circle-ir 3.29.0 → 3.31.0

package/dist/analysis/constant-propagation/patterns.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/analysis/constant-propagation/patterns.ts"],"names":[],"mappings":"AAAA;;GAEG;AAMH,eAAO,MAAM,cAAc,UAgE1B,CAAC;AAGF,eAAO,MAAM,mBAAmB,QAE/B,CAAC;AAMF,eAAO,MAAM,iBAAiB,aAwC5B,CAAC;AAOH,eAAO,MAAM,sBAAsB,aAoBjC,CAAC;AAOH,eAAO,MAAM,kBAAkB,aAsB7B,CAAC"}
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/analysis/constant-propagation/patterns.ts"],"names":[],"mappings":"AAAA;;GAEG;AAMH,eAAO,MAAM,cAAc,UAgE1B,CAAC;AAGF,eAAO,MAAM,mBAAmB,QAE/B,CAAC;AAMF,eAAO,MAAM,iBAAiB,aAwC5B,CAAC;AAOH,eAAO,MAAM,sBAAsB,aA4BjC,CAAC;AAOH,eAAO,MAAM,kBAAkB,aA8B7B,CAAC"}

package/dist/analysis/constant-propagation/patterns.js

@@ -118,6 +118,13 @@ export const ANTI_SANITIZER_METHODS = new Set([
     'unescapeEcmaScript',
     'unescapeJson',
     'unescapeJava',
+    // Apache Shiro WebUtils helpers (CVE-2023-34478, CVE-2023-46749 — issue #8).
+    // These internally call URLDecoder.decode, so a value that passed a
+    // string-level path sanitizer (e.g. Paths.normalize) becomes tainted again
+    // after Shiro re-decodes %2e%2e → "..".
+    'getPathWithinApplication',
+    'getRequestUri',
+    'decodeRequestString',
     // General decoders
     'unescape',
     'decompress',
@@ -145,5 +152,12 @@ export const PROPAGATOR_METHODS = new Set([
     'concat', // String.concat(other)
     // Object utilities
     'requireNonNull', // Objects.requireNonNull(obj)
+    // Apache Shiro WebUtils — propagate taint from string arg through the wrapper
+    // back into the return value (e.g. `WebUtils.decodeRequestString(req, tainted)`).
+    // Also covered by ANTI_SANITIZER_METHODS for sanitized-arg re-tainting and by
+    // configs/sources/http_sources.yaml for the request-bound overloads. Issue #8.
+    'getPathWithinApplication',
+    'getRequestUri',
+    'decodeRequestString',
 ]);
 //# sourceMappingURL=patterns.js.map

