWith("-")) continue;
+            const def = {
+              id: defIdCounter++,
+              variable: text,
+              line: node.startPosition.row + 1,
+              kind: "local"
+            };
+            defs.push(def);
+            currentScope(scopeStack).set(text, def.id);
+          }
+        }
+      }
+    } else if (node.type === "for_statement") {
+      const varNode = node.childForFieldName("variable");
+      if (varNode) {
+        const varName = getNodeText(varNode);
+        const def = {
+          id: defIdCounter++,
+          variable: varName,
+          line: node.startPosition.row + 1,
+          kind: "local"
+        };
+        defs.push(def);
+        currentScope(scopeStack).set(varName, def.id);
+      }
+    } else if (node.type === "simple_expansion") {
+      const varNameNode = node.namedChildCount > 0 ? node.namedChild(0) : null;
+      if (varNameNode) {
+        const varName = getNodeText(varNameNode);
+        if (varName && !varName.startsWith("?") && !varName.startsWith("#")) {
+          const reachingDef = findReachingDef(varName, scopeStack);
+          uses.push({
+            id: useIdCounter++,
+            variable: varName,
+            line: node.startPosition.row + 1,
+            def_id: reachingDef
+          });
+        }
+      }
+    } else if (node.type === "expansion") {
+      const varNameNode = node.namedChildCount > 0 ? node.namedChild(0) : null;
+      if (varNameNode && varNameNode.type === "variable_name") {
+        const varName = getNodeText(varNameNode);
+        const reachingDef = findReachingDef(varName, scopeStack);
+        uses.push({
+          id: useIdCounter++,
+          variable: varName,
+          line: node.startPosition.row + 1,
+          def_id: reachingDef
+        });
+      }
+    }
+  });
+  const chains = computeChains(defs, uses);
+  return { defs, uses, chains };
+}
 function buildRustDFG(tree, cache) {
   const defs = [];
   const uses = [];