circle-ir 3.48.0 → 3.49.0

package/dist/browser/circle-ir.js

@@ -4752,14 +4752,46 @@ function extractJSClassInfo(node) {
     end_line: node.endPosition.row + 1
   };
 }
+function extractDecoratorName(node) {
+  const child = node.namedChildCount > 0 ? node.namedChild(0) : null;
+  if (!child) return null;
+  if (child.type === "identifier") return getNodeText(child);
+  if (child.type === "call_expression") {
+    const fn = child.childForFieldName("function");
+    if (fn) {
+      if (fn.type === "identifier") return getNodeText(fn);
+      if (fn.type === "member_expression") {
+        const propNode = fn.childForFieldName("property");
+        if (propNode) return getNodeText(propNode);
+      }
+    }
+  }
+  if (child.type === "member_expression") {
+    const propNode = child.childForFieldName("property");
+    if (propNode) return getNodeText(propNode);
+  }
+  return null;
+}
 function extractJSMethods(body2) {
   const methods = [];
+  let pendingDecorators = [];
   for (let i2 = 0; i2 < body2.childCount; i2++) {
     const child = body2.child(i2);
     if (!child) continue;
+    if (child.type === "decorator") {
+      const name2 = extractDecoratorName(child);
+      if (name2) pendingDecorators.push(name2);
+      continue;
+    }
+    if (child.type === "comment") continue;
     if (child.type === "method_definition") {
-      methods.push(extractJSMethodInfo(child));
+      const m = extractJSMethodInfo(child);
+      if (pendingDecorators.length > 0) {
+        m.annotations = pendingDecorators;
+      }
+      methods.push(m);
     }
+    pendingDecorators = [];
   }
   return methods;
 }
@@ -4921,10 +4953,18 @@ function extractJSParameters(params) {
       if (typeNode) {
         paramType = getNodeText(typeNode).replace(/^:\s*/, "");
       }
+      const decorators = [];
+      for (let j = 0; j < child.childCount; j++) {
+        const c = child.child(j);
+        if (c && c.type === "decorator") {
+          const name2 = extractDecoratorName(c);
+          if (name2) decorators.push(name2);
+        }
+      }
       parameters.push({
         name: paramName,
         type: paramType,
-        annotations: [],
+        annotations: decorators,
         line: child.startPosition.row + 1
       });
     }
@@ -11635,6 +11675,26 @@ var DEFAULT_SINKS = [
   { method: "setQuotedArgumentsEnabled", class: "Shell", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
   // Sandbox/script security
   { method: "onNewInstance", class: "SandboxInterceptor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  // Java Log Injection (slf4j / logback / java.util.logging) — CWE-117
+  // Issue #44: log.info/warn/error/debug emit the message argument and any
+  // {} format arguments to the log stream. Untrusted input forwarded into
+  // these calls allows log forging (newline injection) and downstream log
+  // analyzer pollution. Scoped to `java` so the generic method names don't
+  // collide with JS console / Python logger entries below.
+  { method: "info", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "warn", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "error", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "debug", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "trace", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  // java.util.logging.Logger uses the same class name `Logger` — same entries above cover it.
+  // Severity-tagged levels: SEVERE/WARNING/INFO/CONFIG/FINE/FINER/FINEST
+  { method: "severe", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "warning", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "config", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "fine", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "finer", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "finest", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "log", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [1, 2, 3], languages: ["java"] },
   // =========================================================================
   // Node.js/Express Sinks
   // =========================================================================
@@ -11687,13 +11747,47 @@ var DEFAULT_SINKS = [
   { method: "runInContext", class: "vm", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "runInNewContext", class: "vm", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "runInThisContext", class: "vm", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
-  // Node.js NoSQL Injection (MongoDB)
+  // Node.js NoSQL Injection (MongoDB native driver + mongoose) — CWE-943
+  // Issue #45: the bare `class: 'Collection'` constraint missed mongoose's
+  // fluent chains (mongoose.connection.db.collection('x').find({...})) and
+  // Model.find calls because the call-site receiver type does not resolve
+  // to `Collection`. Add classless+language-scoped entries for the
+  // MongoDB-specific method names (findOne/aggregate/updateOne/etc.) and
+  // mongoose `Model`/`Query` class entries. Bare `find` stays class-scoped
+  // to avoid colliding with Array.prototype.find.
