circle-ir 3.41.0 → 3.43.0

package/dist/core/circle-ir-core.cjs

@@ -6096,11 +6096,22 @@ function inferJSTypeFromReceiver(receiver) {
 function buildResolutionContext(tree, cache) {
   const context = {
     className: null,
+    packageName: null,
     methodNames: /* @__PURE__ */ new Set(),
     fieldTypes: /* @__PURE__ */ new Map(),
     localVarTypes: /* @__PURE__ */ new Map(),
-    imports: /* @__PURE__ */ new Set()
+    paramTypes: /* @__PURE__ */ new Map(),
+    imports: /* @__PURE__ */ new Map(),
+    wildcardImports: []
   };
+  const packages = getNodesFromCache(tree.rootNode, "package_declaration", cache);
+  if (packages.length > 0) {
+    const text = getNodeText(packages[0]);
+    const match = text.match(/package\s+([a-zA-Z0-9_.]+)/);
+    if (match) {
+      context.packageName = match[1];
+    }
+  }
   const classes = getNodesFromCache(tree.rootNode, "class_declaration", cache);
   if (classes.length > 0) {
     const nameNode = classes[0].childForFieldName("name");
@@ -6114,6 +6125,17 @@ function buildResolutionContext(tree, cache) {
     if (nameNode) {
       context.methodNames.add(getNodeText(nameNode));
     }
+    const paramsNode = method.childForFieldName("parameters");
+    if (paramsNode) {
+      collectParameterTypes(paramsNode, context.paramTypes);
+    }
+  }
+  const constructors = getNodesFromCache(tree.rootNode, "constructor_declaration", cache);
+  for (const ctor of constructors) {
+    const paramsNode = ctor.childForFieldName("parameters");
+    if (paramsNode) {
+      collectParameterTypes(paramsNode, context.paramTypes);
+    }
   }
   const fields = getNodesFromCache(tree.rootNode, "field_declaration", cache);
   for (const field of fields) {
@@ -6146,14 +6168,106 @@ function buildResolutionContext(tree, cache) {
   const imports = getNodesFromCache(tree.rootNode, "import_declaration", cache);
   for (const imp of imports) {
     const text = getNodeText(imp);
-    const match = text.match(/import\s+(?:static\s+)?([a-zA-Z0-9_.]+)/);
-    if (match) {
-      const parts2 = match[1].split(".");
-      context.imports.add(parts2[parts2.length - 1]);
+    const match = text.match(/import\s+(?:static\s+)?([a-zA-Z0-9_.]+)(\.\*)?/);
+    if (!match) continue;
+    const fqn = match[1];
+    const isWildcard = match[2] === ".*";
+    if (isWildcard) {
+      context.wildcardImports.push(fqn);
+    } else {
+      const parts2 = fqn.split(".");
+      const simple = parts2[parts2.length - 1];
+      context.imports.set(simple, fqn);
     }
   }
   return context;
 }
+function collectParameterTypes(paramsNode, out2) {
+  for (let i2 = 0; i2 < paramsNode.childCount; i2++) {
+    const child = paramsNode.child(i2);
+    if (!child) continue;
+    if (child.type !== "formal_parameter" && child.type !== "spread_parameter") {
+      continue;
+    }
+    const typeNode = child.childForFieldName("type");
+    const nameNode = child.childForFieldName("name");
+    if (typeNode && nameNode) {
+      out2.set(getNodeText(nameNode), getNodeText(typeNode));
+    }
+  }
+}
+function stripGenerics(type) {
+  const ltIdx = type.indexOf("<");
+  return ltIdx === -1 ? type : type.substring(0, ltIdx);
+}
+function resolveReceiverType(receiver, context) {
+  if (!receiver) return { simpleName: null, fqn: null };
+  if (receiver === "this") {
+    return resolveFqn(context.className, context);
+  }
+  if (receiver.startsWith("this.")) {
+    const fieldName = receiver.substring("this.".length);
+    const fieldType = context.fieldTypes.get(fieldName);
