circle-ir 3.3.3 → 3.6.0

package/dist/browser/circle-ir.js

@@ -5470,6 +5470,9 @@ function extractCalls(tree, cache, language) {
   const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript";
   const isPython = detectedLanguage === "python";
   const isRust = detectedLanguage === "rust";
+  if (detectedLanguage === "bash") {
+    return extractBashCalls(tree, cache);
+  }
   if (isRust) {
     return extractRustCalls(tree, cache);
   }
@@ -6159,6 +6162,88 @@ function inferTypeFromReceiverName(receiver) {
   const lowerReceiver = receiver.toLowerCase();
   return patterns[lowerReceiver] ?? null;
 }
+function extractBashCalls(tree, cache) {
+  const calls = [];
+  const commands = getNodesFromCache(tree.rootNode, "command", cache);
+  for (const cmd of commands) {
+    const callInfo = extractBashCommandInfo(cmd);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
+  return calls;
+}
+function extractBashCommandInfo(node) {
+  const nameNode = node.childForFieldName("name");
+  if (!nameNode) return null;
+  const commandName = getNodeText(nameNode);
+  if (!commandName) return null;
+  const args2 = [];
+  let position = 0;
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (!child) continue;
+    if (child === nameNode) continue;
+    if (child.type.includes("redirect") || child.type === "heredoc_body" || child.type === "file_descriptor") {
+      continue;
+    }
+    const expression = getNodeText(child);
+    if (!expression.trim()) continue;
+    const variable = extractBashVariableRef(child);
+    args2.push({
+      position: position++,
+      expression,
+      variable,
+      literal: null
+    });
+  }
+  const inMethod = findBashEnclosingFunction(node);
+  return {
+    method_name: commandName,
+    receiver: null,
+    arguments: args2,
+    location: {
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    },
+    in_method: inMethod,
+    resolved: false,
+    resolution: { status: "external_method" }
+  };
+}
+function extractBashVariableRef(node) {
+  const type = node.type;
+  if (type === "simple_expansion" || type === "expansion") {
+    return getNodeText(node).replace(/^\$\{?/, "").replace(/\}$/, "");
+  }
+  if (type === "string" || type === "concatenation") {
+    for (let i2 = 0; i2 < node.childCount; i2++) {
+      const child = node.child(i2);
+      if (!child) continue;
+      if (child.type === "simple_expansion" || child.type === "expansion") {
+        return getNodeText(child).replace(/^\$\{?/, "").replace(/\}$/, "");
+      }
+    }
+  }
+  if (type === "word") {
+    const text = getNodeText(node);
+    if (text.startsWith("$")) {
+      return text.slice(1).replace(/^\{/, "").replace(/\}$/, "");
+    }
+  }
+  return null;
+}
+function findBashEnclosingFunction(node) {
+  let current = node.parent;
+  while (current) {
+    if (current.type === "function_definition") {
+      const nameNode = current.childForFieldName("name");
+      return nameNode ? getNodeText(nameNode) : null;
+    }
+    current = current.parent;
+  }
+  return null;
+}
 function extractPythonCalls(tree, cache) {
   const calls = [];
   const context = buildPythonResolutionContext(tree, cache);
@@ -13896,6 +13981,9 @@ function getLanguageRegistry() {
 function registerLanguage(plugin) {
   getLanguageRegistry().register(plugin);
 }
+function getLanguagePlugin(language) {
+  return getLanguageRegistry().get(language);
+}
 
