circle-ir 3.3.1 → 3.3.3

package/dist/browser/circle-ir.js

@@ -3998,6 +3998,7 @@ var parserInitializing = null;
 var loadedLanguages = /* @__PURE__ */ new Map();
 var loadingLanguages = /* @__PURE__ */ new Map();
 var configuredLanguagePaths = {};
+var configuredLanguageModules = {};
 async function initParser(options = {}) {
   if (parserInitialized) {
     return;
@@ -4005,14 +4006,28 @@ async function initParser(options = {}) {
   if (parserInitializing) {
     return parserInitializing;
   }
-  const wasmPath = options.wasmPath ?? await getDefaultWasmPath();
   if (options.languagePaths) {
     configuredLanguagePaths = options.languagePaths;
   }
+  if (options.languageModules) {
+    configuredLanguageModules = options.languageModules;
+  }
   parserInitializing = (async () => {
-    await Parser.init({
-      locateFile: () => wasmPath
-    });
+    if (options.wasmModule) {
+      await Parser.init({
+        locateFile: () => "web-tree-sitter.wasm",
+        instantiateWasm(imports, callback) {
+          const instance2 = new WebAssembly.Instance(options.wasmModule, imports);
+          callback(instance2, options.wasmModule);
+          return instance2.exports;
+        }
+      });
+    } else {
+      const wasmPath = options.wasmPath ?? await getDefaultWasmPath();
+      await Parser.init({
+        locateFile: () => wasmPath
+      });
+    }
     parserInitialized = true;
     parserInitializing = null;
   })();
@@ -4030,6 +4045,17 @@ async function loadLanguage(language, wasmPath) {
   if (loading) {
     return loading;
   }
+  const grammarName = language === "typescript" ? "javascript" : language;
+  const wasmModule = configuredLanguageModules[language] ?? configuredLanguageModules[grammarName];
+  if (wasmModule) {
+    const loadPromise2 = (async () => {
+      const lang = await Language.load(wasmModule);
+      loadedLanguages.set(language, lang);
+      return lang;
+    })();
+    loadingLanguages.set(language, loadPromise2);
+    return loadPromise2;
+  }
   const path = wasmPath ?? configuredLanguagePaths[language] ?? await getDefaultLanguagePath(language);
   const loadPromise = (async () => {
     const lang = await Language.load(path);
@@ -10904,7 +10930,12 @@ function propagateTaint(dfg, calls, sources, sinks, sanitizers) {
     existing.push(san);
     sanitizersByLine.set(san.line, existing);
   }
-  const initialTaint = findInitialTaint(sources, dfg, callsByLine, defsByLine);
+  const rawInitialTaint = findInitialTaint(sources, dfg, callsByLine, defsByLine);
+  const initialTaint = rawInitialTaint.filter((tv) => {
+    if (tv.line === tv.sourceLine) return true;
+    const sanCheck = checkSanitized(tv.sourceLine, tv.line, tv.sourceType, sanitizersByLine);
+    return !sanCheck.sanitized;
+  });
   taintedVars.push(...initialTaint);
   const propagatedTaint = propagateThroughChains(
     initialTaint,
@@ -11046,7 +11077,36 @@ function propagateThroughChains(initialTaint, chains, defById, sanitizersByLine)
   }
   return propagated;
 }
-function checkSanitized(_fromLine, _toLine, _sinkType, _sanitizersByLine) {
+var KNOWN_SINK_TYPES = /* @__PURE__ */ new Set([
+  "sql_injection",
+  "xss",
+  "path_traversal",
+  "command_injection",
+  "ssrf",
+  "ldap_injection",
+  "xpath_injection",
+  "log_injection",
+  "xxe",
+  "deserialization",
+  "code_injection"
+]);
+function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
+  const sanitizersAtTarget = sanitizersByLine.get(toLine);
+  if (!sanitizersAtTarget || sanitizersAtTarget.length === 0) {
+    return { sanitized: false };
+  }
+  const isKnownSinkType = KNOWN_SINK_TYPES.has(sinkType);
+  for (const san of sanitizersAtTarget) {
+    if (isKnownSinkType) {
+      if (san.sanitizes.includes(sinkType)) {
+        return { sanitized: true, sanitizer: san };
+      }
+    } else {
+      if (san.sanitizes.length > 0) {
+        return { sanitized: true, sanitizer: san };
+      }
+    }
+  }
   return { sanitized: false };
 }
 function buildTaintFlow(source, sink, taintInfo, dfg, defById) {
@@ -11131,6 +11191,37 @@ function analyzeInterprocedural(types, calls, dfg, sources, sinks, sanitizers, o
     "clone",
     "clear"
   ]);
+  const safeUtilityMethods = /* @__PURE__ */ new Set([
+    // Path validation and normalization
+    "normalizePath",
+    "normalizeLineEndings",
+    "isPathWithin",