+    if (fieldType) return resolveFqn(stripGenerics(fieldType), context);
+    return { simpleName: null, fqn: null };
+  }
+  if (receiver === "super") return { simpleName: null, fqn: null };
+  const declaredType = context.localVarTypes.get(receiver) ?? context.paramTypes.get(receiver) ?? context.fieldTypes.get(receiver);
+  if (declaredType) {
+    return resolveFqn(stripGenerics(declaredType), context);
+  }
+  if (/^[A-Z]/.test(receiver)) {
+    const simple = receiver.includes(".") ? receiver.substring(receiver.lastIndexOf(".") + 1) : receiver;
+    if (/^[A-Z][A-Za-z0-9_]*$/.test(simple)) {
+      return resolveFqn(simple, context);
+    }
+  }
+  return { simpleName: null, fqn: null };
+}
+function resolveFqn(simpleName, context) {
+  if (!simpleName) return { simpleName: null, fqn: null };
+  const importedFqn = context.imports.get(simpleName);
+  if (importedFqn) {
+    return { simpleName, fqn: importedFqn };
+  }
+  if (context.className === simpleName && context.packageName) {
+    return { simpleName, fqn: `${context.packageName}.${simpleName}` };
+  }
+  if (JAVA_LANG_TYPES.has(simpleName)) {
+    return { simpleName, fqn: `java.lang.${simpleName}` };
+  }
+  return { simpleName, fqn: null };
+}
+var JAVA_LANG_TYPES = /* @__PURE__ */ new Set([
+  "String",
+  "StringBuilder",
+  "StringBuffer",
+  "Object",
+  "Class",
+  "Integer",
+  "Long",
+  "Double",
+  "Float",
+  "Boolean",
+  "Character",
+  "Byte",
+  "Short",
+  "Number",
+  "Math",
+  "System",
+  "Thread",
+  "Runnable",
+  "Throwable",
+  "Exception",
+  "RuntimeException",
+  "Error",
+  "Process",
+  "ProcessBuilder",
+  "Iterable",
+  "Comparable",
+  "CharSequence",
+  "Enum"
+]);
 function extractCallInfo(node, context) {
   const nameNode = node.childForFieldName("name");
   const methodName = nameNode ? getNodeText(nameNode) : "unknown";
@@ -6163,9 +6277,12 @@ function extractCallInfo(node, context) {
   const args2 = argsNode ? extractArguments(argsNode) : [];
   const enclosingMethod = findEnclosingMethod(node);
   const { resolved, resolution } = resolveMethodCall(methodName, receiver, context);
+  const { simpleName, fqn } = resolveReceiverType(receiver, context);
   return {
     method_name: methodName,
     receiver,
+    receiver_type: simpleName,
+    receiver_type_fqn: fqn,
     arguments: args2,
     location: {
       line: node.startPosition.row + 1,
@@ -6187,10 +6304,14 @@ function extractObjectCreation(node, context) {
     status: "resolved",
     target: `${typeName}.<init>`
   };
+  const simpleType = stripGenerics(typeName);
+  const { simpleName, fqn } = resolveFqn(simpleType, context);
   return {
     method_name: typeName,
     // Constructor name is the class name
     receiver: null,
+    receiver_type: simpleName,
+    receiver_type_fqn: fqn,
     arguments: args2,
     location: {
       line: node.startPosition.row + 1,
@@ -10123,6 +10244,23 @@ var DEFAULT_SINKS = [
   { method: "queryForObject", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
   { method: "queryForList", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
   { method: "queryForLong", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
+  // MyBatis mapper-interface methods (CWE-89, classified as mybatis_mapper_call)
+  // The actual SQL lives in the mapper's XML or @Select/@Update annotation —
+  // exploitability depends on whether the binding uses ${...} interpolation
+  // vs #{...} parameter binding. Surface as a distinct sink type so consumers
+  // can resolve the binding before reporting. See cognium-dev#24.
