circle-ir 3.22.0 → 3.22.1

package/dist/core/circle-ir-core.cjs

@@ -6424,7 +6424,7 @@ function extractBashCommandInfo(node) {
   for (let i2 = 0; i2 < node.childCount; i2++) {
     const child = node.child(i2);
     if (!child) continue;
-    if (child === nameNode) continue;
+    if (child === nameNode || child.id === nameNode.id) continue;
     if (child.type.includes("redirect") || child.type === "heredoc_body" || child.type === "file_descriptor") {
       continue;
     }
@@ -10096,9 +10096,8 @@ var DEFAULT_SINKS = [
   { method: "FlowExecution", class: "constructor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // ActiveMQ control commands
   { method: "processControlCommand", class: "TransportConnection", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  // XStream deserialization (leads to RCE via gadget chains)
-  { method: "fromXML", class: "XStream", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "unmarshal", class: "XStream", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  // XStream deserialization — classified as CWE-502 (deserialization), not CWE-78 (command injection).
+  // The deserialization sink entries at lines ~1059 handle this correctly.
   { method: "fromString", class: "FileConverter", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // Plexus command line
   { method: "getPosition", class: "Commandline", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -10782,7 +10781,8 @@ var DEFAULT_SINKS = [
   { method: "query", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "query", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
+  // Note: classless { method: 'query' } removed — too many FPs (UriComponentsBuilder.query(), etc.)
+  // SQL query calls are covered by class-specific patterns above (Connection, Pool, Client, JdbcTemplate)
   { method: "raw", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
   // Browser DOM XSS sinks
   { method: "setAttribute", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
@@ -10979,8 +10979,8 @@ var DEFAULT_SINKS = [
   { method: "execute", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query_row", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "prepare", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  // sqlx::query macro
-  { method: "query", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
+  // sqlx::query macro — use class-specific pattern
+  { method: "query", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   // rusqlite specific
   { method: "prepare", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "execute", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
@@ -11495,15 +11495,24 @@ function isInterproceduralTaintableType(typeName) {
 }
 function isParameterizedQueryCall(call, pattern) {
   if (pattern.type !== "sql_injection") return false;
-  if (call.arguments.length < 2) return false;
-  const secondArg = call.arguments.find((a) => a.position === 1);
-  if (!secondArg) return false;
-  if (secondArg.expression) {
-    const expr = secondArg.expression.trim();
-    if (expr.startsWith("[")) {
+  const queryArg = call.arguments.find((a) => a.position === 0);
+  if (queryArg) {
+    const queryText = queryArg.literal ?? queryArg.expression ?? "";
+    const hasPlaceholders = /(\?(?:\s|,|$|\))|\$\d+|:\w+|%s)/.test(queryText);
+    const hasConcatenation = /\+\s*[^+]/.test(queryText) || queryText.includes("${");
+    if (hasPlaceholders && !hasConcatenation && call.arguments.length >= 2) {
       return true;
     }
   }
+  if (call.arguments.length >= 2) {
+    const secondArg = call.arguments.find((a) => a.position === 1);
+    if (secondArg?.expression) {
+      const expr = secondArg.expression.trim();
+      if (expr.startsWith("[")) {
+        return true;
+      }
+    }
+  }
   return false;
 }
 function findSinks(calls, patterns, typeHierarchy) {
@@ -11629,9 +11638,130 @@ var SAFE_RECEIVERS_BY_METHOD = {
     "stmt",
     "statement",
     "cursor"
+  ]),
+  // query() is only a SQL sink when receiver is a database handle — not URL builders,
+  // DOM selectors, GraphQL clients, DNS resolvers, etc.
+  query: /* @__PURE__ */ new Set([
+    "uri",
+    "url",
+    "builder",
+    "uribuilder",
+    "uricomponents",
+    "uricomponentsbuilder",
+    "servleturicomponentsbuilder",
+    "httpurl",
+    "urlbuilder",
+    "webclient",
+    "request",
+    "req",
+    "router",
+    "route",
+    "app",
+    "express",
+    "parser",
+    "selector",
+    "jquery",
+    "dom",
+    "document",
+    "element",
+    "xmlpath",
+    "xpath",
+    "dns",
+    "resolver",
+    "graphql",
+    "apollo",
+    "querybuilder",
+    "criteria"
+  ]),
+  // authenticate() — safe on auth framework objects (token verification, not code exec)
+  authenticate: /* @__PURE__ */ new Set([
+    "auth",
+    "authenticator",
+    "authmanager",
+    "authprovider",
+    "authenticationmanager",
+    "authservice",
+    "oauth",
+    "token",
+    "jwt",
+    "passport",
+    "session",
+    "security",
+    "credentials",
+    "identityprovider",
+    "ldap",
+    "saml",
+    "oidc"
+  ]),
+  // add() is extremely generic — safe on collections, UI containers, builders, etc.