+    "isPathWithinAllowedDirectories",
+    "isPathAllowed",
+    "validatePath",
+    "resolvePath",
+    "resolve",
+    "relative",
+    "join",
+    // File utilities (reading/processing, not writing)
+    "tailFile",
+    "headFile",
+    "readFileContent",
+    "readFile",
+    "read",
+    // Pattern matching (used in validation)
+    "minimatch",
+    "match",
+    "test",
+    "includes",
+    "startsWith",
+    "endsWith",
+    // General validation
+    "validate",
+    "validateInput",
+    "check",
+    "verify"
+  ]);
   const sanitizerMethods = /* @__PURE__ */ new Set();
   for (const san of sanitizers) {
     sanitizerMethods.add(san.method);
@@ -11155,7 +11246,7 @@ function analyzeInterprocedural(types, calls, dfg, sources, sinks, sanitizers, o
     }
     const targetMethod = getMethodNode(methodNodes, call.method_name);
     if (!targetMethod) {
-      if (taintedArgPositions.length > 0 && !collectionMethods.has(call.method_name) && !sanitizerMethods.has(call.method_name)) {
+      if (taintedArgPositions.length > 0 && !collectionMethods.has(call.method_name) && !sanitizerMethods.has(call.method_name) && !safeUtilityMethods.has(call.method_name)) {
         const sink = {
           type: "external_taint_escape",
           cwe: "CWE-668",
@@ -11839,13 +11930,33 @@ var SANITIZER_METHODS = /* @__PURE__ */ new Set([
   "getCanonicalPath",
   "normalize",
   "toRealPath",
+  // JavaScript/TypeScript URL Encoding
+  "encodeURIComponent",
+  "encodeURI",
+  // JavaScript/TypeScript String Validation
+  "match",
+  "test",
+  "startsWith",
+  "includes",
+  // Path Validation and Normalization
+  "normalizePath",
+  "normalizeLineEndings",
+  "isPathWithin",
+  "isPathWithinAllowedDirectories",
+  "isPathAllowed",
+  "relative",
+  "join",
   // General
   "sanitize",
   "encode",
   "escape",
   "clean",
   "filter",
-  "validate"
+  "validate",
+  "validatePath",
+  "validateCityName",
+  "validateInput",
+  "sanitizeInput"
 ]);
 var ANTI_SANITIZER_METHODS = /* @__PURE__ */ new Set([
   // URL decoding (reverses URL encoding)
@@ -16070,7 +16181,9 @@ async function initAnalyzer(options = {}) {
   registerBuiltinPlugins();
   await initParser({
     wasmPath: options.wasmPath,
-    languagePaths: options.languagePaths
+    wasmModule: options.wasmModule,
+    languagePaths: options.languagePaths,
+    languageModules: options.languageModules
   });
   initialized = true;
 }
@@ -16576,7 +16689,17 @@ async function analyzeForAPI(code, filePath, language, options = {}) {
   const constPropResult = analyzeConstantPropagation(tree, code);
   const config = options.taintConfig ?? getDefaultConfig();
   const taint = analyzeTaint(calls, types, config);
-  const filteredSinks = taint.sinks.filter((sink) => !constPropResult.unreachableLines.has(sink.line));
+  let filteredSinks = taint.sinks.filter((sink) => !constPropResult.unreachableLines.has(sink.line));
+  filteredSinks = filterCleanVariableSinks(
+    filteredSinks,
+    calls,
+    constPropResult.tainted,
+    constPropResult.symbols,
+    void 0,
+    constPropResult.sanitizedVars,
+    constPropResult.synchronizedLines
+  );
+  filteredSinks = filterSanitizedSinks(filteredSinks, taint.sanitizers ?? [], calls);
   const vulnerabilities = findVulnerabilities(taint.sources, filteredSinks, calls, constPropResult);
   const analysisTime = performance.now() - analysisStart;
   const totalTime = performance.now() - startTime;
@@ -16780,6 +16903,12 @@ function filterCleanVariableSinks(sinks, calls, taintedVars, symbols, dfg, sanit
           }
           allArgsAreClean = false;
         } else {
+          if (arg.literal != null) {
+            continue;
+          }
+          if (arg.expression && !arg.variable && isStringLiteralExpression(arg.expression)) {
+            continue;
+          }
           allArgsAreClean = false;
         }
       }
@@ -16790,6 +16919,10 @@ function filterCleanVariableSinks(sinks, calls, taintedVars, symbols, dfg, sanit
     return true;
   });
 }
+function isStringLiteralExpression(expr) {
+  const trimmed = expr.trim();
+  return trimmed.startsWith('"') && trimmed.endsWith('"') || trimmed.startsWith("'") && trimmed.endsWith("'");
+}
 function filterSanitizedSinks(sinks, sanitizers, calls) {
   if (!sanitizers || sanitizers.length === 0) {
     return sinks;
@@ -17024,10 +17157,28 @@ function isAnalyzerInitialized() {
 
