circle-ir 3.4.0 → 3.8.0

package/dist/analyzer.js

@@ -6,7 +6,7 @@
  */
 import { initParser, parse, extractMeta, extractTypes, extractCalls, extractImports, extractExports, buildCFG, buildDFG, collectAllNodes, } from './core/index.js';
 import { analyzeTaint, getDefaultConfig, detectUnresolved, propagateTaint, analyzeInterprocedural, findTaintBridges, analyzeConstantPropagation, isFalsePositive, isCorrelatedPredicateFP } from './analysis/index.js';
-import { registerBuiltinPlugins } from './languages/index.js';
+import { registerBuiltinPlugins, getLanguagePlugin } from './languages/index.js';
 import { logger } from './utils/logger.js';
 /**
  * Find getter methods that return tainted fields from constructor assignments.
@@ -119,6 +119,34 @@ const JS_TAINTED_PATTERNS = [
     { pattern: /\bdocument\.querySelector\b/, type: 'dom_input' },
     { pattern: /\.value\b/, type: 'dom_input' },
 ];
+/**
+ * Python/Flask/Django tainted request access patterns.
+ * Used to detect sources in assignments like: user_id = request.args.get('id')
+ * Also covers subscript access: user_id = request.args['id']
+ */
+const PYTHON_TAINTED_PATTERNS = [
+    { pattern: /\brequest\.args\b/, type: 'http_param' },
+    { pattern: /\brequest\.form\b/, type: 'http_body' },
+    { pattern: /\brequest\.json\b/, type: 'http_body' },
+    { pattern: /\brequest\.data\b/, type: 'http_body' },
+    { pattern: /\brequest\.files?\b/, type: 'file_input' },
+    { pattern: /\brequest\.headers?\b/, type: 'http_header' },
+    { pattern: /\brequest\.cookies\b/, type: 'http_cookie' },
+    { pattern: /\brequest\.GET\b/, type: 'http_param' },
+    { pattern: /\brequest\.POST\b/, type: 'http_body' },
+    { pattern: /\brequest\.META\b/, type: 'http_header' },
+    { pattern: /\brequest\.FILES\b/, type: 'file_input' },
+    { pattern: /\brequest\.query_params\b/, type: 'http_param' },
+    { pattern: /\brequest\.path_params\b/, type: 'http_param' },
+    // Flask raw query/body strings
+    { pattern: /\brequest\.query_string\b/, type: 'http_param' },
+    { pattern: /\brequest\.get_data\s*\(/, type: 'http_body' },
+    // Request wrapper helper methods (common in OWASP-style benchmarks and real wrappers)
+    { pattern: /\bget_form_parameter\s*\(/, type: 'http_body' },
+    { pattern: /\bget_query_parameter\s*\(/, type: 'http_param' },
+    { pattern: /\bget_header_value\s*\(/, type: 'http_header' },
+    { pattern: /\bget_cookie_value\s*\(/, type: 'http_cookie' },
+];
 /**
  * Find JavaScript taint sources from variable assignments.
  * Detects patterns like: var userId = req.query.id
@@ -161,6 +189,227 @@ function findJavaScriptAssignmentSources(sourceCode, language) {
     }
     return sources;
 }
+/**
+ * Find Python taint sources from variable assignments and subscript access.
+ * Detects patterns like: user_id = request.args.get('id') or request.args['id']
+ */
+function findPythonAssignmentSources(sourceCode, language) {
+    const sources = [];
+    if (language !== 'python') {
+        return sources;
+    }
+    const lines = sourceCode.split('\n');
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        const lineNumber = lineNum + 1;
+        // Skip comment lines
+        if (line.trimStart().startsWith('#'))
+            continue;
+        // Look for assignments: x = ... or x: type = ...
