circle-ir 3.48.0 → 3.49.0

package/dist/core/circle-ir-core.cjs

@@ -4798,14 +4798,46 @@ function extractJSClassInfo(node) {
     end_line: node.endPosition.row + 1
   };
 }
+function extractDecoratorName(node) {
+  const child = node.namedChildCount > 0 ? node.namedChild(0) : null;
+  if (!child) return null;
+  if (child.type === "identifier") return getNodeText(child);
+  if (child.type === "call_expression") {
+    const fn = child.childForFieldName("function");
+    if (fn) {
+      if (fn.type === "identifier") return getNodeText(fn);
+      if (fn.type === "member_expression") {
+        const propNode = fn.childForFieldName("property");
+        if (propNode) return getNodeText(propNode);
+      }
+    }
+  }
+  if (child.type === "member_expression") {
+    const propNode = child.childForFieldName("property");
+    if (propNode) return getNodeText(propNode);
+  }
+  return null;
+}
 function extractJSMethods(body2) {
   const methods = [];
+  let pendingDecorators = [];
   for (let i2 = 0; i2 < body2.childCount; i2++) {
     const child = body2.child(i2);
     if (!child) continue;
+    if (child.type === "decorator") {
+      const name2 = extractDecoratorName(child);
+      if (name2) pendingDecorators.push(name2);
+      continue;
+    }
+    if (child.type === "comment") continue;
     if (child.type === "method_definition") {
-      methods.push(extractJSMethodInfo(child));
+      const m = extractJSMethodInfo(child);
+      if (pendingDecorators.length > 0) {
+        m.annotations = pendingDecorators;
+      }
+      methods.push(m);
     }
+    pendingDecorators = [];
   }
   return methods;
 }
@@ -4967,10 +4999,18 @@ function extractJSParameters(params) {
       if (typeNode) {
         paramType = getNodeText(typeNode).replace(/^:\s*/, "");
       }
+      const decorators = [];
+      for (let j = 0; j < child.childCount; j++) {
+        const c = child.child(j);
+        if (c && c.type === "decorator") {
+          const name2 = extractDecoratorName(c);
+          if (name2) decorators.push(name2);
+        }
+      }
       parameters.push({
         name: paramName,
         type: paramType,
-        annotations: [],
+        annotations: decorators,
         line: child.startPosition.row + 1
       });
     }
@@ -11017,6 +11057,26 @@ var DEFAULT_SINKS = [
   { method: "setQuotedArgumentsEnabled", class: "Shell", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
   // Sandbox/script security
   { method: "onNewInstance", class: "SandboxInterceptor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  // Java Log Injection (slf4j / logback / java.util.logging) — CWE-117
+  // Issue #44: log.info/warn/error/debug emit the message argument and any
+  // {} format arguments to the log stream. Untrusted input forwarded into
+  // these calls allows log forging (newline injection) and downstream log
+  // analyzer pollution. Scoped to `java` so the generic method names don't
+  // collide with JS console / Python logger entries below.
+  { method: "info", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "warn", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "error", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "debug", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "trace", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  // java.util.logging.Logger uses the same class name `Logger` — same entries above cover it.
+  // Severity-tagged levels: SEVERE/WARNING/INFO/CONFIG/FINE/FINER/FINEST
+  { method: "severe", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "warning", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "config", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "fine", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "finer", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "finest", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "log", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [1, 2, 3], languages: ["java"] },
   // =========================================================================
   // Node.js/Express Sinks
   // =========================================================================
@@ -11069,13 +11129,47 @@ var DEFAULT_SINKS = [
   { method: "runInContext", class: "vm", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "runInNewContext", class: "vm", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "runInThisContext", class: "vm", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
-  // Node.js NoSQL Injection (MongoDB)
+  // Node.js NoSQL Injection (MongoDB native driver + mongoose) — CWE-943
+  // Issue #45: the bare `class: 'Collection'` constraint missed mongoose's
+  // fluent chains (mongoose.connection.db.collection('x').find({...})) and
+  // Model.find calls because the call-site receiver type does not resolve
+  // to `Collection`. Add classless+language-scoped entries for the
+  // MongoDB-specific method names (findOne/aggregate/updateOne/etc.) and
+  // mongoose `Model`/`Query` class entries. Bare `find` stays class-scoped
+  // to avoid colliding with Array.prototype.find.
   { method: "find", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "findOne", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "updateOne", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "updateMany", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "deleteOne", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "deleteMany", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
+  // Mongoose Model/Query class entries — Model.find/findOne/etc.
+  { method: "find", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOne", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findById", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOneAndUpdate", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "findOneAndDelete", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOneAndReplace", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "updateOne", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "updateMany", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "deleteOne", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "deleteMany", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "countDocuments", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "aggregate", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Mongoose Query class entries — chain methods returning Query
+  { method: "where", class: "Query", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "equals", class: "Query", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Classless MongoDB-specific method names (rare outside MongoDB APIs) —
+  // language-scoped to JS/TS. Excludes plain `find` (Array.prototype.find FP).
