circle-ir 3.29.0 → 3.31.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/configs/sources/http_sources.yaml +24 -0
- package/dist/analysis/config-loader.d.ts.map +1 -1
- package/dist/analysis/config-loader.js +42 -0
- package/dist/analysis/config-loader.js.map +1 -1
- package/dist/analysis/constant-propagation/patterns.d.ts.map +1 -1
- package/dist/analysis/constant-propagation/patterns.js +14 -0
- package/dist/analysis/constant-propagation/patterns.js.map +1 -1
- package/dist/browser/circle-ir.js +57 -1
- package/dist/core/circle-ir-core.cjs +57 -1
- package/dist/core/circle-ir-core.js +57 -1
- package/package.json +1 -1
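--- a/package/configs/sources/http_sources.yaml
+++ b/package/configs/sources/http_sources.yaml
@@ -64,6 +64,30 @@
 "return_tainted": true,
 "note": "Extra path information"
 },
+{
+"method": "getPathWithinApplication",
+"class": "WebUtils",
+"type": "http_path",
+"severity": "high",
+"return_tainted": true,
+"note": "Apache Shiro path extractor - internally URL-decodes request URI via decodeRequestString → URLDecoder.decode. Tainted because the decoded form can re-introduce path-traversal sequences (%2e%2e → ..) after auth-time normalization. CVE-2023-34478, CVE-2023-46749 (#8)."
+},
+{
+"method": "getRequestUri",
+"class": "WebUtils",
+"type": "http_path",
+"severity": "high",
+"return_tainted": true,
+"note": "Apache Shiro URL-decoded request URI helper. Lowercase 'Uri' differentiates from HttpServletRequest.getRequestURI."
+},
+{
+"method": "decodeRequestString",
+"class": "WebUtils",
+"type": "http_path",
+"severity": "high",
+"return_tainted": true,
+"note": "Apache Shiro URLDecoder wrapper - explicit single-pass decode of an attacker-controlled string."
+},
 {
 "method": "getCookies",
 "class": "HttpServletRequest",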
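Review bot: The third added entry, `decodeRequestString`, is modeled as an unconditional taint source (`"return_tainted": true`) although its own note describes it as a URLDecoder wrapper whose output is attacker-controlled only when its argument is; as written, a call like `WebUtils.decodeRequestString("fixed")` is reported as tainted exactly like one fed from the request, and the same entry is repeated in the config-loader.js hunk at `@@ -79,6 +79,13 @@`. The other two entries take the request object itself and are legitimately sources, so the problem is confined to this one. If the loader has a pass-through rule kind (taint flowing from an argument to the return value), this entry belongs there; if it does not, the note should say the over-approximation is deliberate, e.g. `"note": "Apache Shiro URLDecoder wrapper. Modeled as a source rather than a pass-through: every explicit decode is reported, including decodes of constant input."`.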
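--- a/package/dist/analysis/config-loader.d.ts.map
+++ b/package/dist/analysis/config-loader.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,
+{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA4a1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAwpCtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA6LhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}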
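--- a/package/dist/analysis/config-loader.js
+++ b/package/dist/analysis/config-loader.js
@@ -79,6 +79,13 @@ export const DEFAULT_SOURCES = [
 { method: 'getContextPath', class: 'HttpServletRequest', type: 'http_path', severity: 'medium', return_tainted: true },
 { method: 'getRemoteHost', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
 { method: 'getRemoteAddr', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
+// Apache Shiro WebUtils helpers — return URL-decoded request data. The internal
+// decodeRequestString → URLDecoder.decode chain can re-introduce ../ from
+// %2e%2e payloads that bypassed auth-time normalization. CVE-2023-34478,
+// CVE-2023-46749 (issue #8).
+{ method: 'getPathWithinApplication', class: 'WebUtils', type: 'http_path', severity: 'high', return_tainted: true },
+{ method: 'getRequestUri', class: 'WebUtils', type: 'http_path', severity: 'high', return_tainted: true },
+{ method: 'decodeRequestString', class: 'WebUtils', type: 'http_path', severity: 'high', return_tainted: true },
 // Additional HTTP request methods that can be attacker-controlled
 { method: 'getProtocol', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
 { method: 'getScheme', class: 'HttpServletRequest', type: 'http_header', severity: 'medium', return_tainted: true },
@@ -220,6 +227,14 @@ export const DEFAULT_SOURCES = [
 { method: 'getContent', class: 'Block', type: 'io_input', severity: 'high', return_tainted: true },
 { method: 'getParameters', class: 'Block', type: 'io_input', severity: 'high', return_tainted: true },
 { method: 'getRawContent', type: 'io_input', severity: 'high', return_tainted: true },
+// XWiki request-bound sources (issue #10, CVE-2022-24897 / 2023-29201 / 2023-29528 /
+// 2023-36471 / 2023-37908). XWikiRequest.get(name) / .getParameter(name) /
+// XWikiContext.getRequest().get(...) all return URL/form data unchanged.
+{ method: 'get', class: 'XWikiRequest', type: 'http_param', severity: 'high', return_tainted: true },
+{ method: 'getParameter', class: 'XWikiRequest', type: 'http_param', severity: 'high', return_tainted: true },
+{ method: 'getParameterValues', class: 'XWikiRequest', type: 'http_param', severity: 'high', return_tainted: true },
+{ method: 'getParameterMap', class: 'XWikiRequest', type: 'http_param', severity: 'high', return_tainted: true },
+{ method: 'getHeader', class: 'XWikiRequest', type: 'http_header', severity: 'high', return_tainted: true },
 // SAX/XML parsing sources (data from parsed XML)
 { method: 'getAttributes', class: 'XMLReader', type: 'io_input', severity: 'high', return_tainted: true },
 { method: 'getValue', class: 'Attributes', type: 'io_input', severity: 'high', return_tainted: true },
@@ -847,6 +862,12 @@ export const DEFAULT_SINKS = [
 { method: 'eval', class: 'MVEL', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
 { method: 'createValueExpression', class: 'ExpressionFactory', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [1] },
 { method: 'createMethodExpression', class: 'ExpressionFactory', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [1] },
+// Apache NiFi Expression Language (CVE-2023-36542, issue #11).
+// PropertyValue.evaluateAttributeExpressions(...) runs NiFi EL against
+// user-controlled property values — if the property is attacker-influenced
+// the EL evaluation is a code-injection sink.
+{ method: 'evaluateAttributeExpressions', class: 'PropertyValue', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+{ method: 'evaluateAttributeExpressions', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
 // Groovy script execution
 { method: 'evaluate', class: 'GroovyShell', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
 { method: 'parse', class: 'GroovyShell', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
@@ -1060,6 +1081,27 @@ export const DEFAULT_SINKS = [
 { method: 'cleanAttributes', class: 'XHTMLWikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
 { method: 'printXMLElement', class: 'XHTMLWikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
 { method: 'printXMLStartElement', class: 'XHTMLWikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
+// XWiki rendering output sinks (issue #10, CVE-2022-24897 / 2023-29201 /
+// 2023-29528 / 2023-36471 / 2023-37908). WikiPrinter is the base output
+// interface; DefaultWikiPrinter and AnnotatedXHTMLWikiPrinter are the
+// concrete renderers that emit HTML into the response stream.
+{ method: 'print', class: 'WikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
+{ method: 'println', class: 'WikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
+{ method: 'print', class: 'DefaultWikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
+{ method: 'println', class: 'DefaultWikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
+{ method: 'print', class: 'XHTMLWikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
+{ method: 'println', class: 'XHTMLWikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
+{ method: 'printXML', class: 'XHTMLWikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
+{ method: 'printXMLComment', class: 'XHTMLWikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
+{ method: 'print', class: 'AnnotatedXHTMLWikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
+{ method: 'println', class: 'AnnotatedXHTMLWikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
+{ method: 'printXMLElement', class: 'AnnotatedXHTMLWikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
+{ method: 'printXMLStartElement', class: 'AnnotatedXHTMLWikiPrinter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
+// Block renderers — `render(block, printer)` writes the block content out.
+// The block argument carries the parsed (possibly tainted) wiki content.
+{ method: 'render', class: 'BlockRenderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
+{ method: 'render', class: 'AbstractBlockRenderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
+{ method: 'render', class: 'DefaultBlockRenderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
 // XHTML renderer chains
 { method: 'initialize', class: 'HTML5Renderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
 { method: 'initialize', class: 'XHTMLRenderer', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },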
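Review bot: The two `evaluateAttributeExpressions` sinks added in the `@@ -847,6 +862,12 @@` hunk carry `arg_positions: []`, while every other sink in view names at least one argument; the comment above them says the tainted value is the property the method is called on, i.e. the receiver rather than an argument, so whether these rules can fire at all depends on how the matcher reads an empty list — if it means "no argument is checked" they are dead rules, and if it means "any call" they report every NiFi property evaluation regardless of taint. Whichever is intended should be written next to the entries, e.g. `// arg_positions: [] is deliberate — the tainted value is the PropertyValue receiver, so this relies on receiver-taint matching rather than argument matching`, and backed by a fixture with one tainted and one constant receiver. The second, class-less entry already matches every `evaluateAttributeExpressions` call, so the `PropertyValue`-qualified one above it is redundant unless qualified entries take precedence in the loader. In the `@@ -1060,6 +1081,27 @@` hunk I would also confirm against the XWiki rendering API that `XHTMLWikiPrinter.printXML` writes its argument unescaped before shipping it as an XSS sink; if that helper escapes, the entry yields false positives rather than findings. The `DEFAULT_SOURCES` and `DEFAULT_SINKS` arrays these hunks sit in begin and end outside the shown hunks.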