+  add: /* @__PURE__ */ new Set([
+    "list",
+    "set",
+    "map",
+    "collection",
+    "array",
+    "queue",
+    "deque",
+    "stack",
+    "vector",
+    "builder",
+    "panel",
+    "container",
+    "group",
+    "layout",
+    "menu",
+    "toolbar",
+    "model",
+    "registry",
+    "context",
+    "config",
+    "options",
+    "params",
+    "headers",
+    "attributes",
+    "listeners",
+    "handlers",
+    "filters",
+    "interceptors",
+    "validators",
+    "extensions",
+    "plugins",
+    "modules",
+    "components",
+    "children",
+    "items",
+    "elements",
+    "entries",
+    "rows",
+    "columns",
+    "fields",
+    "properties",
+    "descriptors",
+    "nodes",
+    "actions",
+    "results",
+    "errors",
+    "warnings",
+    "messages",
+    "notifications",
+    "events",
+    "subscribers",
+    "observers",
+    "providers",
+    "services",
+    "beans",
+    "tasks",
+    "jobs",
+    "workers",
+    "threads",
+    "schedulers"
   ])
 };
-function isKnownSafeReceiverForMethod(receiver, method, _sinkType) {
+function isKnownSafeReceiverForMethod(receiver, method, sinkType) {
+  const lowerMethod = method.toLowerCase();
+  if ((lowerMethod === "fromxml" || lowerMethod === "unmarshal") && sinkType === "command_injection") {
+    return true;
+  }
   const safeReceivers = SAFE_RECEIVERS_BY_METHOD[method];
   if (!safeReceivers) return false;
   const lowerReceiver = receiver.toLowerCase();
@@ -11737,11 +11867,23 @@ function receiverMightBeClass(receiver, className) {
       }
     }
   }
-  if (lowerClass.includes(lowerReceiver)) {
-    return true;
+  if (lowerReceiver.length >= 3 && lowerClass.includes(lowerReceiver)) {
+    if (lowerReceiver.length >= 5 || lowerReceiver.length / lowerClass.length >= 0.4) {
+      return true;
+    }
   }
-  if (lowerClass.startsWith(lowerReceiver.substring(0, 3))) {
-    return true;
+  if (lowerReceiver.length >= 2) {
+    if (lowerClass.startsWith(lowerReceiver) || lowerClass.endsWith(lowerReceiver)) {
+      return true;
+    }
+  }
+  if (lowerReceiver.length >= 3) {
+    const words = className.replace(/([a-z])([A-Z])/g, "$1\0$2").toLowerCase().split("\0");
+    for (const word of words) {
+      if (word.startsWith(lowerReceiver) && lowerReceiver.length / word.length >= 0.4) {
+        return true;
+      }
+    }
   }
   const commonMappings = {
     // HTTP/Servlet
@@ -11762,8 +11904,10 @@ function receiverMightBeClass(receiver, className) {
     // Process/Runtime
     runtime: ["Runtime"],
     pb: ["ProcessBuilder"],
-    // Scripting
+    // Scripting / Expression evaluation
     engine: ["ScriptEngine"],
+    ev: ["ExpressionEvaluator", "ScriptEvaluator", "ClassBodyEvaluator"],
+    evaluator: ["ExpressionEvaluator", "ScriptEvaluator", "ClassBodyEvaluator"],
     // LDAP
     ctx: ["Context", "InitialContext", "DirContext", "InitialDirContext", "LdapContext"],
     context: ["Context", "InitialContext", "DirContext", "InitialDirContext", "LdapContext"],
@@ -11853,12 +11997,25 @@ function receiverMightBeClass(receiver, className) {
     knex: ["knex"],
     prisma: ["prisma"],
     axios: ["axios"],
-    fetch: ["fetch"]
+    fetch: ["fetch"],
+    // Go idioms (single-letter receivers)
+    r: ["Request"],
+    w: ["ResponseWriter"]
   };
   const mappings = commonMappings[lowerReceiver];
   if (mappings && Array.isArray(mappings) && mappings.includes(className)) {
     return true;
   }
+  const strippedReceiver = lowerReceiver.replace(/\d+$/, "");
+  if (strippedReceiver !== lowerReceiver && strippedReceiver.length >= 2) {
+    const strippedMappings = commonMappings[strippedReceiver];
+    if (strippedMappings && Array.isArray(strippedMappings) && strippedMappings.includes(className)) {
+      return true;
+    }
+    if (lowerClass.startsWith(strippedReceiver) || strippedReceiver.startsWith(lowerClass)) {
+      return true;
+    }
+  }
   return false;
 }
 function formatCallLocation(call) {

package/dist/core/circle-ir-core.js

@@ -6359,7 +6359,7 @@ function extractBashCommandInfo(node) {
   for (let i2 = 0; i2 < node.childCount; i2++) {
     const child = node.child(i2);
     if (!child) continue;
-    if (child === nameNode) continue;
+    if (child === nameNode || child.id === nameNode.id) continue;
     if (child.type.includes("redirect") || child.type === "heredoc_body" || child.type === "file_descriptor") {
       continue;
     }
@@ -10031,9 +10031,8 @@ var DEFAULT_SINKS = [
   { method: "FlowExecution", class: "constructor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // ActiveMQ control commands
   { method: "processControlCommand", class: "TransportConnection", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  // XStream deserialization (leads to RCE via gadget chains)
-  { method: "fromXML", class: "XStream", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "unmarshal", class: "XStream", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  // XStream deserialization — classified as CWE-502 (deserialization), not CWE-78 (command injection).