   { method: "find", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "findOne", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "updateOne", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "updateMany", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "deleteOne", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "deleteMany", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
+  // Mongoose Model/Query class entries — Model.find/findOne/etc.
+  { method: "find", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOne", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findById", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOneAndUpdate", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "findOneAndDelete", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOneAndReplace", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "updateOne", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "updateMany", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "deleteOne", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "deleteMany", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "countDocuments", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "aggregate", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Mongoose Query class entries — chain methods returning Query
+  { method: "where", class: "Query", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "equals", class: "Query", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Classless MongoDB-specific method names (rare outside MongoDB APIs) —
+  // language-scoped to JS/TS. Excludes plain `find` (Array.prototype.find FP).
+  { method: "findOne", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOneAndUpdate", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "findOneAndDelete", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOneAndReplace", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "updateOne", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "updateMany", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "deleteOne", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "deleteMany", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "aggregate", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
   // Node.js SSRF (HTTP clients)
   { method: "get", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "post", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
@@ -11715,6 +11809,24 @@ var DEFAULT_SINKS = [
   { method: "post", class: "superagent", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   // node-fetch
   { method: "default", class: "node-fetch", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
+  // Node.js / JavaScript Log Injection (console.*) — CWE-117
+  // Issue #44: console.log/warn/error/info with tainted template literals
+  // allow log forging (newline-injection) and downstream log analyzer
+  // pollution. Scoped to JS/TS so the bare class `console` doesn't collide
+  // with Python `console` module or Java identifiers.
+  { method: "log", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "warn", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "error", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "info", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "debug", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "trace", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  // Node.js / Express Open Redirect — CWE-601
+  // Issue #46: `res.redirect(req.query.next)` did not fire because the
+  // legacy `class: 'Response'` constraint depended on receiver type
+  // resolution of the Express `res` parameter. Mirror Python's classless
+  // pattern with a language-scoped classless entry. The method name
+  // `redirect` is rare outside HTTP frameworks so the FP risk is low.
+  { method: "redirect", type: "open_redirect", cwe: "CWE-601", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
   // =========================================================================
   // Python Sinks
   // =========================================================================
@@ -11756,7 +11868,12 @@ var DEFAULT_SINKS = [
   { method: "rmtree", class: "shutil", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
   { method: "send_file", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["python"] },
   // Python XSS / SSTI
-  { method: "render_template_string", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
+  // Issue #54: Flask's `render_template_string(template_str)` with an
+  // attacker-controlled template string is Server-Side Template Injection
+  // (Jinja2 SSTI → RCE), not reflected XSS. Classify as code_injection
+  // (CWE-94) with critical severity to match `jinja2.Template().render()`
+  // and `Template.from_string()` entries above.
+  { method: "render_template_string", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["python"] },
   { method: "Markup", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
   { method: "mark_safe", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
   // Python SSRF
@@ -12119,6 +12236,13 @@ var DEFAULT_SANITIZERS = [
   { method: "secure_filename", class: "werkzeug.utils", removes: ["path_traversal"] },
   { method: "basename", class: "os.path", removes: ["path_traversal"] },
   { method: "normpath", class: "os.path", removes: ["path_traversal"] },
+  // Issue #48 part 2: realpath/abspath are canonical Python path-canonicalization
+  // functions (analogous to Java File.getCanonicalPath). Register on both
+  // `os.path` and the bare `path` receiver to cover `import os.path as path`.
