circle-ir 3.39.0 → 3.41.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (35) hide show
  1. package/dist/analysis/config-loader.d.ts.map +1 -1
  2. package/dist/analysis/config-loader.js +21 -13
  3. package/dist/analysis/config-loader.js.map +1 -1
  4. package/dist/analysis/index.d.ts +1 -1
  5. package/dist/analysis/index.d.ts.map +1 -1
  6. package/dist/analysis/index.js +1 -1
  7. package/dist/analysis/index.js.map +1 -1
  8. package/dist/analysis/passes/language-sources-pass.d.ts.map +1 -1
  9. package/dist/analysis/passes/language-sources-pass.js +5 -0
  10. package/dist/analysis/passes/language-sources-pass.js.map +1 -1
  11. package/dist/analysis/passes/taint-matcher-pass.js +2 -2
  12. package/dist/analysis/passes/taint-matcher-pass.js.map +1 -1
  13. package/dist/analysis/taint-matcher.d.ts +13 -2
  14. package/dist/analysis/taint-matcher.d.ts.map +1 -1
  15. package/dist/analysis/taint-matcher.js +74 -7
  16. package/dist/analysis/taint-matcher.js.map +1 -1
  17. package/dist/analyzer.js +1 -1
  18. package/dist/analyzer.js.map +1 -1
  19. package/dist/browser/circle-ir.js +69 -23
  20. package/dist/core/circle-ir-core.cjs +66 -20
  21. package/dist/core/circle-ir-core.d.ts +1 -1
  22. package/dist/core/circle-ir-core.js +66 -20
  23. package/dist/core-lib.d.ts +1 -1
  24. package/dist/core-lib.d.ts.map +1 -1
  25. package/dist/core-lib.js +1 -1
  26. package/dist/core-lib.js.map +1 -1
  27. package/dist/index.d.ts +1 -1
  28. package/dist/index.d.ts.map +1 -1
  29. package/dist/index.js +1 -1
  30. package/dist/index.js.map +1 -1
  31. package/dist/types/config.d.ts +11 -0
  32. package/dist/types/config.d.ts.map +1 -1
  33. package/dist/types/index.d.ts +2 -0
  34. package/dist/types/index.d.ts.map +1 -1
  35. package/package.json +1 -1
@@ -1 +1 @@
1
- {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA4a1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAkrCtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA6LhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
1
+ {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA4a1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA0rCtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA6LhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
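--- a/package/dist/analysis/config-loader.js
+++ b/package/dist/analysis/config-loader.js
@@ -1011,15 +1011,22 @@ export const DEFAULT_SINKS = [
  { method: 'readObject', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [] },
  { method: 'readUnshared', class: 'ObjectInputStream', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [] },
  { method: 'fromXML', class: 'XStream', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
- { method: 'readValue', class: 'ObjectMapper', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
- // YAML deserialization
- { method: 'load', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
+ // Jackson ObjectMapper the 1-arg `readValue(json)` form is polymorphic and
+ // can deserialize attacker-controlled types (default-typing gadget chains).
+ // The 2-arg typed form `readValue(json, User.class)` is safe because the
+ // deserialized type is fixed at compile time; suppressed via
+ // safe_if_class_literal_at. The `readValue(json, Class.forName(x))` shape
+ // is NOT a class literal and remains a sink.
+ { method: 'readValue', class: 'ObjectMapper', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0], safe_if_class_literal_at: 1 },
+ // YAML deserialization — `Yaml.load(InputStream, Class<T>)` typed overload
+ // is safe; `Yaml.load(InputStream)` and dynamic-class forms are not.
+ { method: 'load', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], safe_if_class_literal_at: 1 },
  { method: 'loadAll', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
- { method: 'loadAs', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
+ { method: 'loadAs', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], safe_if_class_literal_at: 1 },
  // JSON deserialization (Java FastJSON / Jackson — NOT JavaScript's safe JSON.parse)
- { method: 'parseObject', class: 'JSON', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
- { method: 'parseObject', class: 'JSONObject', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
- { method: 'fromJson', class: 'Gson', type: 'deserialization', cwe: 'CWE-502', severity: 'medium', arg_positions: [0] },
+ { method: 'parseObject', class: 'JSON', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0], safe_if_class_literal_at: 1 },
+ { method: 'parseObject', class: 'JSONObject', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0], safe_if_class_literal_at: 1 },
+ { method: 'fromJson', class: 'Gson', type: 'deserialization', cwe: 'CWE-502', severity: 'medium', arg_positions: [0], safe_if_class_literal_at: 1 },
  // XMLDecoder
  { method: 'readObject', class: 'XMLDecoder', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [] },
  // Java serialization constructors
@@ -1303,12 +1310,13 @@ export const DEFAULT_SINKS = [
  { method: 'exec', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['python'] },
  { method: 'compile', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0], languages: ['python'] },
  { method: '__import__', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0], languages: ['python'] },
- // Python Deserialization
- { method: 'loads', class: 'pickle', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
- { method: 'load', class: 'pickle', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
- { method: 'loads', class: 'marshal', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
- { method: 'load', class: 'yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
- { method: 'loads', class: 'yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
+ // Python Deserialization — language-scoped so the lowercase `yaml` / `pickle`
+ // module names don't collide with Java locals named `yaml` (SnakeYAML usage).
+ { method: 'loads', class: 'pickle', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['python'] },
+ { method: 'load', class: 'pickle', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['python'] },
+ { method: 'loads', class: 'marshal', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['python'] },
+ { method: 'load', class: 'yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['python'] },
+ { method: 'loads', class: 'yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['python'] },
  // Python SQL Injection
  // Language-scoped: classless `execute`/`raw` collide with Java util.concurrent
  // (Executor.execute, ThreadPool.execute) and other languages. See issue #14.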
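Review bot: The `safe_if_class_literal_at: 1` suppression on the `ObjectMapper.readValue` entry in the first hunk (new line 1020) treats any class literal in argument 1 as safe, but `readValue(json, Object.class)` is a class literal and, when default typing is enabled, is exactly the polymorphic gadget-chain case the comment above it describes; interface and abstract targets carrying polymorphic type info behave the same way, so `safe because the deserialized type is fixed at compile time` overstates the guarantee. The SnakeYAML entries carry a similar caveat — with the default `Constructor` in pre-2.0 SnakeYAML, `loadAs(..., Foo.class)` still honoured global `!!` tags inside the document, so the literal alone does not make the call safe — and as far as I know `Yaml.load` has no typed two-argument overload (the typed form is `loadAs`), which would leave the `load` entry's suppression unreachable. I'd replace the Jackson sentence with `// Suppressed via safe_if_class_literal_at only for a concrete class literal at arg 1;` / `// Object.class, interfaces and abstract types remain polymorphic and must not be treated as safe.` and correct the YAML comment to name `loadAs` rather than `load`. The matcher that implements `safe_if_class_literal_at` lives in taint-matcher.js, outside this section, so I can't tell here whether `Object.class` is already excluded.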