 // src/browser.ts
 async function init2(options) {
-  await initAnalyzer({
-    wasmPath: options.wasmUrl,
+  const initOptions = {
     taintConfig: options.taintConfig
-  });
+  };
+  if (typeof options.wasmUrl === "string") {
+    initOptions.wasmPath = options.wasmUrl;
+  } else {
+    initOptions.wasmModule = options.wasmUrl;
+  }
+  if (options.languageUrls) {
+    const paths = {};
+    const modules = {};
+    for (const [lang, value] of Object.entries(options.languageUrls)) {
+      if (typeof value === "string") {
+        paths[lang] = value;
+      } else if (value) {
+        modules[lang] = value;
+      }
+    }
+    if (Object.keys(paths).length > 0) initOptions.languagePaths = paths;
+    if (Object.keys(modules).length > 0) initOptions.languageModules = modules;
+  }
+  await initAnalyzer(initOptions);
 }
 async function analyzeCode(code, options = {}) {
   const filePath = options.filePath ?? "input.java";

package/dist/browser.d.ts

@@ -8,17 +8,18 @@ import type { CircleIR, AnalysisResponse } from './types/index.js';
 import type { SupportedLanguage } from './core/index.js';
 export interface BrowserAnalyzerOptions extends AnalyzerOptions {
     /**
-     * URL to the tree-sitter.wasm file.
-     * Required for browser usage.
+     * URL to the tree-sitter.wasm file, or a pre-compiled WebAssembly.Module.
+     * String URL for browser usage, WebAssembly.Module for Cloudflare Workers.
      */
-    wasmUrl: string;
+    wasmUrl: string | WebAssembly.Module;
     /**
-     * URLs to language grammar WASM files.
+     * URLs to language grammar WASM files, or pre-compiled WebAssembly.Modules.
+     * String URLs for browser usage, WebAssembly.Modules for Cloudflare Workers.
      */
-    languageUrls?: Partial<Record<SupportedLanguage, string>>;
+    languageUrls?: Partial<Record<SupportedLanguage, string | WebAssembly.Module>>;
 }
 /**
- * Initialize the analyzer for browser usage.
+ * Initialize the analyzer for browser/worker usage.
  */
 export declare function init(options: BrowserAnalyzerOptions): Promise<void>;
 /**