+  { method: "realpath", class: "os.path", removes: ["path_traversal"] },
+  { method: "abspath", class: "os.path", removes: ["path_traversal"] },
+  { method: "realpath", class: "path", removes: ["path_traversal"] },
+  { method: "abspath", class: "path", removes: ["path_traversal"] },
   // Python Type coercion
   { method: "int", removes: ["sql_injection", "command_injection", "xss"] },
   { method: "float", removes: ["sql_injection", "command_injection"] },
@@ -12267,7 +12391,7 @@ var PYTHON_TAINTED_PATTERNS = [
 ];
 function analyzeTaint(calls, types, config = getDefaultConfig(), typeHierarchy, language, code) {
   const sourceLines = code !== void 0 ? code.split("\n") : void 0;
-  const sources = findSources(calls, types, config.sources, sourceLines);
+  const sources = findSources(calls, types, config.sources, sourceLines, language);
   const sinks = findSinks(calls, config.sinks, typeHierarchy, language, sourceLines);
   const sanitizers = findSanitizers(calls, types, config.sanitizers);
   return { sources, sinks, sanitizers };
@@ -12285,7 +12409,7 @@ function attachSourceLineCode(sources, sinks, code) {
     }
   }
 }
-function findSources(calls, types, patterns, sourceLines) {
+function findSources(calls, types, patterns, sourceLines, language) {
   const sources = [];
   for (const call of calls) {
     for (const pattern of patterns) {
@@ -12338,23 +12462,29 @@ function findSources(calls, types, patterns, sourceLines) {
       }
     }
   }
-  const RUST_EXTRACTOR_TYPES = /^(?:Json|Form|Query|Path|Extension|Multipart)(?:<|$)|^(?:Body|Bytes)$/;
+  const RUST_EXTRACTOR_KIND = /(?:^|::)(Json|Form|Query|Path|Extension|Multipart|Body|Bytes)(?:<|$)/;
   for (const type of types) {
     for (const method of type.methods) {
       for (const param of method.parameters) {
-        if (param.type && RUST_EXTRACTOR_TYPES.test(param.type)) {
-          const paramLine = param.line ?? method.start_line;
-          const alreadyExists = sources.some((s) => s.line === paramLine && s.type === "http_body");
-          if (!alreadyExists) {
-            sources.push({
-              type: "http_body",
-              location: `${param.type} ${param.name} in ${method.name}`,
-              severity: "high",
-              line: paramLine,
-              confidence: 1
-            });
-          }
-        }
+        if (!param.type) continue;
+        const kindMatch = RUST_EXTRACTOR_KIND.exec(param.type);
+        if (!kindMatch) continue;
+        const kind = kindMatch[1];
+        if (kind === "Extension") continue;
+        const sourceType = kind === "Form" || kind === "Query" || kind === "Path" ? "http_param" : "http_body";
+        const paramLine = param.line ?? method.start_line;
+        const alreadyExists = sources.some(
+          (s) => s.line === paramLine && s.variable === param.name
+        );
+        if (alreadyExists) continue;
+        sources.push({
+          type: sourceType,
+          location: `${param.type} ${param.name} in ${method.name}`,
+          severity: "high",
+          line: paramLine,
+          confidence: 1,
+          variable: param.name
+        });
       }
     }
   }
@@ -12436,6 +12566,15 @@ function findSources(calls, types, patterns, sourceLines) {
       s.code = sourceLines[s.line - 1]?.trim();
     }
   }
+  if (language === "rust" && sourceLines) {
+    const LET_BINDING = /^\s*let\s+(?:mut\s+)?([A-Za-z_]\w*)\s*(?::\s*[^=]+)?=/;
+    for (const s of result) {
+      if (s.variable && s.variable.length > 0) continue;
+      const lineText = sourceLines[s.line - 1] ?? "";
+      const m = LET_BINDING.exec(lineText);
+      if (m) s.variable = m[1];
+    }
+  }
   return result;
 }
 function isInterproceduralTaintableType(typeName) {
@@ -12541,6 +12680,20 @@ function isParameterizedQueryCall(call, pattern) {
   }
   return false;
 }
+function isSafePythonSubprocessCall(call, pattern, language) {
+  if (language !== "python") return false;
+  if (pattern.type !== "command_injection") return false;
+  if (pattern.class !== "subprocess") return false;
+  const arg0 = call.arguments.find((a) => a.position === 0);
+  if (!arg0) return false;
+  const expr0 = (arg0.literal ?? arg0.expression ?? "").trim();
+  if (!expr0.startsWith("[")) return false;
+  for (const a of call.arguments) {
+    const e = (a.expression ?? "").trim();
+    if (/^shell\s*=\s*True\b/.test(e)) return false;
+  }
+  return true;
+}
 var CLASS_LITERAL_RE = /^(?:[A-Za-z_][\w]*\.)*[A-Z][\w]*(?:\[\])*\.class$/;
 function argIsClassLiteral(call, position) {
   const arg = call.arguments.find((a) => a.position === position);
@@ -12557,6 +12710,9 @@ function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
         if (isParameterizedQueryCall(call, pattern)) {
           continue;
         }
+        if (isSafePythonSubprocessCall(call, pattern, language)) {
+          continue;
+        }
         if (pattern.safe_if_class_literal_at !== void 0 && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
           continue;
         }
@@ -12959,7 +13115,12 @@ function receiverMightBeClass(receiver, className) {
     "controller",
     "task",
     "thread",
-    "job"
+    "job",
+    // Short Python DB abbreviation; would otherwise prefix-match obscure XSS
+    // sink classes like XWiki's `CurrentTimePlugin` ('current'.startsWith('cur'))
+    // via the CamelCase word prefix heuristic and produce an xss FP on every
+    // `cur.execute(...)`. Resolved via commonMappings → ['Cursor']. See #65 / #48 pt3.