+        const assignmentMatch = line.match(/^(\s*\w[\w.]*)\s*(?::\s*\w[\w\[\], .]*)?\s*=\s*(.+)/);
+        if (assignmentMatch) {
+            const rhs = assignmentMatch[2];
+            for (const { pattern, type } of PYTHON_TAINTED_PATTERNS) {
+                if (pattern.test(rhs)) {
+                    const varMatch = line.match(/^\s*(\w+)\s*/);
+                    const varName = varMatch ? varMatch[1] : 'unknown';
+                    const alreadyExists = sources.some(s => s.line === lineNumber && s.type === type);
+                    if (!alreadyExists) {
+                        sources.push({
+                            type,
+                            location: `${varName} = ${rhs.trim().substring(0, 50)}${rhs.length > 50 ? '...' : ''}`,
+                            severity: 'high',
+                            line: lineNumber,
+                            confidence: 0.95,
+                            variable: varName,
+                        });
+                    }
+                    break;
+                }
+            }
+        }
+    }
+    return sources;
+}
+/**
+ * Build a map of tainted variable names → source line via simple forward
+ * line-by-line taint propagation for Python.
+ *
+ * Seeds from PYTHON_TAINTED_PATTERNS; propagates through assignments where the
+ * RHS contains a tainted variable. Uses per-key container taint to distinguish
+ * map['tainted_key'] from map['safe_key'] and conf.get(s,tainted_k) vs conf.get(s,safe_k).
+ */
+function buildPythonTaintedVars(sourceCode) {
+    const tainted = new Map();
+    // Per-key container taint: "map['key']" or "conf['section']['key']" → line number
+    const containerTainted = new Map();
+    const lines = sourceCode.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (line.trimStart().startsWith('#'))
+            continue;
+        // Subscript assignment: container['key'] = value
+        // Tracks taint per-key so map['keyA']='safe' and map['keyB']=param are distinguished.
+        const subscriptAssign = line.match(/^\s*(\w+)\[(['"])([^'"]+)\2\]\s*=\s*(.+)$/);
+        if (subscriptAssign) {
+            const [, container, , key, rhs2] = subscriptAssign;
+            const isTaintedRhs = [...tainted.keys()].some(v => new RegExp(`\\b${v}\\b`).test(rhs2));
+            if (isTaintedRhs) {
+                containerTainted.set(`${container}['${key}']`, i + 1);
+            }
+            continue; // subscript assignments don't match simple variable regex below
+        }
+        // ConfigParser set: obj.set('section', 'key', value)
+        // Tracks per (section, key) so conf.get('s','keyA') and conf.get('s','keyB') are distinct.
+        const setCallMatch = line.match(/^\s*(\w+)\.set\s*\(\s*(['"])([^'"]+)\2\s*,\s*(['"])([^'"]+)\4\s*,\s*(.+?)\s*\)$/);
+        if (setCallMatch) {
+            const [, obj, , section, , key, rhs2] = setCallMatch;
+            const isTaintedRhs = [...tainted.keys()].some(v => new RegExp(`\\b${v}\\b`).test(rhs2));
+            if (isTaintedRhs) {
+                containerTainted.set(`${obj}['${section}']['${key}']`, i + 1);
+            }
+            continue;
+        }
+        // Augmented assignment: var += expr — taint if either side is tainted
+        const augAssign = line.match(/^\s*(\w+)\s*\+=\s*(.+)$/);
+        if (augAssign) {
+            const [, augLhs, augRhs] = augAssign;
+            const rhsTainted = [...tainted.keys()].some(v => new RegExp(`\\b${v}\\b`).test(augRhs));
+            if (rhsTainted || tainted.has(augLhs)) {
+                tainted.set(augLhs, tainted.get(augLhs) ?? (i + 1));
+            }
+            continue;
+        }
+        // For loop: for var in tainted_source — seed loop variable as tainted
+        const forLoopMatch = line.match(/^\s*for\s+(\w+)\s+in\s+(.+?)(?:\s*:\s*)?$/);
+        if (forLoopMatch) {
+            const [, iterVar, iterExpr] = forLoopMatch;
+            const isDirectSource = PYTHON_TAINTED_PATTERNS.some(p => p.pattern.test(iterExpr));
+            const isPropagated = [...tainted.keys()].some(v => new RegExp(`\\b${v}\\b`).test(iterExpr));
+            if (isDirectSource || isPropagated) {
+                tainted.set(iterVar, i + 1);
+            }
+            continue;
+        }