package/dist/analysis/constant-propagation/patterns.js.map

@@ -1 +1 @@
-{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/analysis/constant-propagation/patterns.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,6BAA6B;IAC7B,sBAAsB;IACtB,mBAAmB;IACnB,oBAAoB;IACpB,oBAAoB;IACpB,wBAAwB;IACxB,wBAAwB;IACxB,qBAAqB;IACrB,uBAAuB;IACvB,yBAAyB;IACzB,mBAAmB;IACnB,gBAAgB;IAChB,sBAAsB;IACtB,mBAAmB;IACnB,aAAa;IACb,cAAc;IACd,YAAY,EAAG,oBAAoB;IACnC,cAAc;IACd,aAAa;IAEb,0DAA0D;IAC1D,sBAAsB;IACtB,oBAAoB;IACpB,eAAe;IAEf,cAAc;IACd,YAAY;IACZ,WAAW;IACX,YAAY;IACZ,QAAQ;IACR,gBAAgB;IAChB,gBAAgB;IAChB,qBAAqB;IACrB,eAAe;IAEf,kBAAkB;IAClB,wBAAwB;IACxB,cAAc;IAEd,mBAAmB;IACnB,aAAa;IACb,aAAa;IAEb,eAAe;IACf,qBAAqB;IACrB,mBAAmB;IACnB,qBAAqB;IAErB,mCAAmC;IACnC,eAAe;IACf,iBAAiB;IACjB,eAAe;IACf,mBAAmB;IACnB,iBAAiB;IACjB,mBAAmB;IACnB,cAAc;IACd,sBAAsB;IACtB,aAAa;IACb,eAAe;IACf,gBAAgB;IAChB,eAAe;IACf,uBAAuB;IACvB,yBAAyB;CAC1B,CAAC;AAEF,2DAA2D;AAC3D,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,MAAM,CAC3C,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAC5E,CAAC;AAEF,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF,MAAM,CAAC,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IACvC,QAAQ;IACR,eAAe,EAAE,wBAAwB,EAAE,qBAAqB;IAChE,cAAc,EAAE,cAAc,EAAE,cAAc,EAAE,uBAAuB;IACvE,eAAe,EAAE,aAAa,EAAE,gBAAgB,EAAE,cAAc;IAChE,aAAa,EAAE,iBAAiB,EAAE,cAAc;IAEhD,qBAAqB;IACrB,SAAS,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,0BAA0B;IAC3E,eAAe,EAAE,oBAAoB,EAAE,wBAAwB;IAC/D,qBAAqB,EAAE,cAAc,EAAE,WAAW,EAAE,QAAQ,EAAE,iBAAiB;IAC/E,QAAQ,EAAE,iBAAiB,EAAE,eAAe,EAAE,eAAe,EAAE,UAAU;IAEzE,iBAAiB;IACjB,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa;IACrF,kBAAkB,EAAE,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW;IAExE,mBAAmB;IACnB,YAAY,EAAE,mBAAmB,EAAE,eAAe;IAElD,oBAAoB;IACpB,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY;IACvE,SAAS,EAAE,cAAc,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe;IAEnE,4BAA4B;IAC5B,kBAAkB,EAAE,WAAW,EAAE,YAAY;IAE7C,qCAAqC;IACrC,oBAAoB,EAAE,WAAW;IAEjC,0CAA0C;IAC1C,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,UAAU;IAEzC,oCAAoC;IACpC,eAAe,EAAE,sBAAsB,EAAE,cAAc,EAAE,gCAAgC;IACzF,eAAe,