circle-ir 3.46.0 → 3.48.0

package/dist/browser/circle-ir.js

@@ -4127,11 +4127,13 @@ function disposeTree(tree) {
   }
 }
 function walkTree(node, visitor) {
-  visitor(node);
-  for (let i2 = 0; i2 < node.childCount; i2++) {
-    const child = node.child(i2);
-    if (child) {
-      walkTree(child, visitor);
+  const stack = [node];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    visitor(current);
+    for (let i2 = current.childCount - 1; i2 >= 0; i2--) {
+      const child = current.child(i2);
+      if (child) stack.push(child);
     }
   }
 }
@@ -16032,8 +16034,10 @@ var ConstantPropagator = class _ConstantPropagator {
    * These are variables declared directly in the class body, not inside methods.
    */
   collectClassFields(root) {
-    const traverse = (n, inClass, inMethod) => {
-      if (!n) return;
+    const stack = [root];
+    while (stack.length > 0) {
+      const n = stack.pop();
+      if (!n) continue;
       if (n.type === "class_body") {
         for (const child of n.children) {
           if (child.type === "field_declaration") {
@@ -16047,32 +16051,28 @@ var ConstantPropagator = class _ConstantPropagator {
               }
             }
           }
-          if (child.type === "method_declaration" || child.type === "constructor_declaration") {
-            traverse(child, true, true);
-          } else {
-            traverse(child, true, false);
-          }
+          stack.push(child);
         }
-        return;
+        continue;
       }
       for (const child of n.children) {
-        traverse(child, inClass, inMethod);
+        stack.push(child);
       }
-    };
-    traverse(root, false, false);
+    }
   }
   findAllMethods(node) {
     const methods = [];
-    const traverse = (n) => {
-      if (!n) return;
+    const stack = [node];
+    while (stack.length > 0) {
+      const n = stack.pop();
+      if (!n) continue;
       if (n.type === "method_declaration" || n.type === "function_declaration") {
         methods.push(n);
       }
       for (const child of n.children) {
-        if (child) traverse(child);
+        if (child) stack.push(child);
       }
-    };
-    traverse(node);
+    }
     return methods;
   }
   getMethodName(method) {
@@ -16123,9 +16123,24 @@ var ConstantPropagator = class _ConstantPropagator {
   // AST Visitor
   // ===========================================================================
   visit(node) {
+    const stack = [node];
+    while (stack.length > 0) {
+      const current = stack.pop();
+      if (this.visitOne(current)) continue;
+      for (let i2 = current.children.length - 1; i2 >= 0; i2--) {
+        stack.push(current.children[i2]);
+      }
+    }
+  }
+  /**
+   * Visit a single node. Returns true if the handler already descended into
+   * children (and the caller should NOT push them), false to fall through to
+   * the default pre-order descent.
+   */
+  visitOne(node) {
     const line = getNodeLine(node);
     if (this.unreachableLines.has(line)) {
-      return;
+      return true;
     }
     if (this.conditionStack.length > 0 && !this.lineConditions.has(line)) {
       this.lineConditions.set(line, this.conditionStack[this.conditionStack.length - 1]);
@@ -16134,43 +16149,41 @@ var ConstantPropagator = class _ConstantPropagator {
       case "method_declaration":
       case "constructor_declaration":
         this.handleMethodDeclaration(node);
-        return;
+        return true;
       // Don't visit children directly, handleMethodDeclaration does it
       case "local_variable_declaration":
         this.handleVariableDeclaration(node);
-        break;
+        return false;
       case "assignment_expression":
         this.handleAssignment(node);
-        break;
+        return false;
       case "update_expression":
         this.handleUpdateExpression(node);
-        break;
+        return false;
       case "if_statement":
         this.handleIfStatement(node);
-        return;
+        return true;