+  // The `class: '*Mapper'` suffix wildcard matches userMapper, OrderMapper, …
+  { method: "insert", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "insertSelective", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "update", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "updateByPrimaryKey", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "updateByPrimaryKeySelective", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "delete", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "deleteByPrimaryKey", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "selectOne", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "selectList", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "selectByPrimaryKey", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "selectByExample", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
   // Command Injection (CWE-78)
   { method: "exec", class: "Runtime", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0, 1] },
   { method: "start", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [] },
@@ -12017,6 +12155,14 @@ function matchesAnnotation(annotations, targetAnnotation) {
   return false;
 }
 function receiverMightBeClass(receiver, className) {
+  if (className.startsWith("*") && className.length > 1) {
+    const suffix = className.slice(1).toLowerCase();
+    let simpleReceiver = receiver;
+    if (simpleReceiver.includes(".") && !simpleReceiver.endsWith(")")) {
+      simpleReceiver = simpleReceiver.substring(simpleReceiver.lastIndexOf(".") + 1);
+    }
+    return simpleReceiver.toLowerCase().endsWith(suffix);
+  }
   if (receiver === className) {
     return true;
   }
@@ -12790,7 +12936,8 @@ var KNOWN_SINK_TYPES = /* @__PURE__ */ new Set([
   "log_injection",
   "xxe",
   "deserialization",
-  "code_injection"
+  "code_injection",
+  "mybatis_mapper_call"
 ]);
 function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
   const sanitizersAtTarget = sanitizersByLine.get(toLine);

package/dist/core/circle-ir-core.js

@@ -6030,11 +6030,22 @@ function inferJSTypeFromReceiver(receiver) {
 function buildResolutionContext(tree, cache) {
   const context = {
     className: null,
+    packageName: null,
     methodNames: /* @__PURE__ */ new Set(),
     fieldTypes: /* @__PURE__ */ new Map(),
     localVarTypes: /* @__PURE__ */ new Map(),
-    imports: /* @__PURE__ */ new Set()
+    paramTypes: /* @__PURE__ */ new Map(),
+    imports: /* @__PURE__ */ new Map(),
+    wildcardImports: []
   };
+  const packages = getNodesFromCache(tree.rootNode, "package_declaration", cache);
+  if (packages.length > 0) {
+    const text = getNodeText(packages[0]);
+    const match = text.match(/package\s+([a-zA-Z0-9_.]+)/);
+    if (match) {
+      context.packageName = match[1];
+    }
+  }
   const classes = getNodesFromCache(tree.rootNode, "class_declaration", cache);
   if (classes.length > 0) {
     const nameNode = classes[0].childForFieldName("name");
@@ -6048,6 +6059,17 @@ function buildResolutionContext(tree, cache) {
     if (nameNode) {
       context.methodNames.add(getNodeText(nameNode));
     }
+    const paramsNode = method.childForFieldName("parameters");
+    if (paramsNode) {
+      collectParameterTypes(paramsNode, context.paramTypes);
+    }
+  }
+  const constructors = getNodesFromCache(tree.rootNode, "constructor_declaration", cache);
+  for (const ctor of constructors) {
+    const paramsNode = ctor.childForFieldName("parameters");
+    if (paramsNode) {
+      collectParameterTypes(paramsNode, context.paramTypes);
+    }
   }
   const fields = getNodesFromCache(tree.rootNode, "field_declaration", cache);
   for (const field of fields) {
@@ -6080,14 +6102,106 @@ function buildResolutionContext(tree, cache) {
   const imports = getNodesFromCache(tree.rootNode, "import_declaration", cache);
   for (const imp of imports) {
     const text = getNodeText(imp);
-    const match = text.match(/import\s+(?:static\s+)?([a-zA-Z0-9_.]+)/);
-    if (match) {