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM;IAE9C,UAAU;IACV,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,cAAc;IAC7E,kBAAkB,EAAE,eAAe,EAAE,eAAe;CACrD,CAAC,CAAC;AAEH,gFAAgF;AAChF,yBAAyB;AACzB,+FAA+F;AAC/F,gFAAgF;AAEhF,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC;IAC5C,uCAAuC;IACvC,QAAQ,EAAY,sBAAsB;IAC1C,oBAAoB;IACpB,WAAW;IAEX,6CAA6C;IAC7C,cAAc;IACd,QAAQ,EAAY,+BAA+B;IAEnD,2CAA2C;IAC3C,cAAc,EAAE,eAAe,EAAE,eAAe;IAChD,aAAa;IACb,oBAAoB;IACpB,cAAc;IACd,cAAc;IAEd,mBAAmB;IACnB,UAAU;IACV,YAAY;CACb,CAAC,CAAC;AAEH,gFAAgF;AAChF,qBAAqB;AACrB,iFAAiF;AACjF,gFAAgF;AAEhF,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACxC,yBAAyB;IACzB,KAAK,EAAa,qCAAqC;IACvD,IAAI,EAAc,wBAAwB;IAC1C,SAAS,EAAS,sBAAsB;IACxC,gBAAgB,EAAE,6BAA6B;IAC/C,YAAY,EAAM,yBAAyB;IAE3C,UAAU;IACV,QAAQ,EAAU,qBAAqB;IACvC,OAAO,EAAW,eAAe;IACjC,OAAO,EAAW,cAAc;IAChC,QAAQ,EAAU,8BAA8B;IAEhD,mBAAmB;IACnB,SAAS,EAAS,oBAAoB;IACtC,QAAQ,EAAU,qBAAqB;IACvC,MAAM,EAAY,mBAAmB;IACrC,QAAQ,EAAU,uBAAuB;IAEzC,mBAAmB;IACnB,gBAAgB,EAAE,8BAA8B;CACjD,CAAC,CAAC"}
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/analysis/constant-propagation/patterns.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,6BAA6B;IAC7B,sBAAsB;IACtB,mBAAmB;IACnB,oBAAoB;IACpB,oBAAoB;IACpB,wBAAwB;IACxB,wBAAwB;IACxB,qBAAqB;IACrB,uBAAuB;IACvB,yBAAyB;IACzB,mBAAmB;IACnB,gBAAgB;IAChB,sBAAsB;IACtB,mBAAmB;IACnB,aAAa;IACb,cAAc;IACd,YAAY,EAAG,oBAAoB;IACnC,cAAc;IACd,aAAa;IAEb,0DAA0D;IAC1D,sBAAsB;IACtB,oBAAoB;IACpB,eAAe;IAEf,cAAc;IACd,YAAY;IACZ,WAAW;IACX,YAAY;IACZ,QAAQ;IACR,gBAAgB;IAChB,gBAAgB;IAChB,qBAAqB;IACrB,eAAe;IAEf,kBAAkB;IAClB,wBAAwB;IACxB,cAAc;IAEd,mBAAmB;IACnB,aAAa;IACb,aAAa;IAEb,eAAe;IACf,qBAAqB;IACrB,mBAAmB;IACnB,qBAAqB;IAErB,mCAAmC;IACnC,eAAe;IACf,iBAAiB;IACjB,eAAe;IACf,mBAAmB;IACnB,iBAAiB;IACjB,mBAAmB;IACnB,cAAc;IACd,sBAAsB;IACtB,aAAa;IACb,eAAe;IACf,gBAAgB;IAChB,eAAe;IACf,uBAAuB;IACvB,yBAAyB;CAC1B,CAAC;AAEF,2DAA2D;AAC3D,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,MAAM,CAC3C,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAC5E,CAAC;AAEF,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF,MAAM,CAAC,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IACvC,QAAQ;IACR,eAAe,EAAE,wBAAwB,EAAE,qBAAqB;IAChE,cAAc,EAAE,cAAc,EAAE,cAAc,EAAE,uBAAuB;IACvE,eAAe,EAAE,aAAa,EAAE,gBAAgB,EAAE,cAAc;IAChE,aAAa,EAAE,iBAAiB,EAAE,cAAc;IAEhD,qBAAqB;IACrB,SAAS,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,0BAA0B;IAC3E,eAAe,EAAE,oBAAoB,EAAE,wBAAwB;IAC/D,qBAAqB,EAAE,cAAc,EAAE,WAAW,EAAE,QAAQ,EAAE,iBAAiB;IAC/E,QAAQ,EAAE,iBAAiB,EAAE,eAAe,EAAE,eAAe,EAAE,UAAU;IAEzE,iBAAiB;IACjB,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa;IACrF,kBAAkB,EAAE,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW;IAExE,mBAAmB;IACnB,YAAY,EAAE,mBAAmB,EAAE,eAAe;IAElD,oBAAoB;IACpB,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY;IACvE,SAAS,EAAE,cAAc,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe;IAEnE,4BAA4B;IAC5B,kBAAkB,EAAE,WAAW,EAAE,YAAY;IAE7C,qCAAqC;IACrC,oBAAoB,EAAE,WAAW;IAEjC,0CAA0C;IAC1C,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,UAAU;IAEzC,oCAAoC;IACpC,eAAe,EAAE,sBAAsB,EAAE,cAAc,EAAE,gCAAgC;IACzF,eAAe,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM;IAE9C,UAAU;IACV,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,cAAc;IAC7E,kBAAkB,EAAE,eAAe,EAAE,eAAe;CACrD,CAAC,CAAC;AAEH,gFAAgF;AAChF,yBAAyB;AACzB,+FAA+F;AAC/F,gFAAgF;AAEhF,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC;IAC5C,uCAAuC;IACvC,QAAQ,EAAY,sBAAsB;IAC1C,oBAAoB;IACpB,WAAW;IAEX,6CAA6C;IAC7C,cAAc;IACd,QAAQ,EAAY,+BAA+B;IAEnD,2CAA2C;IAC3C,cAAc,EAAE,eAAe,EAAE,eAAe;IAChD,aAAa;IACb,oBAAoB;IACpB,cAAc;IACd,cAAc;IAEd,6EAA6E;IAC7E,oEAAoE;IACpE,2EAA2E;IAC3E,wCAAwC;IACxC,0BAA0B;IAC1B,eAAe;IACf,qBAAqB;IAErB,mBAAmB;IACnB,UAAU;IACV,YAAY;CACb,CAAC,CAAC;AAEH,gFAAgF;AAChF,qBAAqB;AACrB,iFAAiF;AACjF,gFAAgF;AAEhF,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACxC,yBAAyB;IACzB,KAAK,EAAa,qCAAqC;IACvD,IAAI,EAAc,wBAAwB;IAC1C,SAAS,EAAS,sBAAsB;IACxC,gBAAgB,EAAE,6BAA6B;IAC/C,YAAY,EAAM,yBAAyB;IAE3C,UAAU;IACV,QAAQ,EAAU,qBAAqB;IACvC,OAAO,EAAW,eAAe;IACjC,OAAO,EAAW,cAAc;IAChC,QAAQ,EAAU,8BAA8B;IAEhD,mBAAmB;IACnB,SAAS,EAAS,oBAAoB;IACtC,QAAQ,EAAU,qBAAqB;IACvC,MAAM,EAAY,mBAAmB;IACrC,QAAQ,EAAU,uBAAuB;IAEzC,mBAAmB;IACnB,gBAAgB,EAAE,8BAA8B;IAEhD,8EAA8E;IAC9E,kFAAkF;IAClF,8EAA8E;IAC9E,+EAA+E;IAC/E,0BAA0B;IAC1B,eAAe;IACf,qBAAqB;CACtB,CAAC,CAAC"}