       case "switch_expression":
       case "switch_statement":
         this.handleSwitch(node);
-        return;
+        return true;
       case "ternary_expression":
         this.handleTernary(node);
-        break;
+        return false;
       case "expression_statement":
         this.handleExpressionStatement(node);
-        break;
+        return false;
       case "for_statement":
       case "enhanced_for_statement":
       case "while_statement":
       case "do_statement":
         this.handleLoopStatement(node);
-        return;
+        return true;
       case "synchronized_statement":
         this.handleSynchronizedStatement(node);
-        return;
+        return true;
       default:
-        for (const child of node.children) {
-          this.visit(child);
-        }
+        return false;
     }
   }
   /**
@@ -16938,6 +16951,19 @@ var ConstantPropagator = class _ConstantPropagator {
     return null;
   }
   isTaintedExpression(node) {
+    const stack = [node];
+    while (stack.length > 0) {
+      const current = stack.pop();
+      const result = this.isTaintedExpressionStep(current);
+      if (result === true) return true;
+      if (result === false) continue;
+      for (let i2 = current.children.length - 1; i2 >= 0; i2--) {
+        stack.push(current.children[i2]);
+      }
+    }
+    return false;
+  }
+  isTaintedExpressionStep(node) {
     const text = getNodeText2(node, this.source);
     if (node.type === "method_invocation") {
       const nameNode = node.childForFieldName("name");
@@ -17197,12 +17223,7 @@ var ConstantPropagator = class _ConstantPropagator {
       }
       return isTainted;
     }
-    for (const child of node.children) {
-      if (this.isTaintedExpression(child)) {
-        return true;
-      }
-    }
-    return false;
+    return void 0;
   }
   checkCollectionTaint(node) {
     const objectNode = node.childForFieldName("object");
@@ -17526,19 +17547,17 @@ var BaseLanguagePlugin = class {
    */
   findNodes(root, type) {
     const nodes = [];
-    const cursor = root.walk();
-    const visit = () => {
-      if (cursor.nodeType === type) {
-        nodes.push(cursor.currentNode);
+    const stack = [root];
+    while (stack.length > 0) {
+      const node = stack.pop();
+      if (node.type === type) {
+        nodes.push(node);
       }
-      if (cursor.gotoFirstChild()) {
-        do {
-          visit();
-        } while (cursor.gotoNextSibling());
-        cursor.gotoParent();
+      for (let i2 = node.childCount - 1; i2 >= 0; i2--) {
+        const child = node.child(i2);
+        if (child) stack.push(child);
       }
-    };
-    visit();
+    }
     return nodes;
   }
   /**
@@ -17894,16 +17913,17 @@ var JavaPlugin = class extends BaseLanguagePlugin {
         }
       }
     };
-    const walk = (node) => {
+    const stack = [tree.rootNode];
+    while (stack.length > 0) {
+      const node = stack.pop();
       if (node.type === "field_declaration" || node.type === "local_variable_declaration") {
         collectDecl(node);
       }
       for (let i2 = 0; i2 < node.childCount; i2++) {
         const child = node.child(i2);
-        if (child) walk(child);
+        if (child) stack.push(child);
       }
-    };
-    walk(tree.rootNode);
+    }
     this._typeMapCache.set(tree, map);
     return map;
   }
@@ -20700,16 +20720,18 @@ function extractHtmlContent(rootNode) {
   return { scriptBlocks, eventHandlers };
 }
 function walkNode(node, scriptBlocks, eventHandlers) {
-  if (node.type === "script_element") {
-    extractScriptBlock(node, scriptBlocks);
-  }
-  if (node.type === "element" || node.type === "self_closing_tag") {
-    extractEventHandlers(node, eventHandlers);
-  }
-  for (let i2 = 0; i2 < node.childCount; i2++) {
-    const child = node.child(i2);
-    if (child) {
-      walkNode(child, scriptBlocks, eventHandlers);
+  const stack = [node];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    if (current.type === "script_element") {