package/dist/browser.js

@@ -5,13 +5,35 @@
  */
 import { initAnalyzer, analyze, analyzeForAPI, isAnalyzerInitialized, } from './analyzer.js';
 /**
- * Initialize the analyzer for browser usage.
+ * Initialize the analyzer for browser/worker usage.
  */
 export async function init(options) {
-    await initAnalyzer({
-        wasmPath: options.wasmUrl,
+    const initOptions = {
         taintConfig: options.taintConfig,
-    });
+    };
+    if (typeof options.wasmUrl === 'string') {
+        initOptions.wasmPath = options.wasmUrl;
+    }
+    else {
+        initOptions.wasmModule = options.wasmUrl;
+    }
+    if (options.languageUrls) {
+        const paths = {};
+        const modules = {};
+        for (const [lang, value] of Object.entries(options.languageUrls)) {
+            if (typeof value === 'string') {
+                paths[lang] = value;
+            }
+            else if (value) {
+                modules[lang] = value;
+            }
+        }
+        if (Object.keys(paths).length > 0)
+            initOptions.languagePaths = paths;
+        if (Object.keys(modules).length > 0)
+            initOptions.languageModules = modules;
+    }
+    await initAnalyzer(initOptions);
 }
 /**
  * Analyze source code and return full Circle-IR output.

package/dist/browser.js.map

@@ -1 +1 @@
-{"version":3,"file":"browser.js","sourceRoot":"","sources":["../src/browser.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,YAAY,EACZ,OAAO,EACP,aAAa,EACb,qBAAqB,GAEtB,MAAM,eAAe,CAAC;AAiBvB;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,OAA+B;IACxD,MAAM,YAAY,CAAC;QACjB,QAAQ,EAAE,OAAO,CAAC,OAAO;QACzB,WAAW,EAAE,OAAO,CAAC,WAAW;KACjC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,IAAY,EACZ,UAGI,EAAE;IAEN,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,YAAY,CAAC;IAClD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,MAAM,CAAC;IAE5C,IAAI,CAAC,qBAAqB,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,OAAO,OAAO,CAAC,IAAI,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,IAAY,EACZ,UAGI,EAAE;IAEN,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,YAAY,CAAC;IAClD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,MAAM,CAAC;IAE5C,IAAI,CAAC,qBAAqB,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,OAAO,aAAa,CAAC,IAAI,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;AACjD,CAAC"}
+{"version":3,"file":"browser.js","sourceRoot":"","sources":["../src/browser.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,YAAY,EACZ,OAAO,EACP,aAAa,EACb,qBAAqB,GAEtB,MAAM,eAAe,CAAC;AAkBvB;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,OAA+B;IACxD,MAAM,WAAW,GAAuC;QACtD,WAAW,EAAE,OAAO,CAAC,WAAW;KACjC,CAAC;IAEF,IAAI,OAAO,OAAO,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACxC,WAAW,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IACzC,CAAC;SAAM,CAAC;QACN,WAAW,CAAC,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC;IAC3C,CAAC;IAED,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QACzB,MAAM,KAAK,GAA+C,EAAE,CAAC;QAC7D,MAAM,OAAO,GAA2D,EAAE,CAAC;QAE3E,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YACjE,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,KAAK,CAAC,IAAyB,CAAC,GAAG,KAAK,CAAC;YAC3C,CAAC;iBAAM,IAAI,KAAK,EAAE,CAAC;gBACjB,OAAO,CAAC,IAAyB,CAAC,GAAG,KAAK,CAAC;YAC7C,CAAC;QACH,CAAC;QAED,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC;YAAE,WAAW,CAAC,aAAa,GAAG,KAAK,CAAC;QACrE,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC;YAAE,WAAW,CAAC,eAAe,GAAG,OAAO,CAAC;IAC7E,CAAC;IAED,MAAM,YAAY,CAAC,WAAW,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,IAAY,EACZ,UAGI,EAAE;IAEN,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,YAAY,CAAC;IAClD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,MAAM,CAAC;IAE5C,IAAI,CAAC,qBAAqB,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,OAAO,OAAO,CAAC,IAAI,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,IAAY,EACZ,UAGI,EAAE;IAEN,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,YAAY,CAAC;IAClD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,MAAM,CAAC;IAE5C,IAAI,CAAC,qBAAqB,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,OAAO,aAAa,CAAC,IAAI,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;AACjD,CAAC"}