package/dist/browser/circle-ir.js

@@ -9626,6 +9626,13 @@ var DEFAULT_SOURCES = [
   { method: "getContextPath", class: "HttpServletRequest", type: "http_path", severity: "medium", return_tainted: true },
   { method: "getRemoteHost", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
   { method: "getRemoteAddr", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  // Apache Shiro WebUtils helpers — return URL-decoded request data. The internal
+  // decodeRequestString → URLDecoder.decode chain can re-introduce ../ from
+  // %2e%2e payloads that bypassed auth-time normalization. CVE-2023-34478,
+  // CVE-2023-46749 (issue #8).
+  { method: "getPathWithinApplication", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
+  { method: "getRequestUri", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
+  { method: "decodeRequestString", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
   // Additional HTTP request methods that can be attacker-controlled
   { method: "getProtocol", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
   { method: "getScheme", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
@@ -9767,6 +9774,14 @@ var DEFAULT_SOURCES = [
   { method: "getContent", class: "Block", type: "io_input", severity: "high", return_tainted: true },
   { method: "getParameters", class: "Block", type: "io_input", severity: "high", return_tainted: true },
   { method: "getRawContent", type: "io_input", severity: "high", return_tainted: true },
+  // XWiki request-bound sources (issue #10, CVE-2022-24897 / 2023-29201 / 2023-29528 /
+  // 2023-36471 / 2023-37908). XWikiRequest.get(name) / .getParameter(name) /
+  // XWikiContext.getRequest().get(...) all return URL/form data unchanged.
+  { method: "get", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameter", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterValues", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterMap", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getHeader", class: "XWikiRequest", type: "http_header", severity: "high", return_tainted: true },
   // SAX/XML parsing sources (data from parsed XML)
   { method: "getAttributes", class: "XMLReader", type: "io_input", severity: "high", return_tainted: true },
   { method: "getValue", class: "Attributes", type: "io_input", severity: "high", return_tainted: true },
@@ -10394,6 +10409,12 @@ var DEFAULT_SINKS = [
   { method: "eval", class: "MVEL", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "createValueExpression", class: "ExpressionFactory", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
   { method: "createMethodExpression", class: "ExpressionFactory", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
+  // Apache NiFi Expression Language (CVE-2023-36542, issue #11).
+  // PropertyValue.evaluateAttributeExpressions(...) runs NiFi EL against
+  // user-controlled property values — if the property is attacker-influenced
+  // the EL evaluation is a code-injection sink.
+  { method: "evaluateAttributeExpressions", class: "PropertyValue", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  { method: "evaluateAttributeExpressions", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
   // Groovy script execution
   { method: "evaluate", class: "GroovyShell", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "parse", class: "GroovyShell", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
@@ -10608,6 +10629,27 @@ var DEFAULT_SINKS = [
   { method: "cleanAttributes", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "printXMLElement", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "printXMLStartElement", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  // XWiki rendering output sinks (issue #10, CVE-2022-24897 / 2023-29201 /
+  // 2023-29528 / 2023-36471 / 2023-37908). WikiPrinter is the base output
+  // interface; DefaultWikiPrinter and AnnotatedXHTMLWikiPrinter are the
+  // concrete renderers that emit HTML into the response stream.
+  { method: "print", class: "WikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "WikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "DefaultWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "DefaultWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXML", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLComment", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLElement", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLStartElement", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  // Block renderers — `render(block, printer)` writes the block content out.
+  // The block argument carries the parsed (possibly tainted) wiki content.
+  { method: "render", class: "BlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "render", class: "AbstractBlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "render", class: "DefaultBlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   // XHTML renderer chains
   { method: "initialize", class: "HTML5Renderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "initialize", class: "XHTMLRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -14533,6 +14575,13 @@ var ANTI_SANITIZER_METHODS = /* @__PURE__ */ new Set([
   "unescapeEcmaScript",
   "unescapeJson",
   "unescapeJava",
+  // Apache Shiro WebUtils helpers (CVE-2023-34478, CVE-2023-46749 — issue #8).
+  // These internally call URLDecoder.decode, so a value that passed a
+  // string-level path sanitizer (e.g. Paths.normalize) becomes tainted again
+  // after Shiro re-decodes %2e%2e → "..".
+  "getPathWithinApplication",
+  "getRequestUri",
+  "decodeRequestString",
   // General decoders
   "unescape",
   "decompress"
@@ -14568,8 +14617,15 @@ var PROPAGATOR_METHODS = /* @__PURE__ */ new Set([
   "concat",
   // String.concat(other)
   // Object utilities
-  "requireNonNull"
+  "requireNonNull",
   // Objects.requireNonNull(obj)
+  // Apache Shiro WebUtils — propagate taint from string arg through the wrapper
+  // back into the return value (e.g. `WebUtils.decodeRequestString(req, tainted)`).
+  // Also covered by ANTI_SANITIZER_METHODS for sanitized-arg re-tainting and by
+  // configs/sources/http_sources.yaml for the request-bound overloads. Issue #8.
+  "getPathWithinApplication",
+  "getRequestUri",
+  "decodeRequestString"
 ]);
 