 // src/languages/plugins/base.ts
 var BaseLanguagePlugin = class {
@@ -14497,6 +14585,80 @@ var JavaScriptPlugin = class extends BaseLanguagePlugin {
         confidence: 0.85,
         returnTainted: true
       },
+      // Fastify-specific sources (request object)
+      {
+        method: "raw",
+        class: "request",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.85,
+        returnTainted: true
+      },
+      {
+        method: "hostname",
+        class: "request",
+        type: "http_header",
+        severity: "medium",
+        confidence: 0.8,
+        returnTainted: true
+      },
+      // Koa context sources (ctx.* and ctx.request.*)
+      {
+        method: "header",
+        class: "ctx",
+        type: "http_header",
+        severity: "high",
+        confidence: 0.85,
+        returnTainted: true
+      },
+      {
+        method: "headers",
+        class: "ctx",
+        type: "http_header",
+        severity: "high",
+        confidence: 0.85,
+        returnTainted: true
+      },
+      {
+        method: "host",
+        class: "ctx",
+        type: "http_header",
+        severity: "medium",
+        confidence: 0.8,
+        returnTainted: true
+      },
+      {
+        method: "hostname",
+        class: "ctx",
+        type: "http_header",
+        severity: "medium",
+        confidence: 0.8,
+        returnTainted: true
+      },
+      {
+        method: "path",
+        class: "ctx",
+        type: "http_path",
+        severity: "high",
+        confidence: 0.85,
+        returnTainted: true
+      },
+      {
+        method: "url",
+        class: "ctx",
+        type: "http_path",
+        severity: "high",
+        confidence: 0.85,
+        returnTainted: true
+      },
+      {
+        method: "querystring",
+        class: "ctx",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.85,
+        returnTainted: true
+      },
       // DOM sources (for browser code)
       {
         method: "location",
@@ -14839,6 +15001,21 @@ var JavaScriptPlugin = class extends BaseLanguagePlugin {
         severity: "critical",
         argPositions: [0]
       },
+      // Prisma ORM - unsafe raw query methods ($executeRaw/$queryRaw with template literals are safe/parameterized)
+      {
+        method: "$executeRawUnsafe",
+        type: "sql_injection",
+        cwe: "CWE-89",
+        severity: "critical",
+        argPositions: [0]
+      },
+      {
+        method: "$queryRawUnsafe",
+        type: "sql_injection",
+        cwe: "CWE-89",
+        severity: "critical",
+        argPositions: [0]
+      },
       // SSRF
       {
         method: "fetch",
@@ -15944,12 +16121,241 @@ var RustPlugin = class extends BaseLanguagePlugin {
   }
 };
 
