circle-ir 3.48.0 → 3.49.0

package/dist/core/circle-ir-core.js

@@ -4732,14 +4732,46 @@ function extractJSClassInfo(node) {
     end_line: node.endPosition.row + 1
   };
 }
+function extractDecoratorName(node) {
+  const child = node.namedChildCount > 0 ? node.namedChild(0) : null;
+  if (!child) return null;
+  if (child.type === "identifier") return getNodeText(child);
+  if (child.type === "call_expression") {
+    const fn = child.childForFieldName("function");
+    if (fn) {
+      if (fn.type === "identifier") return getNodeText(fn);
+      if (fn.type === "member_expression") {
+        const propNode = fn.childForFieldName("property");
+        if (propNode) return getNodeText(propNode);
+      }
+    }
+  }
+  if (child.type === "member_expression") {
+    const propNode = child.childForFieldName("property");
+    if (propNode) return getNodeText(propNode);
+  }
+  return null;
+}
 function extractJSMethods(body2) {
   const methods = [];
+  let pendingDecorators = [];
   for (let i2 = 0; i2 < body2.childCount; i2++) {
     const child = body2.child(i2);
     if (!child) continue;
+    if (child.type === "decorator") {
+      const name2 = extractDecoratorName(child);
+      if (name2) pendingDecorators.push(name2);
+      continue;
+    }
+    if (child.type === "comment") continue;
     if (child.type === "method_definition") {
-      methods.push(extractJSMethodInfo(child));
+      const m = extractJSMethodInfo(child);
+      if (pendingDecorators.length > 0) {
+        m.annotations = pendingDecorators;
+      }
+      methods.push(m);
     }
+    pendingDecorators = [];
   }
   return methods;
 }
@@ -4901,10 +4933,18 @@ function extractJSParameters(params) {
       if (typeNode) {
         paramType = getNodeText(typeNode).replace(/^:\s*/, "");
       }
+      const decorators = [];
+      for (let j = 0; j < child.childCount; j++) {
+        const c = child.child(j);
+        if (c && c.type === "decorator") {
+          const name2 = extractDecoratorName(c);
+          if (name2) decorators.push(name2);
+        }
+      }
       parameters.push({
         name: paramName,
         type: paramType,
-        annotations: [],
+        annotations: decorators,
         line: child.startPosition.row + 1
       });
     }
@@ -10951,6 +10991,26 @@ var DEFAULT_SINKS = [
   { method: "setQuotedArgumentsEnabled", class: "Shell", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
   // Sandbox/script security
   { method: "onNewInstance", class: "SandboxInterceptor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  // Java Log Injection (slf4j / logback / java.util.logging) — CWE-117
+  // Issue #44: log.info/warn/error/debug emit the message argument and any
+  // {} format arguments to the log stream. Untrusted input forwarded into
+  // these calls allows log forging (newline injection) and downstream log
+  // analyzer pollution. Scoped to `java` so the generic method names don't
+  // collide with JS console / Python logger entries below.
+  { method: "info", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "warn", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "error", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "debug", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "trace", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  // java.util.logging.Logger uses the same class name `Logger` — same entries above cover it.
+  // Severity-tagged levels: SEVERE/WARNING/INFO/CONFIG/FINE/FINER/FINEST
+  { method: "severe", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "warning", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "config", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "fine", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "finer", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "finest", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "log", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [1, 2, 3], languages: ["java"] },
   // =========================================================================
   // Node.js/Express Sinks
   // =========================================================================
@@ -11003,13 +11063,47 @@ var DEFAULT_SINKS = [
   { method: "runInContext", class: "vm", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "runInNewContext", class: "vm", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "runInThisContext", class: "vm", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
-  // Node.js NoSQL Injection (MongoDB)
+  // Node.js NoSQL Injection (MongoDB native driver + mongoose) — CWE-943
+  // Issue #45: the bare `class: 'Collection'` constraint missed mongoose's
+  // fluent chains (mongoose.connection.db.collection('x').find({...})) and
+  // Model.find calls because the call-site receiver type does not resolve
+  // to `Collection`. Add classless+language-scoped entries for the
+  // MongoDB-specific method names (findOne/aggregate/updateOne/etc.) and
+  // mongoose `Model`/`Query` class entries. Bare `find` stays class-scoped
+  // to avoid colliding with Array.prototype.find.
   { method: "find", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "findOne", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "updateOne", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "updateMany", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "deleteOne", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "deleteMany", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
+  // Mongoose Model/Query class entries — Model.find/findOne/etc.