+        // Regular assignment: var = expr
+        const assignMatch = line.match(/^\s*(\w+)\s*=\s*(.+)$/);
+        if (!assignMatch)
+            continue;
+        const [, lhs, rhs] = assignMatch;
+        const isDirectSource = PYTHON_TAINTED_PATTERNS.some(p => p.pattern.test(rhs));
+        let propagatedFrom;
+        // Per-key dict access: bar = container['key']
+        const dictAccessMatch = rhs.trim().match(/^(\w+)\[(['"])([^'"]+)\2\]$/);
+        if (dictAccessMatch) {
+            const [, container, , key] = dictAccessMatch;
+            if (containerTainted.has(`${container}['${key}']`)) {
+                propagatedFrom = `${container}['${key}']`;
+            }
+        }
+        // Per-key configparser get: bar = conf.get('section', 'key')
+        if (!propagatedFrom) {
+            const confGetMatch = rhs.trim().match(/^(\w+)\.get\s*\(\s*(['"])([^'"]+)\2\s*,\s*(['"])([^'"]+)\4\s*\)$/);
+            if (confGetMatch) {
+                const [, obj, , section, , key] = confGetMatch;
+                if (containerTainted.has(`${obj}['${section}']['${key}']`)) {
+                    propagatedFrom = `${obj}['${section}']['${key}']`;
+                }
+            }
+        }
+        // Standard variable propagation (skip os.environ/os.getenv — safe env reads)
+        if (!propagatedFrom) {
+            const isSafeEnvRead = /\bos\.environ\.get\s*\(/.test(rhs) || /\bos\.getenv\s*\(/.test(rhs);
+            if (!isSafeEnvRead) {
+                propagatedFrom = [...tainted.keys()].find(v => new RegExp(`\\b${v}\\b`).test(rhs));
+            }
+        }
+        if (isDirectSource) {
+            tainted.set(lhs, i + 1);
+        }
+        else if (propagatedFrom !== undefined) {
+            tainted.set(lhs, i + 1);
+        }
+        else if (tainted.has(lhs)) {
+            // Variable overwritten — preserve taint for null-guard patterns like:
+            //   if not param:
+            //       param = ""
+            const prevNonBlank = lines.slice(0, i).reverse().find(l => l.trim() && !l.trimStart().startsWith('#'));
+            const isNullGuard = prevNonBlank !== undefined && (new RegExp(`^\\s*if\\s+not\\s+${lhs}\\s*:`).test(prevNonBlank) ||
+                new RegExp(`^\\s*if\\s+${lhs}\\s+is\\s+None\\s*:`).test(prevNonBlank));
+            if (!isNullGuard) {
+                tainted.delete(lhs);
+            }
+        }
+    }
+    return tainted;
+}
+/**
+ * Detect Python apostrophe-check sanitizer guards, e.g.:
+ *   if "'" in bar:
+ *       return  # or raise / abort
+ * Returns the set of variable names that are guarded this way.
+ */
+function findPythonQuoteSanitizedVars(sourceCode) {
+    const sanitized = new Set();
+    const lines = sourceCode.split('\n');
+    for (let i = 0; i < lines.length - 1; i++) {
+        // Match any apostrophe/quote check: if "'" in var:, if '\'' in var:, if '"' in var:
+        // Uses full quoted-string pattern to handle Python's various literal forms.
+        const m = lines[i].match(/^\s*if\s+(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")\s+in\s+(\w+)\s*:/);
+        if (!m)
+            continue;
+        // Look ahead up to 5 lines for a return/raise/abort/continue/break
+        // The guard body may be multi-line (e.g. RESPONSE += (...) \n return).
+        // Stop early if we encounter a line at the same or lesser indentation as the if (block exit).
+        const ifIndent = (lines[i].match(/^(\s*)/) ?? ['', ''])[1].length;
+        let foundExit = false;
+        for (let j = i + 1; j <= Math.min(i + 5, lines.length - 1); j++) {
+            const jLine = lines[j] ?? '';
+            if (!jLine.trim())
+                continue; // skip blank lines
+            const jIndent = (jLine.match(/^(\s*)/) ?? ['', ''])[1].length;
+            if (jIndent <= ifIndent)
+                break; // left the if-block
+            if (/^(return|raise|abort|continue|break)\b/.test(jLine.trim())) {
+                foundExit = true;
+                break;
+            }
+        }
+        if (foundExit) {
+            sanitized.add(m[1]);
+        }
+    }
+    return sanitized;
+}
+/**
+ * Detect Python trust boundary violations:
+ *   flask.session[key] = value  (or session[key] = value)
+ * where key or value references a tainted variable.