+// src/languages/plugins/bash.ts
+var BashPlugin = class extends BaseLanguagePlugin {
+  id = "bash";
+  name = "Bash/Shell";
+  extensions = [".sh", ".bash", ".zsh", ".ksh"];
+  wasmPath = "tree-sitter-bash.wasm";
+  nodeTypes = {
+    // Type declarations — shell has no OOP types
+    classDeclaration: [],
+    interfaceDeclaration: [],
+    enumDeclaration: [],
+    functionDeclaration: ["function_definition"],
+    methodDeclaration: ["function_definition"],
+    // Expressions — commands are treated as calls
+    methodCall: ["command"],
+    functionCall: ["command"],
+    assignment: ["variable_assignment"],
+    variableDeclaration: ["variable_assignment", "declaration_command"],
+    // Parameters and arguments — positional args are child words
+    parameter: [],
+    argument: [],
+    // Annotations/decorators — none in shell
+    annotation: [],
+    decorator: [],
+    // Imports — shell uses `source` / `.` but no formal import system
+    importStatement: [],
+    // Control flow
+    ifStatement: ["if_statement"],
+    forStatement: ["for_statement", "c_style_for_statement"],
+    whileStatement: ["while_statement"],
+    tryStatement: [],
+    returnStatement: []
+  };
+  /**
+   * Shell scripts don't have a formal framework concept.
+   */
+  detectFramework(_context) {
+    return void 0;
+  }
+  /**
+   * Bash taint source patterns.
+   * In shell, tainted data enters via `read` (stdin).
+   * curl/wget are excluded as sources (see comment in implementation).
+   */
+  getBuiltinSources() {
+    return [
+      // read built-in reads user input from stdin.
+      // curl/wget are intentionally excluded: they're also registered as sinks (SSRF),
+      // and without DFG tracking of $() command substitution, including them as sources
+      // would generate false positives for safe curl calls.
+      {
+        method: "read",
+        type: "io_input",
+        severity: "high",
+        confidence: 0.9,
+        returnTainted: true
+      }
+    ];
+  }
+  /**
+   * Bash taint sink patterns.
+   * Key sinks: eval (CWE-94), bash/sh -c (CWE-78), DB clients (CWE-89),
+   * file operations (CWE-22), SSRF via curl/wget (CWE-918).
+   */
+  getBuiltinSinks() {
+    return [
+      // Code / command injection via eval
+      {
+        method: "eval",
+        type: "code_injection",
+        cwe: "CWE-94",
+        severity: "critical",
+        argPositions: [0]
+      },
+      // Command injection: spawning a sub-shell with -c flag
+      {
+        method: "bash",
+        type: "command_injection",
+        cwe: "CWE-78",
+        severity: "critical",
+        argPositions: [1]
+      },
+      {
+        method: "sh",
+        type: "command_injection",
+        cwe: "CWE-78",
+        severity: "critical",
+        argPositions: [1]
+      },
+      {
+        method: "zsh",
+        type: "command_injection",
+        cwe: "CWE-78",
+        severity: "critical",
+        argPositions: [1]
+      },
+      {
+        method: "ksh",
+        type: "command_injection",
+        cwe: "CWE-78",
+        severity: "critical",
+        argPositions: [1]
+      },
+      // SQL injection via DB CLI clients (first arg is query/expression)
+      {
+        method: "mysql",
+        type: "sql_injection",
+        cwe: "CWE-89",
+        severity: "critical",
+        argPositions: [1]
+      },
+      {
+        method: "psql",
+        type: "sql_injection",
+        cwe: "CWE-89",
+        severity: "critical",
+        argPositions: [1]
+      },
+      {
+        method: "sqlite3",
+        type: "sql_injection",
+        cwe: "CWE-89",
+        severity: "critical",
+        argPositions: [1]
+      },
+      // Path traversal via file operations (first arg is path)
+      {
+        method: "cat",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "rm",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "cp",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "mv",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "chmod",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "medium",
+        argPositions: [1]
+      },
+      {
+        method: "chown",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "medium",
+        argPositions: [1]
+      },
+      // SSRF — curl/wget with externally-controlled URL
+      {
+        method: "curl",
+        type: "ssrf",
+        cwe: "CWE-918",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "wget",
+        type: "ssrf",
+        cwe: "CWE-918",
+        severity: "high",
+        argPositions: [0]
+      }
+    ];
+  }
+  /**
+   * Shell has no OOP receiver types.
+   */
+  getReceiverType(_node, _context) {
+    return void 0;
+  }
+  /**
+   * Bash string literals: quoted strings and raw ($'...') strings.
+   */
+  isStringLiteral(node) {
+    return node.type === "string" || node.type === "raw_string" || node.type === "ansi_c_string";
+  }
+  /**
+   * Extract string value from bash string literal, stripping quotes.
+   */
+  getStringValue(node) {
+    if (!this.isStringLiteral(node)) return void 0;
+    const text = node.text;
+    if (node.type === "raw_string") {
+      return text.slice(1, -1);
+    }
+    if (node.type === "ansi_c_string") {
+      return text.slice(2, -1);
+    }
+    const match = text.match(/^"(.*)"$/s);
+    if (match) return match[1];
+    return text;
+  }
+  // Extraction methods — delegate to base extractors via generic walker
+  extractTypes(_context) {
+    return [];
+  }
+  extractCalls(_context) {
+    return [];
+  }
+  extractImports(_context) {
+    return [];
+  }
+  extractPackage(_context) {
+    return void 0;
+  }
+};
+
 // src/languages/plugins/index.ts
 function registerBuiltinPlugins() {
   registerLanguage(new JavaPlugin());
   registerLanguage(new JavaScriptPlugin());
   registerLanguage(new PythonPlugin());
   registerLanguage(new RustPlugin());
+  registerLanguage(new BashPlugin());
 }
 