-      const parts2 = match[1].split(".");
-      context.imports.add(parts2[parts2.length - 1]);
+    const match = text.match(/import\s+(?:static\s+)?([a-zA-Z0-9_.]+)(\.\*)?/);
+    if (!match) continue;
+    const fqn = match[1];
+    const isWildcard = match[2] === ".*";
+    if (isWildcard) {
+      context.wildcardImports.push(fqn);
+    } else {
+      const parts2 = fqn.split(".");
+      const simple = parts2[parts2.length - 1];
+      context.imports.set(simple, fqn);
     }
   }
   return context;
 }
+function collectParameterTypes(paramsNode, out2) {
+  for (let i2 = 0; i2 < paramsNode.childCount; i2++) {
+    const child = paramsNode.child(i2);
+    if (!child) continue;
+    if (child.type !== "formal_parameter" && child.type !== "spread_parameter") {
+      continue;
+    }
+    const typeNode = child.childForFieldName("type");
+    const nameNode = child.childForFieldName("name");
+    if (typeNode && nameNode) {
+      out2.set(getNodeText(nameNode), getNodeText(typeNode));
+    }
+  }
+}
+function stripGenerics(type) {
+  const ltIdx = type.indexOf("<");
+  return ltIdx === -1 ? type : type.substring(0, ltIdx);
+}
+function resolveReceiverType(receiver, context) {
+  if (!receiver) return { simpleName: null, fqn: null };
+  if (receiver === "this") {
+    return resolveFqn(context.className, context);
+  }
+  if (receiver.startsWith("this.")) {
+    const fieldName = receiver.substring("this.".length);
+    const fieldType = context.fieldTypes.get(fieldName);
+    if (fieldType) return resolveFqn(stripGenerics(fieldType), context);
+    return { simpleName: null, fqn: null };
+  }
+  if (receiver === "super") return { simpleName: null, fqn: null };
+  const declaredType = context.localVarTypes.get(receiver) ?? context.paramTypes.get(receiver) ?? context.fieldTypes.get(receiver);
+  if (declaredType) {
+    return resolveFqn(stripGenerics(declaredType), context);
+  }
+  if (/^[A-Z]/.test(receiver)) {
+    const simple = receiver.includes(".") ? receiver.substring(receiver.lastIndexOf(".") + 1) : receiver;
+    if (/^[A-Z][A-Za-z0-9_]*$/.test(simple)) {
+      return resolveFqn(simple, context);
+    }
+  }
+  return { simpleName: null, fqn: null };
+}
+function resolveFqn(simpleName, context) {
+  if (!simpleName) return { simpleName: null, fqn: null };
+  const importedFqn = context.imports.get(simpleName);
+  if (importedFqn) {
+    return { simpleName, fqn: importedFqn };
+  }
+  if (context.className === simpleName && context.packageName) {
+    return { simpleName, fqn: `${context.packageName}.${simpleName}` };
+  }
+  if (JAVA_LANG_TYPES.has(simpleName)) {
+    return { simpleName, fqn: `java.lang.${simpleName}` };
+  }
+  return { simpleName, fqn: null };
+}
+var JAVA_LANG_TYPES = /* @__PURE__ */ new Set([
+  "String",
+  "StringBuilder",
+  "StringBuffer",
+  "Object",
+  "Class",
+  "Integer",
+  "Long",
+  "Double",
+  "Float",
+  "Boolean",
+  "Character",
+  "Byte",
+  "Short",
+  "Number",
+  "Math",
+  "System",
+  "Thread",
+  "Runnable",
+  "Throwable",
+  "Exception",
+  "RuntimeException",
+  "Error",
+  "Process",
+  "ProcessBuilder",
+  "Iterable",
+  "Comparable",
+  "CharSequence",
+  "Enum"
+]);
 function extractCallInfo(node, context) {
   const nameNode = node.childForFieldName("name");
   const methodName = nameNode ? getNodeText(nameNode) : "unknown";
@@ -6097,9 +6211,12 @@ function extractCallInfo(node, context) {
   const args2 = argsNode ? extractArguments(argsNode) : [];
   const enclosingMethod = findEnclosingMethod(node);
   const { resolved, resolution } = resolveMethodCall(methodName, receiver, context);
+  const { simpleName, fqn } = resolveReceiverType(receiver, context);
   return {
     method_name: methodName,
     receiver,
+    receiver_type: simpleName,
+    receiver_type_fqn: fqn,
     arguments: args2,
     location: {
       line: node.startPosition.row + 1,
@@ -6121,10 +6238,14 @@ function extractObjectCreation(node, context) {