+  // The deserialization sink entries at lines ~1059 handle this correctly.
   { method: "fromString", class: "FileConverter", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // Plexus command line
   { method: "getPosition", class: "Commandline", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -10717,7 +10716,8 @@ var DEFAULT_SINKS = [
   { method: "query", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "query", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
+  // Note: classless { method: 'query' } removed — too many FPs (UriComponentsBuilder.query(), etc.)
+  // SQL query calls are covered by class-specific patterns above (Connection, Pool, Client, JdbcTemplate)
   { method: "raw", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
   // Browser DOM XSS sinks
   { method: "setAttribute", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
@@ -10914,8 +10914,8 @@ var DEFAULT_SINKS = [
   { method: "execute", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query_row", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "prepare", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  // sqlx::query macro
-  { method: "query", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
+  // sqlx::query macro — use class-specific pattern
+  { method: "query", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   // rusqlite specific
   { method: "prepare", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "execute", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
@@ -11430,15 +11430,24 @@ function isInterproceduralTaintableType(typeName) {
 }
 function isParameterizedQueryCall(call, pattern) {
   if (pattern.type !== "sql_injection") return false;
-  if (call.arguments.length < 2) return false;
-  const secondArg = call.arguments.find((a) => a.position === 1);
-  if (!secondArg) return false;
-  if (secondArg.expression) {
-    const expr = secondArg.expression.trim();
-    if (expr.startsWith("[")) {
+  const queryArg = call.arguments.find((a) => a.position === 0);
+  if (queryArg) {
+    const queryText = queryArg.literal ?? queryArg.expression ?? "";
+    const hasPlaceholders = /(\?(?:\s|,|$|\))|\$\d+|:\w+|%s)/.test(queryText);
+    const hasConcatenation = /\+\s*[^+]/.test(queryText) || queryText.includes("${");
+    if (hasPlaceholders && !hasConcatenation && call.arguments.length >= 2) {
       return true;
     }
   }
+  if (call.arguments.length >= 2) {
+    const secondArg = call.arguments.find((a) => a.position === 1);
+    if (secondArg?.expression) {
+      const expr = secondArg.expression.trim();
+      if (expr.startsWith("[")) {
+        return true;
+      }
+    }
+  }
   return false;
 }
 function findSinks(calls, patterns, typeHierarchy) {
@@ -11564,9 +11573,130 @@ var SAFE_RECEIVERS_BY_METHOD = {
     "stmt",
     "statement",
     "cursor"
+  ]),
+  // query() is only a SQL sink when receiver is a database handle — not URL builders,
+  // DOM selectors, GraphQL clients, DNS resolvers, etc.
+  query: /* @__PURE__ */ new Set([
+    "uri",
+    "url",
+    "builder",
+    "uribuilder",
+    "uricomponents",
+    "uricomponentsbuilder",
+    "servleturicomponentsbuilder",
+    "httpurl",
+    "urlbuilder",
+    "webclient",
+    "request",
+    "req",
+    "router",
+    "route",
+    "app",
+    "express",
+    "parser",
+    "selector",
+    "jquery",
+    "dom",
+    "document",
+    "element",
+    "xmlpath",
+    "xpath",
+    "dns",
+    "resolver",
+    "graphql",
+    "apollo",
+    "querybuilder",
+    "criteria"
+  ]),
+  // authenticate() — safe on auth framework objects (token verification, not code exec)
+  authenticate: /* @__PURE__ */ new Set([
+    "auth",
+    "authenticator",
+    "authmanager",
+    "authprovider",
+    "authenticationmanager",
+    "authservice",
+    "oauth",
+    "token",
+    "jwt",
+    "passport",
+    "session",
+    "security",
+    "credentials",
+    "identityprovider",
+    "ldap",
+    "saml",
+    "oidc"
+  ]),
+  // add() is extremely generic — safe on collections, UI containers, builders, etc.