+ */
+function findPythonTrustBoundaryViolations(sourceCode, language, taintedVars) {
+    if (language !== 'python' || taintedVars.size === 0)
+        return [];
+    const violations = [];
+    const lines = sourceCode.split('\n');
+    const SESSION_WRITE = /(?:flask\.)?session\[([^\]]+)\]\s*=\s*(.+)$/;
+    const taintedKeys = [...taintedVars.keys()];
+    const earliestSourceLine = Math.min(...[...taintedVars.values()]);
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (line.trimStart().startsWith('#'))
+            continue;
+        const m = line.match(SESSION_WRITE);
+        if (!m)
+            continue;
+        const [, keyExpr, valueExpr] = m;
+        const keyTainted = taintedKeys.some(v => new RegExp(`\\b${v}\\b`).test(keyExpr));
+        const valueTainted = taintedKeys.some(v => new RegExp(`\\b${v}\\b`).test(valueExpr));
+        if (keyTainted || valueTainted) {
+            violations.push({ sourceLine: earliestSourceLine, sinkLine: i + 1 });
+        }
+    }
+    return violations;
+}
 /**
  * Find DOM XSS sinks from property assignments in JavaScript.
  * Detects patterns like: element.innerHTML = userInput
@@ -346,6 +595,19 @@ export async function analyze(code, filePath, language, options = {}) {
             'assignment_expression',
         ]);
     }
+    else if (language === 'bash') {
+        nodeTypesToCollect = new Set([
+            // Bash AST nodes
+            'command',
+            'function_definition',
+            'variable_assignment',
+            'declaration_command',
+            'if_statement',
+            'for_statement',
+            'c_style_for_statement',
+            'while_statement',
+        ]);
+    }
     else {
         nodeTypesToCollect = new Set([
             // Java AST nodes
@@ -380,7 +642,44 @@ export async function analyze(code, filePath, language, options = {}) {
     }
     // First, do a preliminary taint analysis to find inter-procedural parameter sources
     // These need to be passed to constant propagation so it can track taint from method parameters
-    const baseConfig = options.taintConfig ?? getDefaultConfig();
+    let baseConfig = options.taintConfig ?? getDefaultConfig();
+    // Merge language plugin built-in sources/sinks into the config.
+    // This handles languages (e.g. Bash) whose patterns are defined on the plugin
+    // rather than in YAML config files loaded by getDefaultConfig().
+    if (!options.taintConfig) {
+        const plugin = getLanguagePlugin(language);
+        if (plugin) {
+            const pluginSources = plugin.getBuiltinSources();
+            const pluginSinks = plugin.getBuiltinSinks();
+            if (pluginSources.length > 0 || pluginSinks.length > 0) {
+                baseConfig = {
+                    ...baseConfig,
+                    sources: [
+                        ...baseConfig.sources,
+                        ...pluginSources.map(s => ({
+                            method: s.method,
+                            class: s.class,
+                            annotation: s.annotation,
+                            type: s.type,
+                            severity: s.severity,
+                            return_tainted: s.returnTainted ?? false,
+                        })),
+                    ],
+                    sinks: [
+                        ...baseConfig.sinks,
+                        ...pluginSinks.map(s => ({
+                            method: s.method,
+                            class: s.class,
+                            type: s.type,
+                            cwe: s.cwe,
+                            severity: s.severity,
+                            arg_positions: s.argPositions,
+                        })),
+                    ],
+                };
+            }
+        }
+    }
     const preliminaryTaint = analyzeTaint(calls, types, baseConfig);
     // Extract inter-procedural parameter sources
     const taintedParameters = [];
@@ -409,6 +708,9 @@ export async function analyze(code, filePath, language, options = {}) {
     // Add sources for JavaScript variable assignments with tainted patterns
     const jsAssignmentSources = findJavaScriptAssignmentSources(code, language);
     taint.sources.push(...jsAssignmentSources);
+    // Add sources for Python variable assignments with tainted request patterns
+    const pythonAssignmentSources = findPythonAssignmentSources(code, language);
+    taint.sources.push(...pythonAssignmentSources);
     // Add sinks for JavaScript DOM XSS patterns (innerHTML, document.write, etc.)