+  { method: "findOne", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOneAndUpdate", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "findOneAndDelete", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOneAndReplace", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "updateOne", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "updateMany", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "deleteOne", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "deleteMany", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "aggregate", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
   // Node.js SSRF (HTTP clients)
   { method: "get", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "post", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
@@ -11097,6 +11191,24 @@ var DEFAULT_SINKS = [
   { method: "post", class: "superagent", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   // node-fetch
   { method: "default", class: "node-fetch", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
+  // Node.js / JavaScript Log Injection (console.*) — CWE-117
+  // Issue #44: console.log/warn/error/info with tainted template literals
+  // allow log forging (newline-injection) and downstream log analyzer
+  // pollution. Scoped to JS/TS so the bare class `console` doesn't collide
+  // with Python `console` module or Java identifiers.
+  { method: "log", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "warn", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "error", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "info", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "debug", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "trace", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  // Node.js / Express Open Redirect — CWE-601
+  // Issue #46: `res.redirect(req.query.next)` did not fire because the
+  // legacy `class: 'Response'` constraint depended on receiver type
+  // resolution of the Express `res` parameter. Mirror Python's classless
+  // pattern with a language-scoped classless entry. The method name
+  // `redirect` is rare outside HTTP frameworks so the FP risk is low.
+  { method: "redirect", type: "open_redirect", cwe: "CWE-601", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
   // =========================================================================
   // Python Sinks
   // =========================================================================
@@ -11138,7 +11250,12 @@ var DEFAULT_SINKS = [
   { method: "rmtree", class: "shutil", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
   { method: "send_file", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["python"] },
   // Python XSS / SSTI
-  { method: "render_template_string", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
+  // Issue #54: Flask's `render_template_string(template_str)` with an
+  // attacker-controlled template string is Server-Side Template Injection
+  // (Jinja2 SSTI → RCE), not reflected XSS. Classify as code_injection
+  // (CWE-94) with critical severity to match `jinja2.Template().render()`
+  // and `Template.from_string()` entries above.
+  { method: "render_template_string", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["python"] },
   { method: "Markup", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
   { method: "mark_safe", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
   // Python SSRF
@@ -11501,6 +11618,13 @@ var DEFAULT_SANITIZERS = [
   { method: "secure_filename", class: "werkzeug.utils", removes: ["path_traversal"] },
   { method: "basename", class: "os.path", removes: ["path_traversal"] },
   { method: "normpath", class: "os.path", removes: ["path_traversal"] },
+  // Issue #48 part 2: realpath/abspath are canonical Python path-canonicalization
+  // functions (analogous to Java File.getCanonicalPath). Register on both
+  // `os.path` and the bare `path` receiver to cover `import os.path as path`.
+  { method: "realpath", class: "os.path", removes: ["path_traversal"] },
+  { method: "abspath", class: "os.path", removes: ["path_traversal"] },
+  { method: "realpath", class: "path", removes: ["path_traversal"] },
+  { method: "abspath", class: "path", removes: ["path_traversal"] },
   // Python Type coercion
   { method: "int", removes: ["sql_injection", "command_injection", "xss"] },
   { method: "float", removes: ["sql_injection", "command_injection"] },
@@ -11562,7 +11686,7 @@ var PYTHON_TAINTED_PATTERNS = [
 ];
 function analyzeTaint(calls, types, config = getDefaultConfig(), typeHierarchy, language, code) {
   const sourceLines = code !== void 0 ? code.split("\n") : void 0;
-  const sources = findSources(calls, types, config.sources, sourceLines);
+  const sources = findSources(calls, types, config.sources, sourceLines, language);
   const sinks = findSinks(calls, config.sinks, typeHierarchy, language, sourceLines);
   const sanitizers = findSanitizers(calls, types, config.sanitizers);
   return { sources, sinks, sanitizers };
@@ -11580,7 +11704,7 @@ function attachSourceLineCode(sources, sinks, code) {
     }
   }
 }
-function findSources(calls, types, patterns, sourceLines) {
+function findSources(calls, types, patterns, sourceLines, language) {
   const sources = [];
   for (const call of calls) {
     for (const pattern of patterns) {
@@ -11633,23 +11757,29 @@ function findSources(calls, types, patterns, sourceLines) {
       }
     }
   }