+    "cur"
   ]);
   const isAmbiguous = ambiguousIdentifiers.has(lowerReceiver);
   if (!isAmbiguous && lowerReceiver.length >= 3 && lowerClass.includes(lowerReceiver)) {
@@ -12969,7 +13130,9 @@ function receiverMightBeClass(receiver, className) {
   }
   if (!isAmbiguous && lowerReceiver.length >= 2) {
     if (lowerClass.startsWith(lowerReceiver) || lowerClass.endsWith(lowerReceiver)) {
-      return true;
+      if (lowerReceiver.length / lowerClass.length >= 0.4) {
+        return true;
+      }
     }
   }
   if (!isAmbiguous && lowerReceiver.length >= 3) {
@@ -12992,6 +13155,9 @@ function receiverMightBeClass(receiver, className) {
     ps: ["PreparedStatement"],
     rs: ["ResultSet"],
     template: ["JdbcTemplate"],
+    cur: ["Cursor"],
+    // Python DB-API cursor — see ambiguousIdentifiers note
+    cursor: ["Cursor"],
     // I/O
     writer: ["PrintWriter"],
     out: ["PrintWriter", "OutputStream"],
@@ -17394,7 +17560,7 @@ function isFalsePositive(result, sinkLine, taintedVar) {
   if (varValue && varValue.type !== "unknown" && !result.tainted.has(taintedVar)) {
     return { isFalsePositive: true, reason: `variable_is_constant: ${varValue.value}` };
   }
-  if (result.symbols.size > 0 && !result.tainted.has(taintedVar)) {
+  if (result.symbols.has(taintedVar) && !result.tainted.has(taintedVar)) {
     return { isFalsePositive: true, reason: "variable_not_tainted" };
   }
   return { isFalsePositive: false, reason: null };
@@ -21712,6 +21878,37 @@ function buildJavaScriptTaintedVars(sourceCode, language) {
   }
   return tainted;
 }
+function buildRustTaintedVars(sourceCode, seedVars) {
+  const derived = /* @__PURE__ */ new Map();
+  const knownTainted = new Set(seedVars);
+  const lines = sourceCode.split("\n");
+  let changed = true;
+  while (changed) {
+    changed = false;
+    for (let i2 = 0; i2 < lines.length; i2++) {
+      const line = lines[i2];
+      const trimmed = line.trimStart();
+      if (trimmed.startsWith("//")) continue;
+      const letMatch = line.match(
+        /^\s*let\s+(?:mut\s+)?([A-Za-z_]\w*)\s*(?::\s*[^=]+)?=\s*(.+?)(?:;|$)/
+      );
+      const assignMatch = !letMatch ? line.match(/^\s*([A-Za-z_]\w*)\s*=\s*(.+?)(?:;|$)/) : null;
+      const m = letMatch ?? assignMatch;
+      if (!m) continue;
+      const lhs = m[1];
+      const rhs = m[2];
+      if (lhs === "if" || lhs === "while" || lhs === "for" || lhs === "match" || lhs === "return") continue;
+      if (knownTainted.has(lhs)) continue;
+      const ref = [...knownTainted].some((v) => new RegExp(`\\b${v}\\b`).test(rhs));
+      if (ref) {
+        derived.set(lhs, i2 + 1);
+        knownTainted.add(lhs);
+        changed = true;
+      }
+    }
+  }
+  return derived;
+}
 var BASH_UNTRUSTED_ENV_PATTERNS = [
   /^USER_INPUT$/i,
   /^QUERY_STRING$/i,
@@ -22111,7 +22308,20 @@ function evaluateSimpleExpression(expr, symbols) {
 }
 function isStringLiteralExpression(expr) {
   const trimmed = expr.trim();
-  return trimmed.startsWith('"') && trimmed.endsWith('"') || trimmed.startsWith("'") && trimmed.endsWith("'");
+  if (trimmed.length < 2) return false;
+  const quote = trimmed[0];
+  if (quote !== '"' && quote !== "'") return false;
+  let i2 = 1;
+  while (i2 < trimmed.length) {
+    const c = trimmed[i2];
+    if (c === "\\") {
+      i2 += 2;
+      continue;
+    }
+    if (c === quote) return i2 === trimmed.length - 1;
+    i2++;
+  }
+  return false;
 }
 function filterCleanArraySinks(sinks, calls, taintedArrayElements, symbols) {