     const jsDOMSinks = findJavaScriptDOMSinks(code, language);
     for (const domSink of jsDOMSinks) {
@@ -440,6 +742,64 @@ export async function analyze(code, filePath, language, options = {}) {
     taint.sinks = filterCleanVariableSinks(taint.sinks, calls, constPropResult.tainted, constPropResult.symbols, dfg, constPropResult.sanitizedVars, constPropResult.synchronizedLines);
     // Filter sinks that are wrapped by sanitizers on the same line
     taint.sinks = filterSanitizedSinks(taint.sinks, taint.sanitizers ?? [], calls);
+    // Python: reduce XPath false-positives using forward taint propagation +
+    // apostrophe-guard sanitizer detection; also detect trust boundary violations
+    // (flask.session[key] = value) which are subscript assignments, not call nodes.
+    if (language === 'python') {
+        const pyTaintedVars = buildPythonTaintedVars(code);
+        const pySanitizedVars = findPythonQuoteSanitizedVars(code);
+        // Propagate sanitization: if bar is sanitized and query = f"...{bar}...", query is also sanitized
+        for (const line of code.split('\n')) {
+            const am = line.match(/^\s*(\w+)\s*=\s*(.+)$/);
+            if (!am)
+                continue;
+            const [, lhs, rhs] = am;
+            if ([...pySanitizedVars].some(v => new RegExp(`\\b${v}\\b`).test(rhs))) {
+                pySanitizedVars.add(lhs);
+            }
+        }
+        // Detect inline .replace() sanitizers: query = f"...{bar.replace('\'', '&apos;')}..."
+        // The tainted var appears with .replace() in the rhs — treat lhs as XPath-safe
+        for (const line of code.split('\n')) {
+            const am = line.match(/^\s*(\w+)\s*=\s*(.+)$/);
+            if (!am)
+                continue;
+            const [, lhs, rhs] = am;
+            const hasReplaceOnTainted = [...pyTaintedVars.keys()].some(v => new RegExp(`\\b${v}\\.replace\\s*\\(`).test(rhs));
+            if (hasReplaceOnTainted)
+                pySanitizedVars.add(lhs);
+        }
+        const pySourceLines = code.split('\n');
+        // Filter XPath sinks: keep only if a tainted var is used at the sink line
+        taint.sinks = taint.sinks.filter(sink => {
+            if (sink.type !== 'xpath_injection')
+                return true;
+            const sinkLineText = pySourceLines[sink.line - 1] ?? '';
+            const taintedVarOnLine = [...pyTaintedVars.keys()].find(v => new RegExp(`\\b${v}\\b`).test(sinkLineText));
+            if (!taintedVarOnLine)
+                return false;
+            if (pySanitizedVars.has(taintedVarOnLine))
+                return false;
+            // Suppress parameterized XPath: root.xpath(query, name=bar) where bar is a keyword arg
+            if (new RegExp(`\\.xpath\\s*\\([^)]*\\b\\w+\\s*=\\s*\\b${taintedVarOnLine}\\b`).test(sinkLineText))
+                return false;
+            return true;
+        });
+        // Add trust boundary sinks from session subscript assignments
+        const trustViolations = findPythonTrustBoundaryViolations(code, language, pyTaintedVars);
+        for (const v of trustViolations) {
+            const alreadyExists = taint.sinks.some(s => s.line === v.sinkLine && s.type === 'trust_boundary');
+            if (!alreadyExists) {
+                taint.sinks.push({
+                    type: 'trust_boundary',
+                    cwe: 'CWE-501',
+                    line: v.sinkLine,
+                    location: `session write at line ${v.sinkLine}`,
+                    confidence: 0.85,
+                });
+            }
+        }
+    }
     // Propagate taint through dataflow to find verified flows
     if (taint.sources.length > 0 && taint.sinks.length > 0) {
         const propagationResult = propagateTaint(dfg, calls, taint.sources, taint.sinks, taint.sanitizers ?? []);
@@ -755,8 +1115,70 @@ export async function analyzeForAPI(code, filePath, language, options = {}) {
     filteredSinks = filterCleanVariableSinks(filteredSinks, calls, constPropResult.tainted, constPropResult.symbols, undefined, constPropResult.sanitizedVars, constPropResult.synchronizedLines);
     // Filter sinks wrapped by sanitizers on the same line
     filteredSinks = filterSanitizedSinks(filteredSinks, taint.sanitizers ?? [], calls);
+    // Python: reduce XPath false-positives using forward taint propagation +
+    // apostrophe-guard sanitizer detection.