package/dist/core/circle-ir-core.cjs

@@ -4063,6 +4063,7 @@ var parserInitializing = null;
 var loadedLanguages = /* @__PURE__ */ new Map();
 var loadingLanguages = /* @__PURE__ */ new Map();
 var configuredLanguagePaths = {};
+var configuredLanguageModules = {};
 async function initParser(options = {}) {
   if (parserInitialized) {
     return;
@@ -4070,14 +4071,28 @@ async function initParser(options = {}) {
   if (parserInitializing) {
     return parserInitializing;
   }
-  const wasmPath = options.wasmPath ?? await getDefaultWasmPath();
   if (options.languagePaths) {
     configuredLanguagePaths = options.languagePaths;
   }
+  if (options.languageModules) {
+    configuredLanguageModules = options.languageModules;
+  }
   parserInitializing = (async () => {
-    await Parser.init({
-      locateFile: () => wasmPath
-    });
+    if (options.wasmModule) {
+      await Parser.init({
+        locateFile: () => "web-tree-sitter.wasm",
+        instantiateWasm(imports, callback) {
+          const instance2 = new WebAssembly.Instance(options.wasmModule, imports);
+          callback(instance2, options.wasmModule);
+          return instance2.exports;
+        }
+      });
+    } else {
+      const wasmPath = options.wasmPath ?? await getDefaultWasmPath();
+      await Parser.init({
+        locateFile: () => wasmPath
+      });
+    }
     parserInitialized = true;
     parserInitializing = null;
   })();
@@ -4095,6 +4110,17 @@ async function loadLanguage(language, wasmPath) {
   if (loading) {
     return loading;
   }
+  const grammarName = language === "typescript" ? "javascript" : language;
+  const wasmModule = configuredLanguageModules[language] ?? configuredLanguageModules[grammarName];
+  if (wasmModule) {
+    const loadPromise2 = (async () => {
+      const lang = await Language.load(wasmModule);
+      loadedLanguages.set(language, lang);
+      return lang;
+    })();
+    loadingLanguages.set(language, loadPromise2);
+    return loadPromise2;
+  }
   const path = wasmPath ?? configuredLanguagePaths[language] ?? await getDefaultLanguagePath(language);
   const loadPromise = (async () => {
     const lang = await Language.load(path);
@@ -10844,7 +10870,12 @@ function propagateTaint(dfg, calls, sources, sinks, sanitizers) {
     existing.push(san);
     sanitizersByLine.set(san.line, existing);
   }
-  const initialTaint = findInitialTaint(sources, dfg, callsByLine, defsByLine);
+  const rawInitialTaint = findInitialTaint(sources, dfg, callsByLine, defsByLine);
+  const initialTaint = rawInitialTaint.filter((tv) => {
+    if (tv.line === tv.sourceLine) return true;
+    const sanCheck = checkSanitized(tv.sourceLine, tv.line, tv.sourceType, sanitizersByLine);
+    return !sanCheck.sanitized;
+  });
   taintedVars.push(...initialTaint);
   const propagatedTaint = propagateThroughChains(
     initialTaint,
@@ -10986,7 +11017,36 @@ function propagateThroughChains(initialTaint, chains, defById, sanitizersByLine)
   }
   return propagated;
 }
-function checkSanitized(_fromLine, _toLine, _sinkType, _sanitizersByLine) {
+var KNOWN_SINK_TYPES = /* @__PURE__ */ new Set([
+  "sql_injection",
+  "xss",
+  "path_traversal",
+  "command_injection",
+  "ssrf",
+  "ldap_injection",
+  "xpath_injection",
+  "log_injection",
+  "xxe",
+  "deserialization",
+  "code_injection"
+]);
+function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
+  const sanitizersAtTarget = sanitizersByLine.get(toLine);
+  if (!sanitizersAtTarget || sanitizersAtTarget.length === 0) {
+    return { sanitized: false };
+  }
+  const isKnownSinkType = KNOWN_SINK_TYPES.has(sinkType);
+  for (const san of sanitizersAtTarget) {
+    if (isKnownSinkType) {
+      if (san.sanitizes.includes(sinkType)) {
+        return { sanitized: true, sanitizer: san };
+      }
+    } else {
+      if (san.sanitizes.length > 0) {
+        return { sanitized: true, sanitizer: san };
+      }
+    }
+  }
   return { sanitized: false };
 }
 function buildTaintFlow(source, sink, taintInfo, dfg, defById) {
@@ -11435,13 +11495,33 @@ var SANITIZER_METHODS = /* @__PURE__ */ new Set([
   "getCanonicalPath",
   "normalize",
   "toRealPath",
+  // JavaScript/TypeScript URL Encoding
+  "encodeURIComponent",
+  "encodeURI",
+  // JavaScript/TypeScript String Validation
+  "match",
+  "test",
+  "startsWith",
+  "includes",
+  // Path Validation and Normalization
+  "normalizePath",
+  "normalizeLineEndings",
+  "isPathWithin",
+  "isPathWithinAllowedDirectories",
+  "isPathAllowed",
+  "relative",
+  "join",
   // General
   "sanitize",
   "encode",
   "escape",
   "clean",
   "filter",
-  "validate"
+  "validate",
+  "validatePath",
+  "validateCityName",
+  "validateInput",
+  "sanitizeInput"
 ]);
 var ANTI_SANITIZER_METHODS = /* @__PURE__ */ new Set([
   // URL decoding (reverses URL encoding)