+  { method: "find", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOne", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findById", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOneAndUpdate", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "findOneAndDelete", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOneAndReplace", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "updateOne", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "updateMany", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "deleteOne", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "deleteMany", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "countDocuments", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "aggregate", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Mongoose Query class entries — chain methods returning Query
+  { method: "where", class: "Query", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "equals", class: "Query", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Classless MongoDB-specific method names (rare outside MongoDB APIs) —
+  // language-scoped to JS/TS. Excludes plain `find` (Array.prototype.find FP).
+  { method: "findOne", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOneAndUpdate", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "findOneAndDelete", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOneAndReplace", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "updateOne", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "updateMany", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "deleteOne", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "deleteMany", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "aggregate", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
   // Node.js SSRF (HTTP clients)
   { method: "get", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "post", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
@@ -11031,6 +11125,24 @@ var DEFAULT_SINKS = [
   { method: "post", class: "superagent", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   // node-fetch
   { method: "default", class: "node-fetch", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
+  // Node.js / JavaScript Log Injection (console.*) — CWE-117
+  // Issue #44: console.log/warn/error/info with tainted template literals
+  // allow log forging (newline-injection) and downstream log analyzer
+  // pollution. Scoped to JS/TS so the bare class `console` doesn't collide
+  // with Python `console` module or Java identifiers.
+  { method: "log", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "warn", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "error", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "info", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "debug", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "trace", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  // Node.js / Express Open Redirect — CWE-601
+  // Issue #46: `res.redirect(req.query.next)` did not fire because the
+  // legacy `class: 'Response'` constraint depended on receiver type
+  // resolution of the Express `res` parameter. Mirror Python's classless
+  // pattern with a language-scoped classless entry. The method name
+  // `redirect` is rare outside HTTP frameworks so the FP risk is low.
+  { method: "redirect", type: "open_redirect", cwe: "CWE-601", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
   // =========================================================================
   // Python Sinks
   // =========================================================================
@@ -11072,7 +11184,12 @@ var DEFAULT_SINKS = [
   { method: "rmtree", class: "shutil", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
   { method: "send_file", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["python"] },
   // Python XSS / SSTI
-  { method: "render_template_string", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
+  // Issue #54: Flask's `render_template_string(template_str)` with an
+  // attacker-controlled template string is Server-Side Template Injection
+  // (Jinja2 SSTI → RCE), not reflected XSS. Classify as code_injection
+  // (CWE-94) with critical severity to match `jinja2.Template().render()`
+  // and `Template.from_string()` entries above.
+  { method: "render_template_string", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["python"] },
   { method: "Markup", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
   { method: "mark_safe", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
   // Python SSRF
@@ -11435,6 +11552,13 @@ var DEFAULT_SANITIZERS = [
   { method: "secure_filename", class: "werkzeug.utils", removes: ["path_traversal"] },
   { method: "basename", class: "os.path", removes: ["path_traversal"] },
   { method: "normpath", class: "os.path", removes: ["path_traversal"] },
+  // Issue #48 part 2: realpath/abspath are canonical Python path-canonicalization
+  // functions (analogous to Java File.getCanonicalPath). Register on both
+  // `os.path` and the bare `path` receiver to cover `import os.path as path`.
+  { method: "realpath", class: "os.path", removes: ["path_traversal"] },
+  { method: "abspath", class: "os.path", removes: ["path_traversal"] },
+  { method: "realpath", class: "path", removes: ["path_traversal"] },