 // src/utils/logger.ts
@@ -16278,6 +16684,18 @@ async function analyze(code, filePath, language, options = {}) {
       "member_expression",
       "assignment_expression"
     ]);
+  } else if (language === "bash") {
+    nodeTypesToCollect = /* @__PURE__ */ new Set([
+      // Bash AST nodes
+      "command",
+      "function_definition",
+      "variable_assignment",
+      "declaration_command",
+      "if_statement",
+      "for_statement",
+      "c_style_for_statement",
+      "while_statement"
+    ]);
   } else {
     nodeTypesToCollect = /* @__PURE__ */ new Set([
       // Java AST nodes
@@ -16308,7 +16726,41 @@ async function analyze(code, filePath, language, options = {}) {
       }
     }
   }
-  const baseConfig = options.taintConfig ?? getDefaultConfig();
+  let baseConfig = options.taintConfig ?? getDefaultConfig();
+  if (!options.taintConfig) {
+    const plugin = getLanguagePlugin(language);
+    if (plugin) {
+      const pluginSources = plugin.getBuiltinSources();
+      const pluginSinks = plugin.getBuiltinSinks();
+      if (pluginSources.length > 0 || pluginSinks.length > 0) {
+        baseConfig = {
+          ...baseConfig,
+          sources: [
+            ...baseConfig.sources,
+            ...pluginSources.map((s) => ({
+              method: s.method,
+              class: s.class,
+              annotation: s.annotation,
+              type: s.type,
+              severity: s.severity,
+              return_tainted: s.returnTainted ?? false
+            }))
+          ],
+          sinks: [
+            ...baseConfig.sinks,
+            ...pluginSinks.map((s) => ({
+              method: s.method,
+              class: s.class,
+              type: s.type,
+              cwe: s.cwe,
+              severity: s.severity,
+              arg_positions: s.argPositions
+            }))
+          ]
+        };
+      }
+    }
+  }
   const preliminaryTaint = analyzeTaint(calls, types, baseConfig);
   const taintedParameters = [];
   for (const source of preliminaryTaint.sources) {

package/dist/core/circle-ir-core.cjs

@@ -5546,6 +5546,9 @@ function extractCalls(tree, cache, language) {
   const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript";
   const isPython = detectedLanguage === "python";
   const isRust = detectedLanguage === "rust";
+  if (detectedLanguage === "bash") {
+    return extractBashCalls(tree, cache);
+  }
   if (isRust) {
     return extractRustCalls(tree, cache);
   }
@@ -6235,6 +6238,88 @@ function inferTypeFromReceiverName(receiver) {
   const lowerReceiver = receiver.toLowerCase();
   return patterns[lowerReceiver] ?? null;
 }
+function extractBashCalls(tree, cache) {
+  const calls = [];
+  const commands = getNodesFromCache(tree.rootNode, "command", cache);
+  for (const cmd of commands) {
+    const callInfo = extractBashCommandInfo(cmd);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
+  return calls;
+}
+function extractBashCommandInfo(node) {
+  const nameNode = node.childForFieldName("name");
+  if (!nameNode) return null;
+  const commandName = getNodeText(nameNode);
+  if (!commandName) return null;
+  const args2 = [];
+  let position = 0;
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (!child) continue;
+    if (child === nameNode) continue;
+    if (child.type.includes("redirect") || child.type === "heredoc_body" || child.type === "file_descriptor") {
+      continue;
+    }
+    const expression = getNodeText(child);
+    if (!expression.trim()) continue;
+    const variable = extractBashVariableRef(child);
+    args2.push({
+      position: position++,
+      expression,
+      variable,
+      literal: null
+    });
+  }
+  const inMethod = findBashEnclosingFunction(node);
+  return {
+    method_name: commandName,
+    receiver: null,
+    arguments: args2,
+    location: {
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    },
+    in_method: inMethod,
+    resolved: false,
+    resolution: { status: "external_method" }
+  };
+}
+function extractBashVariableRef(node) {
+  const type = node.type;
+  if (type === "simple_expansion" || type === "expansion") {
+    return getNodeText(node).replace(/^\$\{?/, "").replace(/\}$/, "");
+  }
+  if (type === "string" || type === "concatenation") {
+    for (let i2 = 0; i2 < node.childCount; i2++) {
+      const child = node.child(i2);
+      if (!child) continue;
+      if (child.type === "simple_expansion" || child.type === "expansion") {
+        return getNodeText(child).replace(/^\$\{?/, "").replace(/\}$/, "");
+      }
+    }
+  }
+  if (type === "word") {
+    const text = getNodeText(node);
+    if (text.startsWith("$")) {
+      return text.slice(1).replace(/^\{/, "").replace(/\}$/, "");
+    }
+  }
+  return null;
+}
+function findBashEnclosingFunction(node) {
+  let current = node.parent;
+  while (current) {
+    if (current.type === "function_definition") {
+      const nameNode = current.childForFieldName("name");
+      return nameNode ? getNodeText(nameNode) : null;
+    }
+    current = current.parent;
+  }
+  return null;
+}
 function extractPythonCalls(tree, cache) {
   const calls = [];
   const context = buildPythonResolutionContext(tree, cache);