+  add: /* @__PURE__ */ new Set([
+    "list",
+    "set",
+    "map",
+    "collection",
+    "array",
+    "queue",
+    "deque",
+    "stack",
+    "vector",
+    "builder",
+    "panel",
+    "container",
+    "group",
+    "layout",
+    "menu",
+    "toolbar",
+    "model",
+    "registry",
+    "context",
+    "config",
+    "options",
+    "params",
+    "headers",
+    "attributes",
+    "listeners",
+    "handlers",
+    "filters",
+    "interceptors",
+    "validators",
+    "extensions",
+    "plugins",
+    "modules",
+    "components",
+    "children",
+    "items",
+    "elements",
+    "entries",
+    "rows",
+    "columns",
+    "fields",
+    "properties",
+    "descriptors",
+    "nodes",
+    "actions",
+    "results",
+    "errors",
+    "warnings",
+    "messages",
+    "notifications",
+    "events",
+    "subscribers",
+    "observers",
+    "providers",
+    "services",
+    "beans",
+    "tasks",
+    "jobs",
+    "workers",
+    "threads",
+    "schedulers"
   ])
 };
-function isKnownSafeReceiverForMethod(receiver, method, _sinkType) {
+function isKnownSafeReceiverForMethod(receiver, method, sinkType) {
+  const lowerMethod = method.toLowerCase();
+  if ((lowerMethod === "fromxml" || lowerMethod === "unmarshal") && sinkType === "command_injection") {
+    return true;
+  }
   const safeReceivers = SAFE_RECEIVERS_BY_METHOD[method];
   if (!safeReceivers) return false;
   const lowerReceiver = receiver.toLowerCase();
@@ -11672,11 +11802,23 @@ function receiverMightBeClass(receiver, className) {
       }
     }
   }
-  if (lowerClass.includes(lowerReceiver)) {
-    return true;
+  if (lowerReceiver.length >= 3 && lowerClass.includes(lowerReceiver)) {
+    if (lowerReceiver.length >= 5 || lowerReceiver.length / lowerClass.length >= 0.4) {
+      return true;
+    }
   }
-  if (lowerClass.startsWith(lowerReceiver.substring(0, 3))) {
-    return true;
+  if (lowerReceiver.length >= 2) {
+    if (lowerClass.startsWith(lowerReceiver) || lowerClass.endsWith(lowerReceiver)) {
+      return true;
+    }
+  }
+  if (lowerReceiver.length >= 3) {
+    const words = className.replace(/([a-z])([A-Z])/g, "$1\0$2").toLowerCase().split("\0");
+    for (const word of words) {
+      if (word.startsWith(lowerReceiver) && lowerReceiver.length / word.length >= 0.4) {
+        return true;
+      }
+    }
   }
   const commonMappings = {
     // HTTP/Servlet
@@ -11697,8 +11839,10 @@ function receiverMightBeClass(receiver, className) {
     // Process/Runtime
     runtime: ["Runtime"],
     pb: ["ProcessBuilder"],
-    // Scripting
+    // Scripting / Expression evaluation
     engine: ["ScriptEngine"],
+    ev: ["ExpressionEvaluator", "ScriptEvaluator", "ClassBodyEvaluator"],
+    evaluator: ["ExpressionEvaluator", "ScriptEvaluator", "ClassBodyEvaluator"],
     // LDAP
     ctx: ["Context", "InitialContext", "DirContext", "InitialDirContext", "LdapContext"],
     context: ["Context", "InitialContext", "DirContext", "InitialDirContext", "LdapContext"],
@@ -11788,12 +11932,25 @@ function receiverMightBeClass(receiver, className) {
     knex: ["knex"],
     prisma: ["prisma"],
     axios: ["axios"],
-    fetch: ["fetch"]
+    fetch: ["fetch"],
+    // Go idioms (single-letter receivers)
+    r: ["Request"],
+    w: ["ResponseWriter"]
   };
   const mappings = commonMappings[lowerReceiver];
   if (mappings && Array.isArray(mappings) && mappings.includes(className)) {
     return true;
   }
+  const strippedReceiver = lowerReceiver.replace(/\d+$/, "");
+  if (strippedReceiver !== lowerReceiver && strippedReceiver.length >= 2) {
+    const strippedMappings = commonMappings[strippedReceiver];
+    if (strippedMappings && Array.isArray(strippedMappings) && strippedMappings.includes(className)) {
+      return true;
+    }
+    if (lowerClass.startsWith(strippedReceiver) || strippedReceiver.startsWith(lowerClass)) {
+      return true;
+    }
+  }
   return false;
 }
 function formatCallLocation(call) {

package/dist/core/extractors/calls.js

@@ -954,7 +954,7 @@ function extractBashCommandInfo(node) {
         const child = node.child(i);
         if (!child)
             continue;
-        if (child === nameNode)
+        if (child === nameNode || child.id === nameNode.id)
             continue;
         // Skip I/O redirects and heredoc operators
         if (child.type.includes('redirect') ||