   const callsByLine = /* @__PURE__ */ new Map();
@@ -22296,7 +22506,7 @@ var TaintPropagationPass = class {
         flows.push(f);
       }
     }
-    const exprScanFlows = detectExpressionScanFlows(calls, sources, sinks, constProp.unreachableLines, ctx.code, ctx.language) ?? [];
+    const exprScanFlows = detectExpressionScanFlows(calls, sources, sinks, sanitizers, constProp.unreachableLines, ctx.code, ctx.language) ?? [];
     for (const f of exprScanFlows) {
       if (flows.some(
         (x) => x.source_line === f.source_line && x.sink_line === f.sink_line && x.sink_type === f.sink_type
@@ -22508,14 +22718,63 @@ function detectParameterSinkFlows(types, calls, sources, sinks, unreachableLines
   void types;
   return flows;
 }
-function detectExpressionScanFlows(calls, sources, sinks, unreachableLines, code, language) {
+function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachableLines, code, language) {
   const flows = [];
   const sourcesWithVar = sources.filter(
     (s) => typeof s.variable === "string" && s.variable.length > 0
   );
   if (sourcesWithVar.length === 0) return flows;
+  const aliasSanitizedFor = /* @__PURE__ */ new Map();
   if (language === "python" && typeof code === "string") {
     const derived = buildPythonTaintedVars(code);
+    if (derived.size > 0) {
+      let anchor = sourcesWithVar[0];
+      for (const s of sourcesWithVar) {
+        if (s.line < anchor.line) anchor = s;
+      }
+      const existingVars = new Set(sourcesWithVar.map((s) => s.variable));
+      for (const [varName] of derived) {
+        if (!varName || existingVars.has(varName)) continue;
+        sourcesWithVar.push({
+          ...anchor,
+          variable: varName
+        });
+        existingVars.add(varName);
+      }
+      if (sanitizers && sanitizers.length > 0) {
+        const sanitizersByLine = /* @__PURE__ */ new Map();
+        for (const s of sanitizers) {
+          const arr = sanitizersByLine.get(s.line) ?? [];
+          arr.push(s);
+          sanitizersByLine.set(s.line, arr);
+        }
+        const codeLines = code.split("\n");
+        for (const [varName, originLine] of derived) {
+          const lineSans = sanitizersByLine.get(originLine);
+          if (!lineSans || lineSans.length === 0) continue;
+          const lineText = codeLines[originLine - 1] ?? "";
+          const rhsMatch = lineText.match(/^\s*\w+\s*=\s*(.+)$/);
+          if (!rhsMatch) continue;
+          const rhs = rhsMatch[1];
+          for (const san of lineSans) {
+            const sanMatch = san.method.match(/^(?:(\w+)\.)?(\w+)\(\)$/);
+            if (!sanMatch) continue;
+            const sanName = sanMatch[1] ? `${sanMatch[1]}.${sanMatch[2]}` : sanMatch[2];
+            if (!rhs.includes(`${sanName}(`)) continue;
+            let set = aliasSanitizedFor.get(varName);
+            if (!set) {
+              set = /* @__PURE__ */ new Set();
+              aliasSanitizedFor.set(varName, set);
+            }
+            for (const t of san.sanitizes) set.add(t);
+          }
+        }
+      }
+    }
+  }
+  if (language === "rust" && typeof code === "string") {
+    const seedVars = new Set(sourcesWithVar.map((s) => s.variable));
+    const derived = buildRustTaintedVars(code, seedVars);
     if (derived.size > 0) {
       let anchor = sourcesWithVar[0];
       for (const s of sourcesWithVar) {
@@ -22561,6 +22820,9 @@ function detectExpressionScanFlows(calls, sources, sinks, unreachableLines, code
           if (flows.some(