+      extractScriptBlock(current, scriptBlocks);
+    }
+    if (current.type === "element" || current.type === "self_closing_tag") {
+      extractEventHandlers(current, eventHandlers);
+    }
+    for (let i2 = current.childCount - 1; i2 >= 0; i2--) {
+      const child = current.child(i2);
+      if (child) stack.push(child);
     }
   }
 }
@@ -20806,13 +20828,15 @@ function runHtmlAttributeSecurityChecks(rootNode, filePath) {
   return findings;
 }
 function walkForSecurityChecks(node, filePath, findings) {
-  if (node.type === "element" || node.type === "self_closing_tag" || node.type === "script_element" || node.type === "style_element") {
-    checkElement(node, filePath, findings);
-  }
-  for (let i2 = 0; i2 < node.childCount; i2++) {
-    const child = node.child(i2);
-    if (child) {
-      walkForSecurityChecks(child, filePath, findings);
+  const stack = [node];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    if (current.type === "element" || current.type === "self_closing_tag" || current.type === "script_element" || current.type === "style_element") {
+      checkElement(current, filePath, findings);
+    }
+    for (let i2 = current.childCount - 1; i2 >= 0; i2--) {
+      const child = current.child(i2);
+      if (child) stack.push(child);
     }
   }
 }
@@ -26462,6 +26486,223 @@ var ScanSecretsPass = class {
   }
 };
 
+// src/analysis/passes/spring4shell-pass.ts
+var CONTROLLER_ANNOTATIONS = /* @__PURE__ */ new Set([
+  "Controller",
+  "RestController",
+  "ControllerAdvice",
+  "RestControllerAdvice"
+]);
+var ROUTE_ANNOTATIONS = /* @__PURE__ */ new Set([
+  "RequestMapping",
+  "GetMapping",
+  "PostMapping",
+  "PutMapping",
+  "DeleteMapping",
+  "PatchMapping"
+]);
+var BINDING_ANNOTATIONS = /* @__PURE__ */ new Set([
+  "RequestBody",
+  // JSON via Jackson (no DataBinder)
+  "RequestParam",
+  // scalar binding
+  "PathVariable",
+  // scalar binding
+  "RequestHeader",
+  // scalar binding
+  "CookieValue",
+  // scalar binding
+  "MatrixVariable",
+  // scalar binding
+  "ModelAttribute",
+  // explicit form binding — user opted in
+  "Valid",
+  // typically paired with @RequestBody / @ModelAttribute
+  "Validated",
+  "RequestPart",
+  // multipart, explicit
+  "SessionAttribute",
+  "RequestAttribute"
+]);
+var FRAMEWORK_PARAM_TYPES = /* @__PURE__ */ new Set([
+  // Servlet / HTTP
+  "HttpServletRequest",
+  "HttpServletResponse",
+  "ServletRequest",
+  "ServletResponse",
+  "HttpSession",
+  "ServletContext",
+  "Cookie",
+  // Spring MVC plumbing
+  "Model",
+  "ModelMap",
+  "ModelAndView",
+  "Map",
+  "BindingResult",
+  "Errors",
+  "RedirectAttributes",
+  "SessionStatus",
+  "WebRequest",
+  "NativeWebRequest",
+  "ServletWebRequest",
+  "UriComponentsBuilder",
+  "UriBuilder",
+  "HttpEntity",
+  "RequestEntity",
+  "ResponseEntity",
+  "HttpHeaders",
+  "InputStream",
+  "OutputStream",
+  "Reader",
+  "Writer",
+  // Reactive
+  "ServerHttpRequest",
+  "ServerHttpResponse",
+  "ServerWebExchange",
+  // Security / locale
+  "Principal",
+  "Authentication",
+  "Locale",
+  "TimeZone",
+  "ZoneId",
+  // Multipart
+  "MultipartFile",
+  "Part",
+  // Misc
+  "TimeZone"
+]);
+var SIMPLE_JAVA_TYPES = /* @__PURE__ */ new Set([
+  // Primitives
+  "boolean",
+  "byte",
+  "char",
+  "short",
+  "int",
+  "long",
+  "float",
+  "double",
+  "void",
+  // Boxed primitives
+  "Boolean",
+  "Byte",
+  "Character",
+  "Short",
+  "Integer",
+  "Long",
+  "Float",
+  "Double",
+  // Standard scalar-ish types
+  "String",
+  "CharSequence",
+  "BigInteger",
+  "BigDecimal",
+  "UUID",
+  // Date/time (Spring binds these via ConversionService, not DataBinder)
+  "Date",
+  "Calendar",
+  "Instant",
+  "LocalDate",
+  "LocalTime",
+  "LocalDateTime",
+  "OffsetDateTime",
+  "OffsetTime",
+  "ZonedDateTime",
+  "Duration",
+  "Period",
+  // Collections — first-class scalar list binding (?names=a&names=b)
+  "List",
+  "Set",
+  "Collection",
+  "Iterable",
+  "Optional"