package/dist/core/circle-ir-core.js

@@ -5481,6 +5481,9 @@ function extractCalls(tree, cache, language) {
   const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript";
   const isPython = detectedLanguage === "python";
   const isRust = detectedLanguage === "rust";
+  if (detectedLanguage === "bash") {
+    return extractBashCalls(tree, cache);
+  }
   if (isRust) {
     return extractRustCalls(tree, cache);
   }
@@ -6170,6 +6173,88 @@ function inferTypeFromReceiverName(receiver) {
   const lowerReceiver = receiver.toLowerCase();
   return patterns[lowerReceiver] ?? null;
 }
+function extractBashCalls(tree, cache) {
+  const calls = [];
+  const commands = getNodesFromCache(tree.rootNode, "command", cache);
+  for (const cmd of commands) {
+    const callInfo = extractBashCommandInfo(cmd);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
+  return calls;
+}
+function extractBashCommandInfo(node) {
+  const nameNode = node.childForFieldName("name");
+  if (!nameNode) return null;
+  const commandName = getNodeText(nameNode);
+  if (!commandName) return null;
+  const args2 = [];
+  let position = 0;
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (!child) continue;
+    if (child === nameNode) continue;
+    if (child.type.includes("redirect") || child.type === "heredoc_body" || child.type === "file_descriptor") {
+      continue;
+    }
+    const expression = getNodeText(child);
+    if (!expression.trim()) continue;
+    const variable = extractBashVariableRef(child);
+    args2.push({
+      position: position++,
+      expression,
+      variable,
+      literal: null
+    });
+  }
+  const inMethod = findBashEnclosingFunction(node);
+  return {
+    method_name: commandName,
+    receiver: null,
+    arguments: args2,
+    location: {
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    },
+    in_method: inMethod,
+    resolved: false,
+    resolution: { status: "external_method" }
+  };
+}
+function extractBashVariableRef(node) {
+  const type = node.type;
+  if (type === "simple_expansion" || type === "expansion") {
+    return getNodeText(node).replace(/^\$\{?/, "").replace(/\}$/, "");
+  }
+  if (type === "string" || type === "concatenation") {
+    for (let i2 = 0; i2 < node.childCount; i2++) {
+      const child = node.child(i2);
+      if (!child) continue;
+      if (child.type === "simple_expansion" || child.type === "expansion") {
+        return getNodeText(child).replace(/^\$\{?/, "").replace(/\}$/, "");
+      }
+    }
+  }
+  if (type === "word") {
+    const text = getNodeText(node);
+    if (text.startsWith("$")) {
+      return text.slice(1).replace(/^\{/, "").replace(/\}$/, "");
+    }
+  }
+  return null;
+}
+function findBashEnclosingFunction(node) {
+  let current = node.parent;
+  while (current) {
+    if (current.type === "function_definition") {
+      const nameNode = current.childForFieldName("name");
+      return nameNode ? getNodeText(nameNode) : null;
+    }
+    current = current.parent;
+  }
+  return null;
+}
 function extractPythonCalls(tree, cache) {
   const calls = [];
   const context = buildPythonResolutionContext(tree, cache);