-  const RUST_EXTRACTOR_TYPES = /^(?:Json|Form|Query|Path|Extension|Multipart)(?:<|$)|^(?:Body|Bytes)$/;
+  const RUST_EXTRACTOR_KIND = /(?:^|::)(Json|Form|Query|Path|Extension|Multipart|Body|Bytes)(?:<|$)/;
   for (const type of types) {
     for (const method of type.methods) {
       for (const param of method.parameters) {
-        if (param.type && RUST_EXTRACTOR_TYPES.test(param.type)) {
-          const paramLine = param.line ?? method.start_line;
-          const alreadyExists = sources.some((s) => s.line === paramLine && s.type === "http_body");
-          if (!alreadyExists) {
-            sources.push({
-              type: "http_body",
-              location: `${param.type} ${param.name} in ${method.name}`,
-              severity: "high",
-              line: paramLine,
-              confidence: 1
-            });
-          }
-        }
+        if (!param.type) continue;
+        const kindMatch = RUST_EXTRACTOR_KIND.exec(param.type);
+        if (!kindMatch) continue;
+        const kind = kindMatch[1];
+        if (kind === "Extension") continue;
+        const sourceType = kind === "Form" || kind === "Query" || kind === "Path" ? "http_param" : "http_body";
+        const paramLine = param.line ?? method.start_line;
+        const alreadyExists = sources.some(
+          (s) => s.line === paramLine && s.variable === param.name
+        );
+        if (alreadyExists) continue;
+        sources.push({
+          type: sourceType,
+          location: `${param.type} ${param.name} in ${method.name}`,
+          severity: "high",
+          line: paramLine,
+          confidence: 1,
+          variable: param.name
+        });
       }
     }
   }
@@ -11731,6 +11861,15 @@ function findSources(calls, types, patterns, sourceLines) {
       s.code = sourceLines[s.line - 1]?.trim();
     }
   }
+  if (language === "rust" && sourceLines) {
+    const LET_BINDING = /^\s*let\s+(?:mut\s+)?([A-Za-z_]\w*)\s*(?::\s*[^=]+)?=/;
+    for (const s of result) {
+      if (s.variable && s.variable.length > 0) continue;
+      const lineText = sourceLines[s.line - 1] ?? "";
+      const m = LET_BINDING.exec(lineText);
+      if (m) s.variable = m[1];
+    }
+  }
   return result;
 }
 function isInterproceduralTaintableType(typeName) {
@@ -11836,6 +11975,20 @@ function isParameterizedQueryCall(call, pattern) {
   }
   return false;
 }
+function isSafePythonSubprocessCall(call, pattern, language) {
+  if (language !== "python") return false;
+  if (pattern.type !== "command_injection") return false;
+  if (pattern.class !== "subprocess") return false;
+  const arg0 = call.arguments.find((a) => a.position === 0);
+  if (!arg0) return false;
+  const expr0 = (arg0.literal ?? arg0.expression ?? "").trim();
+  if (!expr0.startsWith("[")) return false;
+  for (const a of call.arguments) {
+    const e = (a.expression ?? "").trim();
+    if (/^shell\s*=\s*True\b/.test(e)) return false;
+  }
+  return true;
+}
 var CLASS_LITERAL_RE = /^(?:[A-Za-z_][\w]*\.)*[A-Z][\w]*(?:\[\])*\.class$/;
 function argIsClassLiteral(call, position) {
   const arg = call.arguments.find((a) => a.position === position);
@@ -11852,6 +12005,9 @@ function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
         if (isParameterizedQueryCall(call, pattern)) {
           continue;
         }
+        if (isSafePythonSubprocessCall(call, pattern, language)) {
+          continue;
+        }
         if (pattern.safe_if_class_literal_at !== void 0 && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
           continue;
         }
@@ -12254,7 +12410,12 @@ function receiverMightBeClass(receiver, className) {
     "controller",
     "task",
     "thread",
-    "job"
+    "job",
+    // Short Python DB abbreviation; would otherwise prefix-match obscure XSS
+    // sink classes like XWiki's `CurrentTimePlugin` ('current'.startsWith('cur'))
+    // via the CamelCase word prefix heuristic and produce an xss FP on every
+    // `cur.execute(...)`. Resolved via commonMappings → ['Cursor']. See #65 / #48 pt3.
+    "cur"
   ]);
   const isAmbiguous = ambiguousIdentifiers.has(lowerReceiver);
   if (!isAmbiguous && lowerReceiver.length >= 3 && lowerClass.includes(lowerReceiver)) {
@@ -12264,7 +12425,9 @@ function receiverMightBeClass(receiver, className) {
   }
   if (!isAmbiguous && lowerReceiver.length >= 2) {
     if (lowerClass.startsWith(lowerReceiver) || lowerClass.endsWith(lowerReceiver)) {
-      return true;
+      if (lowerReceiver.length / lowerClass.length >= 0.4) {
+        return true;
+      }
     }
   }
   if (!isAmbiguous && lowerReceiver.length >= 3) {
@@ -12287,6 +12450,9 @@ function receiverMightBeClass(receiver, className) {
     ps: ["PreparedStatement"],
     rs: ["ResultSet"],
     template: ["JdbcTemplate"],
+    cur: ["Cursor"],
+    // Python DB-API cursor — see ambiguousIdentifiers note
+    cursor: ["Cursor"],
     // I/O
     writer: ["PrintWriter"],
     out: ["PrintWriter", "OutputStream"],
@@ -15334,7 +15500,7 @@ function isFalsePositive(result, sinkLine, taintedVar) {
   if (varValue && varValue.type !== "unknown" && !result.tainted.has(taintedVar)) {
     return { isFalsePositive: true, reason: `variable_is_constant: ${varValue.value}` };
   }
-  if (result.symbols.size > 0 && !result.tainted.has(taintedVar)) {
+  if (result.symbols.has(taintedVar) && !result.tainted.has(taintedVar)) {
     return { isFalsePositive: true, reason: "variable_not_tainted" };
   }
   return { isFalsePositive: false, reason: null };