+  { method: "abspath", class: "path", removes: ["path_traversal"] },
   // Python Type coercion
   { method: "int", removes: ["sql_injection", "command_injection", "xss"] },
   { method: "float", removes: ["sql_injection", "command_injection"] },
@@ -11496,7 +11620,7 @@ var PYTHON_TAINTED_PATTERNS = [
 ];
 function analyzeTaint(calls, types, config = getDefaultConfig(), typeHierarchy, language, code) {
   const sourceLines = code !== void 0 ? code.split("\n") : void 0;
-  const sources = findSources(calls, types, config.sources, sourceLines);
+  const sources = findSources(calls, types, config.sources, sourceLines, language);
   const sinks = findSinks(calls, config.sinks, typeHierarchy, language, sourceLines);
   const sanitizers = findSanitizers(calls, types, config.sanitizers);
   return { sources, sinks, sanitizers };
@@ -11514,7 +11638,7 @@ function attachSourceLineCode(sources, sinks, code) {
     }
   }
 }
-function findSources(calls, types, patterns, sourceLines) {
+function findSources(calls, types, patterns, sourceLines, language) {
   const sources = [];
   for (const call of calls) {
     for (const pattern of patterns) {
@@ -11567,23 +11691,29 @@ function findSources(calls, types, patterns, sourceLines) {
       }
     }
   }
-  const RUST_EXTRACTOR_TYPES = /^(?:Json|Form|Query|Path|Extension|Multipart)(?:<|$)|^(?:Body|Bytes)$/;
+  const RUST_EXTRACTOR_KIND = /(?:^|::)(Json|Form|Query|Path|Extension|Multipart|Body|Bytes)(?:<|$)/;
   for (const type of types) {
     for (const method of type.methods) {
       for (const param of method.parameters) {
-        if (param.type && RUST_EXTRACTOR_TYPES.test(param.type)) {
-          const paramLine = param.line ?? method.start_line;
-          const alreadyExists = sources.some((s) => s.line === paramLine && s.type === "http_body");
-          if (!alreadyExists) {
-            sources.push({
-              type: "http_body",
-              location: `${param.type} ${param.name} in ${method.name}`,
-              severity: "high",
-              line: paramLine,
-              confidence: 1
-            });
-          }
-        }
+        if (!param.type) continue;
+        const kindMatch = RUST_EXTRACTOR_KIND.exec(param.type);
+        if (!kindMatch) continue;
+        const kind = kindMatch[1];
+        if (kind === "Extension") continue;
+        const sourceType = kind === "Form" || kind === "Query" || kind === "Path" ? "http_param" : "http_body";
+        const paramLine = param.line ?? method.start_line;
+        const alreadyExists = sources.some(
+          (s) => s.line === paramLine && s.variable === param.name
+        );
+        if (alreadyExists) continue;
+        sources.push({
+          type: sourceType,
+          location: `${param.type} ${param.name} in ${method.name}`,
+          severity: "high",
+          line: paramLine,
+          confidence: 1,
+          variable: param.name
+        });
       }
     }
   }
@@ -11665,6 +11795,15 @@ function findSources(calls, types, patterns, sourceLines) {
       s.code = sourceLines[s.line - 1]?.trim();
     }
   }
+  if (language === "rust" && sourceLines) {
+    const LET_BINDING = /^\s*let\s+(?:mut\s+)?([A-Za-z_]\w*)\s*(?::\s*[^=]+)?=/;
+    for (const s of result) {
+      if (s.variable && s.variable.length > 0) continue;
+      const lineText = sourceLines[s.line - 1] ?? "";
+      const m = LET_BINDING.exec(lineText);
+      if (m) s.variable = m[1];
+    }
+  }
   return result;
 }
 function isInterproceduralTaintableType(typeName) {
@@ -11770,6 +11909,20 @@ function isParameterizedQueryCall(call, pattern) {
   }
   return false;
 }
+function isSafePythonSubprocessCall(call, pattern, language) {
+  if (language !== "python") return false;
+  if (pattern.type !== "command_injection") return false;
+  if (pattern.class !== "subprocess") return false;
+  const arg0 = call.arguments.find((a) => a.position === 0);
+  if (!arg0) return false;
+  const expr0 = (arg0.literal ?? arg0.expression ?? "").trim();
+  if (!expr0.startsWith("[")) return false;
+  for (const a of call.arguments) {
+    const e = (a.expression ?? "").trim();
+    if (/^shell\s*=\s*True\b/.test(e)) return false;
+  }
+  return true;
+}
 var CLASS_LITERAL_RE = /^(?:[A-Za-z_][\w]*\.)*[A-Z][\w]*(?:\[\])*\.class$/;
 function argIsClassLiteral(call, position) {
   const arg = call.arguments.find((a) => a.position === position);
@@ -11786,6 +11939,9 @@ function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
         if (isParameterizedQueryCall(call, pattern)) {
           continue;
         }
+        if (isSafePythonSubprocessCall(call, pattern, language)) {
+          continue;
+        }
         if (pattern.safe_if_class_literal_at !== void 0 && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
           continue;
         }
@@ -12188,7 +12344,12 @@ function receiverMightBeClass(receiver, className) {
     "controller",
     "task",
     "thread",
-    "job"
+    "job",
+    // Short Python DB abbreviation; would otherwise prefix-match obscure XSS
+    // sink classes like XWiki's `CurrentTimePlugin` ('current'.startsWith('cur'))
+    // via the CamelCase word prefix heuristic and produce an xss FP on every
+    // `cur.execute(...)`. Resolved via commonMappings → ['Cursor']. See #65 / #48 pt3.