     status: "resolved",
     target: `${typeName}.<init>`
   };
+  const simpleType = stripGenerics(typeName);
+  const { simpleName, fqn } = resolveFqn(simpleType, context);
   return {
     method_name: typeName,
     // Constructor name is the class name
     receiver: null,
+    receiver_type: simpleName,
+    receiver_type_fqn: fqn,
     arguments: args2,
     location: {
       line: node.startPosition.row + 1,
@@ -10057,6 +10178,23 @@ var DEFAULT_SINKS = [
   { method: "queryForObject", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
   { method: "queryForList", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
   { method: "queryForLong", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
+  // MyBatis mapper-interface methods (CWE-89, classified as mybatis_mapper_call)
+  // The actual SQL lives in the mapper's XML or @Select/@Update annotation —
+  // exploitability depends on whether the binding uses ${...} interpolation
+  // vs #{...} parameter binding. Surface as a distinct sink type so consumers
+  // can resolve the binding before reporting. See cognium-dev#24.
+  // The `class: '*Mapper'` suffix wildcard matches userMapper, OrderMapper, …
+  { method: "insert", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "insertSelective", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "update", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "updateByPrimaryKey", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "updateByPrimaryKeySelective", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "delete", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "deleteByPrimaryKey", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "selectOne", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "selectList", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "selectByPrimaryKey", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "selectByExample", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
   // Command Injection (CWE-78)
   { method: "exec", class: "Runtime", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0, 1] },
   { method: "start", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [] },
@@ -11951,6 +12089,14 @@ function matchesAnnotation(annotations, targetAnnotation) {
   return false;
 }
 function receiverMightBeClass(receiver, className) {
+  if (className.startsWith("*") && className.length > 1) {
+    const suffix = className.slice(1).toLowerCase();
+    let simpleReceiver = receiver;
+    if (simpleReceiver.includes(".") && !simpleReceiver.endsWith(")")) {
+      simpleReceiver = simpleReceiver.substring(simpleReceiver.lastIndexOf(".") + 1);
+    }
+    return simpleReceiver.toLowerCase().endsWith(suffix);
+  }
   if (receiver === className) {
     return true;
   }
@@ -12724,7 +12870,8 @@ var KNOWN_SINK_TYPES = /* @__PURE__ */ new Set([
   "log_injection",
   "xxe",
   "deserialization",
-  "code_injection"
+  "code_injection",
+  "mybatis_mapper_call"
 ]);
 function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
   const sanitizersAtTarget = sanitizersByLine.get(toLine);

package/dist/core/extractors/calls.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"calls.d.ts","sourceRoot":"","sources":["../../../src/core/extractors/calls.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAQ,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAgC,MAAM,sBAAsB,CAAC;AACnF,OAAO,EAA2D,KAAK,SAAS,EAAE,MAAM,cAAc,CAAC;AAkEvG;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,EAAE,SAAS,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,QAAQ,EAAE,CAgDzF"}
+{"version":3,"file":"calls.d.ts","sourceRoot":"","sources":["../../../src/core/extractors/calls.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAQ,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAgC,MAAM,sBAAsB,CAAC;AACnF,OAAO,EAA2D,KAAK,SAAS,EAAE,MAAM,cAAc,CAAC;AA8EvG;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,EAAE,SAAS,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,QAAQ,EAAE,CAgDzF"}