+    let pythonTaintedVars = new Map();
+    if (language === 'python') {
+        pythonTaintedVars = buildPythonTaintedVars(code);
+        const pythonSanitizedVars = findPythonQuoteSanitizedVars(code);
+        // Propagate sanitization: if bar is sanitized and query = f"...{bar}...", query is also sanitized
+        for (const line of code.split('\n')) {
+            const am = line.match(/^\s*(\w+)\s*=\s*(.+)$/);
+            if (!am)
+                continue;
+            const [, lhs, rhs] = am;
+            if ([...pythonSanitizedVars].some(v => new RegExp(`\\b${v}\\b`).test(rhs))) {
+                pythonSanitizedVars.add(lhs);
+            }
+        }
+        // Detect inline .replace() sanitizers: query = f"...{bar.replace('\'', '&apos;')}..."
+        for (const line of code.split('\n')) {
+            const am = line.match(/^\s*(\w+)\s*=\s*(.+)$/);
+            if (!am)
+                continue;
+            const [, lhs, rhs] = am;
+            const hasReplaceOnTainted = [...pythonTaintedVars.keys()].some(v => new RegExp(`\\b${v}\\.replace\\s*\\(`).test(rhs));
+            if (hasReplaceOnTainted)
+                pythonSanitizedVars.add(lhs);
+        }
+        const sourceLines = code.split('\n');
+        filteredSinks = filteredSinks.filter(sink => {
+            if (sink.type !== 'xpath_injection')
+                return true;
+            // Keep XPath sink only if a tainted variable is used at the sink line
+            const sinkLineText = sourceLines[sink.line - 1] ?? '';
+            const taintedVarOnLine = [...pythonTaintedVars.keys()].find(v => new RegExp(`\\b${v}\\b`).test(sinkLineText));
+            if (!taintedVarOnLine)
+                return false;
+            // Kill if the variable is protected by an apostrophe guard
+            if (pythonSanitizedVars.has(taintedVarOnLine))
+                return false;
+            // Suppress parameterized XPath: root.xpath(query, name=bar) where bar is a keyword arg
+            if (new RegExp(`\\.xpath\\s*\\([^)]*\\b\\w+\\s*=\\s*\\b${taintedVarOnLine}\\b`).test(sinkLineText))
+                return false;
+            return true;
+        });
+    }
     // Generate vulnerabilities from source-sink pairs
     const vulnerabilities = findVulnerabilities(taint.sources, filteredSinks, calls, constPropResult);
+    // Python: detect trust boundary violations (flask.session[key] = taintedVal)
+    if (language === 'python') {
+        const trustViolations = findPythonTrustBoundaryViolations(code, language, pythonTaintedVars);
+        for (const v of trustViolations) {
+            // Avoid duplicate: only add if no existing vulnerability for same sink line
+            const alreadyReported = vulnerabilities.some(existing => existing.sink.line === v.sinkLine && existing.type === 'trust_boundary');
+            if (!alreadyReported) {
+                vulnerabilities.push({
+                    type: 'trust_boundary',
+                    cwe: 'CWE-501',
+                    severity: 'medium',
+                    source: { line: v.sourceLine, type: 'http_param' },
+                    sink: { line: v.sinkLine, type: 'trust_boundary' },
+                    confidence: 0.85,
+                });
+            }
+        }
+    }
     const analysisTime = performance.now() - analysisStart;
     const totalTime = performance.now() - startTime;
     return {