+  // Arrays (handled by suffix check below)
+]);
+var Spring4ShellPass = class {
+  name = "spring4shell";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language !== "java") {
+      return { controllerMethodsScanned: 0, findingsEmitted: 0 };
+    }
+    const file = graph.ir.meta.file;
+    let scanned = 0;
+    let emitted = 0;
+    for (const type of graph.ir.types) {
+      if (!isController(type)) continue;
+      for (const method of type.methods) {
+        if (!isRouteHandler(method)) continue;
+        scanned++;
+        for (const param of method.parameters) {
+          if (!isVulnerableParameter(param)) continue;
+          ctx.addFinding({
+            id: `${this.name}-${file}-${method.start_line}-${param.name}`,
+            pass: this.name,
+            category: this.category,
+            rule_id: this.name,
+            cwe: "CWE-94",
+            severity: "high",
+            level: "error",
+            message: `Spring MVC controller method '${type.name}.${method.name}' binds parameter '${param.name}' of type '${param.type ?? "?"}' via implicit form-data binding (no @RequestBody / @RequestParam / @ModelAttribute) \u2014 vulnerable to Spring4Shell (CVE-2022-22965) class-graph RCE on Spring < 5.3.18 / 5.2.20`,
+            file,
+            line: param.line ?? method.start_line,
+            fix: "Annotate the parameter with @RequestBody (JSON) or @ModelAttribute + @InitBinder/setAllowedFields whitelisting, upgrade Spring to \u2265 5.3.18 / 5.2.20, and ensure JDK is patched.",
+            evidence: {
+              controller_class: type.name,
+              controller_annotations: type.annotations,
+              method: method.name,
+              method_annotations: method.annotations,
+              parameter_name: param.name,
+              parameter_type: param.type
+            }
+          });
+          emitted++;
+        }
+      }
+    }
+    return { controllerMethodsScanned: scanned, findingsEmitted: emitted };
+  }
+};
+function annotationHead(annotation) {
+  const parenIdx = annotation.indexOf("(");
+  return parenIdx >= 0 ? annotation.slice(0, parenIdx) : annotation;
+}
+function hasAnnotation(annotations, names) {
+  for (const a of annotations) {
+    if (names.has(annotationHead(a))) return true;
+  }
+  return false;
+}
+function isController(type) {
+  return hasAnnotation(type.annotations, CONTROLLER_ANNOTATIONS);
+}
+function isRouteHandler(method) {
+  return hasAnnotation(method.annotations, ROUTE_ANNOTATIONS);
+}
+function isVulnerableParameter(param) {
+  if (hasAnnotation(param.annotations, BINDING_ANNOTATIONS)) return false;
+  if (!param.type) return false;
+  const type = stripGenerics2(param.type).trim();
+  if (!type) return false;
+  if (type.endsWith("[]")) {
+    const elem = type.slice(0, -2).trim();
+    return !SIMPLE_JAVA_TYPES.has(elem) && isPotentialPojo(elem);
+  }
+  if (SIMPLE_JAVA_TYPES.has(type)) return false;
+  if (FRAMEWORK_PARAM_TYPES.has(type)) return false;
+  if (!isPotentialPojo(type)) return false;
+  return true;
+}
+function stripGenerics2(type) {
+  const ltIdx = type.indexOf("<");
+  return ltIdx >= 0 ? type.slice(0, ltIdx) : type;
+}
+function isPotentialPojo(type) {
+  if (type.length === 0) return false;
+  const first = type.charCodeAt(0);
+  return first >= 65 && first <= 90;
+}
+
 // src/analysis/metrics/passes/size-metrics-pass.ts
 var SizeMetricsPass = class {
   name = "size-metrics";
@@ -27357,6 +27598,7 @@ async function analyze(code, filePath, language, options = {}) {
     if (!disabledPasses.has("god-class")) pipeline.add(new GodClassPass());
     if (!disabledPasses.has("naming-convention")) pipeline.add(new NamingConventionPass(passOpts.namingConvention));
     if (!disabledPasses.has("security-headers")) pipeline.add(new SecurityHeadersPass(passOpts.securityHeaders));
+    if (!disabledPasses.has("spring4shell")) pipeline.add(new Spring4ShellPass());
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");