             (f) => f.source_line === source.line && f.sink_line === sink.line && f.sink_type === sink.type
           )) continue;
+          if (aliasSanitizedFor.get(source.variable)?.has(sink.type)) {
+            break;
+          }
           flows.push({
             source_line: source.line,
             sink_line: sink.line,
@@ -22705,6 +22967,9 @@ var InterproceduralPass = class {
         }
       }
     }
+    if (additionalSinks.length > 0) {
+      attachSourceLineCode([], additionalSinks, ctx.code);
+    }
     return { additionalSinks, additionalFlows, interprocedural };
   }
 };
@@ -26703,6 +26968,70 @@ function isPotentialPojo(type) {
   return first >= 65 && first <= 90;
 }
 
+// src/analysis/passes/insecure-cookie-pass.ts
+var COOKIE_RESPONSE_RECEIVERS = /* @__PURE__ */ new Set([
+  "res",
+  "response",
+  "reply"
+]);
+var SECURE_TRUE_RE = /\bsecure\s*:\s*true\b/;
+var HTTPONLY_TRUE_RE = /\bhttpOnly\s*:\s*true\b/i;
+var InsecureCookiePass = class {
+  name = "insecure-cookie";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language !== "javascript" && language !== "typescript") {
+      return { insecureCookies: [] };
+    }
+    const file = graph.ir.meta.file;
+    const insecureCookies = [];
+    for (const call of graph.ir.calls) {
+      if (call.method_name !== "cookie") continue;
+      const receiver = call.receiver ?? "";
+      if (!COOKIE_RESPONSE_RECEIVERS.has(receiver)) continue;
+      if (call.arguments.length < 2) continue;
+      const opts = call.arguments.find((a) => a.position === 2);
+      const optsExpr = (opts?.expression ?? "").trim();
+      const optionsPresent = optsExpr.length > 0;
+      const missingSecure = !SECURE_TRUE_RE.test(optsExpr);
+      const missingHttpOnly = !HTTPONLY_TRUE_RE.test(optsExpr);
+      if (!missingSecure && !missingHttpOnly) continue;
+      const line = call.location.line;
+      insecureCookies.push({
+        line,
+        receiver,
+        missingSecure,
+        missingHttpOnly,
+        optionsPresent
+      });
+      const missing = [];
+      if (missingSecure) missing.push("`secure: true`");
+      if (missingHttpOnly) missing.push("`httpOnly: true`");
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-614",
+        severity: "medium",
+        level: "warning",
+        message: `Cookie set without ${missing.join(" and ")} \u2014 vulnerable to cleartext transmission (CWE-614) and client-side JS access (CWE-1004).`,
+        file,
+        line,
+        fix: 'Pass `{ secure: true, httpOnly: true, sameSite: "lax" }` as the third argument to `res.cookie()`.',
+        evidence: {
+          receiver,
+          options_present: optionsPresent,
+          missing_secure: missingSecure,
+          missing_http_only: missingHttpOnly
+        }
+      });
+    }
+    return { insecureCookies };
+  }
+};
+
 // src/analysis/metrics/passes/size-metrics-pass.ts
 var SizeMetricsPass = class {
   name = "size-metrics";
@@ -27599,6 +27928,7 @@ async function analyze(code, filePath, language, options = {}) {
     if (!disabledPasses.has("naming-convention")) pipeline.add(new NamingConventionPass(passOpts.namingConvention));
     if (!disabledPasses.has("security-headers")) pipeline.add(new SecurityHeadersPass(passOpts.securityHeaders));
     if (!disabledPasses.has("spring4shell")) pipeline.add(new Spring4ShellPass());
+    if (!disabledPasses.has("insecure-cookie")) pipeline.add(new InsecureCookiePass());
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");