package/dist/core/circle-ir-core.js

@@ -3998,6 +3998,7 @@ var parserInitializing = null;
 var loadedLanguages = /* @__PURE__ */ new Map();
 var loadingLanguages = /* @__PURE__ */ new Map();
 var configuredLanguagePaths = {};
+var configuredLanguageModules = {};
 async function initParser(options = {}) {
   if (parserInitialized) {
     return;
@@ -4005,14 +4006,28 @@ async function initParser(options = {}) {
   if (parserInitializing) {
     return parserInitializing;
   }
-  const wasmPath = options.wasmPath ?? await getDefaultWasmPath();
   if (options.languagePaths) {
     configuredLanguagePaths = options.languagePaths;
   }
+  if (options.languageModules) {
+    configuredLanguageModules = options.languageModules;
+  }
   parserInitializing = (async () => {
-    await Parser.init({
-      locateFile: () => wasmPath
-    });
+    if (options.wasmModule) {
+      await Parser.init({
+        locateFile: () => "web-tree-sitter.wasm",
+        instantiateWasm(imports, callback) {
+          const instance2 = new WebAssembly.Instance(options.wasmModule, imports);
+          callback(instance2, options.wasmModule);
+          return instance2.exports;
+        }
+      });
+    } else {
+      const wasmPath = options.wasmPath ?? await getDefaultWasmPath();
+      await Parser.init({
+        locateFile: () => wasmPath
+      });
+    }
     parserInitialized = true;
     parserInitializing = null;
   })();
@@ -4030,6 +4045,17 @@ async function loadLanguage(language, wasmPath) {
   if (loading) {
     return loading;
   }
+  const grammarName = language === "typescript" ? "javascript" : language;
+  const wasmModule = configuredLanguageModules[language] ?? configuredLanguageModules[grammarName];
+  if (wasmModule) {
+    const loadPromise2 = (async () => {
+      const lang = await Language.load(wasmModule);
+      loadedLanguages.set(language, lang);
+      return lang;
+    })();
+    loadingLanguages.set(language, loadPromise2);
+    return loadPromise2;
+  }
   const path = wasmPath ?? configuredLanguagePaths[language] ?? await getDefaultLanguagePath(language);
   const loadPromise = (async () => {
     const lang = await Language.load(path);
@@ -10779,7 +10805,12 @@ function propagateTaint(dfg, calls, sources, sinks, sanitizers) {
     existing.push(san);
     sanitizersByLine.set(san.line, existing);
   }
-  const initialTaint = findInitialTaint(sources, dfg, callsByLine, defsByLine);
+  const rawInitialTaint = findInitialTaint(sources, dfg, callsByLine, defsByLine);
+  const initialTaint = rawInitialTaint.filter((tv) => {
+    if (tv.line === tv.sourceLine) return true;
+    const sanCheck = checkSanitized(tv.sourceLine, tv.line, tv.sourceType, sanitizersByLine);
+    return !sanCheck.sanitized;
+  });
   taintedVars.push(...initialTaint);
   const propagatedTaint = propagateThroughChains(
     initialTaint,