 // src/analysis/constant-propagation/propagator.ts

package/dist/core/circle-ir-core.cjs

@@ -9742,6 +9742,13 @@ var DEFAULT_SOURCES = [
   { method: "getContextPath", class: "HttpServletRequest", type: "http_path", severity: "medium", return_tainted: true },
   { method: "getRemoteHost", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
   { method: "getRemoteAddr", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  // Apache Shiro WebUtils helpers — return URL-decoded request data. The internal
+  // decodeRequestString → URLDecoder.decode chain can re-introduce ../ from
+  // %2e%2e payloads that bypassed auth-time normalization. CVE-2023-34478,
+  // CVE-2023-46749 (issue #8).
+  { method: "getPathWithinApplication", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
+  { method: "getRequestUri", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
+  { method: "decodeRequestString", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
   // Additional HTTP request methods that can be attacker-controlled
   { method: "getProtocol", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
   { method: "getScheme", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
@@ -9883,6 +9890,14 @@ var DEFAULT_SOURCES = [
   { method: "getContent", class: "Block", type: "io_input", severity: "high", return_tainted: true },
   { method: "getParameters", class: "Block", type: "io_input", severity: "high", return_tainted: true },
   { method: "getRawContent", type: "io_input", severity: "high", return_tainted: true },
+  // XWiki request-bound sources (issue #10, CVE-2022-24897 / 2023-29201 / 2023-29528 /
+  // 2023-36471 / 2023-37908). XWikiRequest.get(name) / .getParameter(name) /
+  // XWikiContext.getRequest().get(...) all return URL/form data unchanged.
+  { method: "get", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameter", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterValues", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterMap", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getHeader", class: "XWikiRequest", type: "http_header", severity: "high", return_tainted: true },
   // SAX/XML parsing sources (data from parsed XML)
   { method: "getAttributes", class: "XMLReader", type: "io_input", severity: "high", return_tainted: true },
   { method: "getValue", class: "Attributes", type: "io_input", severity: "high", return_tainted: true },
@@ -10510,6 +10525,12 @@ var DEFAULT_SINKS = [
   { method: "eval", class: "MVEL", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "createValueExpression", class: "ExpressionFactory", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
   { method: "createMethodExpression", class: "ExpressionFactory", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
+  // Apache NiFi Expression Language (CVE-2023-36542, issue #11).
+  // PropertyValue.evaluateAttributeExpressions(...) runs NiFi EL against
+  // user-controlled property values — if the property is attacker-influenced
+  // the EL evaluation is a code-injection sink.
+  { method: "evaluateAttributeExpressions", class: "PropertyValue", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  { method: "evaluateAttributeExpressions", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
   // Groovy script execution
   { method: "evaluate", class: "GroovyShell", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "parse", class: "GroovyShell", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
@@ -10724,6 +10745,27 @@ var DEFAULT_SINKS = [
   { method: "cleanAttributes", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "printXMLElement", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "printXMLStartElement", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  // XWiki rendering output sinks (issue #10, CVE-2022-24897 / 2023-29201 /
+  // 2023-29528 / 2023-36471 / 2023-37908). WikiPrinter is the base output
+  // interface; DefaultWikiPrinter and AnnotatedXHTMLWikiPrinter are the
+  // concrete renderers that emit HTML into the response stream.
+  { method: "print", class: "WikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "WikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "DefaultWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "DefaultWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXML", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLComment", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLElement", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLStartElement", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  // Block renderers — `render(block, printer)` writes the block content out.
+  // The block argument carries the parsed (possibly tainted) wiki content.
+  { method: "render", class: "BlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "render", class: "AbstractBlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "render", class: "DefaultBlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   // XHTML renderer chains
   { method: "initialize", class: "HTML5Renderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "initialize", class: "XHTMLRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -13207,6 +13249,13 @@ var ANTI_SANITIZER_METHODS = /* @__PURE__ */ new Set([
   "unescapeEcmaScript",
   "unescapeJson",
   "unescapeJava",
+  // Apache Shiro WebUtils helpers (CVE-2023-34478, CVE-2023-46749 — issue #8).
+  // These internally call URLDecoder.decode, so a value that passed a
+  // string-level path sanitizer (e.g. Paths.normalize) becomes tainted again
+  // after Shiro re-decodes %2e%2e → "..".
+  "getPathWithinApplication",
+  "getRequestUri",
+  "decodeRequestString",
   // General decoders
   "unescape",
   "decompress"
@@ -13242,8 +13291,15 @@ var PROPAGATOR_METHODS = /* @__PURE__ */ new Set([
   "concat",
   // String.concat(other)
   // Object utilities
-  "requireNonNull"
+  "requireNonNull",
   // Objects.requireNonNull(obj)
+  // Apache Shiro WebUtils — propagate taint from string arg through the wrapper
+  // back into the return value (e.g. `WebUtils.decodeRequestString(req, tainted)`).
+  // Also covered by ANTI_SANITIZER_METHODS for sanitized-arg re-tainting and by
+  // configs/sources/http_sources.yaml for the request-bound overloads. Issue #8.
+  "getPathWithinApplication",
+  "getRequestUri",
+  "decodeRequestString"
 ]);
 