@@ -10921,7 +10952,36 @@ function propagateThroughChains(initialTaint, chains, defById, sanitizersByLine)
   }
   return propagated;
 }
-function checkSanitized(_fromLine, _toLine, _sinkType, _sanitizersByLine) {
+var KNOWN_SINK_TYPES = /* @__PURE__ */ new Set([
+  "sql_injection",
+  "xss",
+  "path_traversal",
+  "command_injection",
+  "ssrf",
+  "ldap_injection",
+  "xpath_injection",
+  "log_injection",
+  "xxe",
+  "deserialization",
+  "code_injection"
+]);
+function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
+  const sanitizersAtTarget = sanitizersByLine.get(toLine);
+  if (!sanitizersAtTarget || sanitizersAtTarget.length === 0) {
+    return { sanitized: false };
+  }
+  const isKnownSinkType = KNOWN_SINK_TYPES.has(sinkType);
+  for (const san of sanitizersAtTarget) {
+    if (isKnownSinkType) {
+      if (san.sanitizes.includes(sinkType)) {
+        return { sanitized: true, sanitizer: san };
+      }
+    } else {
+      if (san.sanitizes.length > 0) {
+        return { sanitized: true, sanitizer: san };
+      }
+    }
+  }
   return { sanitized: false };
 }
 function buildTaintFlow(source, sink, taintInfo, dfg, defById) {
@@ -11370,13 +11430,33 @@ var SANITIZER_METHODS = /* @__PURE__ */ new Set([
   "getCanonicalPath",
   "normalize",
   "toRealPath",
+  // JavaScript/TypeScript URL Encoding
+  "encodeURIComponent",
+  "encodeURI",
+  // JavaScript/TypeScript String Validation
+  "match",
+  "test",
+  "startsWith",
+  "includes",
+  // Path Validation and Normalization
+  "normalizePath",
+  "normalizeLineEndings",
+  "isPathWithin",
+  "isPathWithinAllowedDirectories",
+  "isPathAllowed",
+  "relative",
+  "join",
   // General
   "sanitize",
   "encode",
   "escape",
   "clean",
   "filter",
-  "validate"
+  "validate",
+  "validatePath",
+  "validateCityName",
+  "validateInput",
+  "sanitizeInput"
 ]);
 var ANTI_SANITIZER_METHODS = /* @__PURE__ */ new Set([
   // URL decoding (reverses URL encoding)

package/dist/core/parser.d.ts

@@ -15,11 +15,23 @@ interface ParserOptions {
      * In browsers/workers, must be provided.
      */
     wasmPath?: string;
+    /**
+     * Pre-compiled WebAssembly.Module for tree-sitter.wasm.
+     * Use this for Cloudflare Workers where dynamic WASM compilation is blocked.
+     * Takes precedence over wasmPath when provided.
+     */
+    wasmModule?: WebAssembly.Module;
     /**
      * Custom paths/URLs to language grammar WASM files.
      * Key is the language name, value is the path/URL.
      */
     languagePaths?: Partial<Record<SupportedLanguage, string>>;
+    /**
+     * Pre-compiled WebAssembly.Module for language grammars.
+     * Use this for Cloudflare Workers where dynamic WASM compilation is blocked.
+     * Takes precedence over languagePaths when provided.
+     */
+    languageModules?: Partial<Record<SupportedLanguage, WebAssembly.Module>>;
 }
 /**
  * Initialize the Tree-sitter parser runtime.