 // src/analysis/constant-propagation/propagator.ts

package/dist/core/circle-ir-core.js

@@ -9677,6 +9677,13 @@ var DEFAULT_SOURCES = [
   { method: "getContextPath", class: "HttpServletRequest", type: "http_path", severity: "medium", return_tainted: true },
   { method: "getRemoteHost", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
   { method: "getRemoteAddr", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  // Apache Shiro WebUtils helpers — return URL-decoded request data. The internal
+  // decodeRequestString → URLDecoder.decode chain can re-introduce ../ from
+  // %2e%2e payloads that bypassed auth-time normalization. CVE-2023-34478,
+  // CVE-2023-46749 (issue #8).
+  { method: "getPathWithinApplication", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
+  { method: "getRequestUri", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
+  { method: "decodeRequestString", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
   // Additional HTTP request methods that can be attacker-controlled
   { method: "getProtocol", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
   { method: "getScheme", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
@@ -9818,6 +9825,14 @@ var DEFAULT_SOURCES = [
   { method: "getContent", class: "Block", type: "io_input", severity: "high", return_tainted: true },
   { method: "getParameters", class: "Block", type: "io_input", severity: "high", return_tainted: true },
   { method: "getRawContent", type: "io_input", severity: "high", return_tainted: true },
+  // XWiki request-bound sources (issue #10, CVE-2022-24897 / 2023-29201 / 2023-29528 /
+  // 2023-36471 / 2023-37908). XWikiRequest.get(name) / .getParameter(name) /
+  // XWikiContext.getRequest().get(...) all return URL/form data unchanged.
+  { method: "get", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameter", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterValues", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterMap", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getHeader", class: "XWikiRequest", type: "http_header", severity: "high", return_tainted: true },
   // SAX/XML parsing sources (data from parsed XML)
   { method: "getAttributes", class: "XMLReader", type: "io_input", severity: "high", return_tainted: true },
   { method: "getValue", class: "Attributes", type: "io_input", severity: "high", return_tainted: true },
@@ -10445,6 +10460,12 @@ var DEFAULT_SINKS = [
   { method: "eval", class: "MVEL", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "createValueExpression", class: "ExpressionFactory", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
   { method: "createMethodExpression", class: "ExpressionFactory", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
+  // Apache NiFi Expression Language (CVE-2023-36542, issue #11).
+  // PropertyValue.evaluateAttributeExpressions(...) runs NiFi EL against
+  // user-controlled property values — if the property is attacker-influenced
+  // the EL evaluation is a code-injection sink.
+  { method: "evaluateAttributeExpressions", class: "PropertyValue", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  { method: "evaluateAttributeExpressions", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
   // Groovy script execution
   { method: "evaluate", class: "GroovyShell", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "parse", class: "GroovyShell", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
@@ -10659,6 +10680,27 @@ var DEFAULT_SINKS = [
   { method: "cleanAttributes", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "printXMLElement", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "printXMLStartElement", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  // XWiki rendering output sinks (issue #10, CVE-2022-24897 / 2023-29201 /
+  // 2023-29528 / 2023-36471 / 2023-37908). WikiPrinter is the base output
+  // interface; DefaultWikiPrinter and AnnotatedXHTMLWikiPrinter are the
+  // concrete renderers that emit HTML into the response stream.
+  { method: "print", class: "WikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "WikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "DefaultWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "DefaultWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXML", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLComment", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLElement", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLStartElement", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  // Block renderers — `render(block, printer)` writes the block content out.
+  // The block argument carries the parsed (possibly tainted) wiki content.
+  { method: "render", class: "BlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "render", class: "AbstractBlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "render", class: "DefaultBlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   // XHTML renderer chains
   { method: "initialize", class: "HTML5Renderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "initialize", class: "XHTMLRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -13142,6 +13184,13 @@ var ANTI_SANITIZER_METHODS = /* @__PURE__ */ new Set([
   "unescapeEcmaScript",
   "unescapeJson",
   "unescapeJava",
+  // Apache Shiro WebUtils helpers (CVE-2023-34478, CVE-2023-46749 — issue #8).
+  // These internally call URLDecoder.decode, so a value that passed a
+  // string-level path sanitizer (e.g. Paths.normalize) becomes tainted again
+  // after Shiro re-decodes %2e%2e → "..".
+  "getPathWithinApplication",
+  "getRequestUri",
+  "decodeRequestString",
   // General decoders
   "unescape",
   "decompress"
@@ -13177,8 +13226,15 @@ var PROPAGATOR_METHODS = /* @__PURE__ */ new Set([
   "concat",
   // String.concat(other)
   // Object utilities
-  "requireNonNull"
+  "requireNonNull",
   // Objects.requireNonNull(obj)
+  // Apache Shiro WebUtils — propagate taint from string arg through the wrapper
+  // back into the return value (e.g. `WebUtils.decodeRequestString(req, tainted)`).
+  // Also covered by ANTI_SANITIZER_METHODS for sanitized-arg re-tainting and by
+  // configs/sources/http_sources.yaml for the request-bound overloads. Issue #8.
+  "getPathWithinApplication",
+  "getRequestUri",
+  "decodeRequestString"
 ]);
 
 // src/analysis/constant-propagation/propagator.ts

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir",
-  "version": "3.29.0",
+  "version": "3.31.0",
   "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
   "main": "dist/index.js",
   "module": "dist/index.js",