+    "cur"
   ]);
   const isAmbiguous = ambiguousIdentifiers.has(lowerReceiver);
   if (!isAmbiguous && lowerReceiver.length >= 3 && lowerClass.includes(lowerReceiver)) {
@@ -12198,7 +12359,9 @@ function receiverMightBeClass(receiver, className) {
   }
   if (!isAmbiguous && lowerReceiver.length >= 2) {
     if (lowerClass.startsWith(lowerReceiver) || lowerClass.endsWith(lowerReceiver)) {
-      return true;
+      if (lowerReceiver.length / lowerClass.length >= 0.4) {
+        return true;
+      }
     }
   }
   if (!isAmbiguous && lowerReceiver.length >= 3) {
@@ -12221,6 +12384,9 @@ function receiverMightBeClass(receiver, className) {
     ps: ["PreparedStatement"],
     rs: ["ResultSet"],
     template: ["JdbcTemplate"],
+    cur: ["Cursor"],
+    // Python DB-API cursor — see ambiguousIdentifiers note
+    cursor: ["Cursor"],
     // I/O
     writer: ["PrintWriter"],
     out: ["PrintWriter", "OutputStream"],
@@ -15268,7 +15434,7 @@ function isFalsePositive(result, sinkLine, taintedVar) {
   if (varValue && varValue.type !== "unknown" && !result.tainted.has(taintedVar)) {
     return { isFalsePositive: true, reason: `variable_is_constant: ${varValue.value}` };
   }
-  if (result.symbols.size > 0 && !result.tainted.has(taintedVar)) {
+  if (result.symbols.has(taintedVar) && !result.tainted.has(taintedVar)) {
     return { isFalsePositive: true, reason: "variable_not_tainted" };
   }
   return { isFalsePositive: false, reason: null };

package/dist/core/extractors/types.js

@@ -560,18 +560,90 @@ function extractJSClassInfo(node) {
         end_line: node.endPosition.row + 1,
     };
 }
+/**
+ * Extract the name of a `decorator` node (TypeScript / NestJS / Angular etc).
+ *
+ * The grammar permits three shapes:
+ *   @Foo            → decorator > identifier
+ *   @Foo('bar')     → decorator > call_expression > identifier
+ *   @ns.Foo         → decorator > member_expression (use .property)
+ *   @ns.Foo('bar')  → decorator > call_expression > member_expression
+ */
+function extractDecoratorName(node) {
+    // tree-sitter-typescript stores the decorator expression as namedChild(0)
+    const child = node.namedChildCount > 0 ? node.namedChild(0) : null;
+    if (!child)
+        return null;
+    if (child.type === 'identifier')
+        return getNodeText(child);
+    if (child.type === 'call_expression') {
+        const fn = child.childForFieldName('function');
+        if (fn) {
+            if (fn.type === 'identifier')
+                return getNodeText(fn);
+            if (fn.type === 'member_expression') {
+                const propNode = fn.childForFieldName('property');
+                if (propNode)
+                    return getNodeText(propNode);
+            }
+        }
+    }
+    if (child.type === 'member_expression') {
+        const propNode = child.childForFieldName('property');
+        if (propNode)
+            return getNodeText(propNode);
+    }
+    return null;
+}
 /**
  * Extract JavaScript methods from a class body.
+ *
+ * Method-level decorators (TS / NestJS / Angular) appear as preceding
+ * `decorator` siblings of `method_definition` inside `class_body`. We accumulate
+ * them as we walk children and attach to the very next `method_definition`.
+ *
+ * IMPORTANT: `pendingDecorators` is reset on ANY non-decorator class member
+ * (field, accessor, abstract signature, …), not just method_definition. A
+ * decorator preceding a field like
+ *
+ *   @Inject('USER_REPO') private repo: Repository<User>;
+ *   @Get('search') async search(...) { ... }
+ *
+ * belongs to the field, not the method below. Failing to reset after the
+ * field_definition would silently transfer `Inject` onto `search.annotations`,
+ * polluting the IR consumed by taint-matcher.ts (`matchesAnnotation` against
+ * `pattern.method_annotation`).
  */
 function extractJSMethods(body) {
     const methods = [];
+    let pendingDecorators = [];
     for (let i = 0; i < body.childCount; i++) {
         const child = body.child(i);
         if (!child)
             continue;
+        if (child.type === 'decorator') {
+            const name = extractDecoratorName(child);
+            if (name)
+                pendingDecorators.push(name);
+            continue;
+        }
+        // Tree-sitter emits comments as anonymous children of `class_body`.
+        // A `// note` line between a decorator and its method must NOT clear
+        // the pending decorator list — skip without resetting.
+        if (child.type === 'comment')
+            continue;
         if (child.type === 'method_definition') {
-            methods.push(extractJSMethodInfo(child));
+            const m = extractJSMethodInfo(child);
+            if (pendingDecorators.length > 0) {
+                m.annotations = pendingDecorators;
+            }
+            methods.push(m);
         }
+        // Reset pending decorators on ANY non-decorator, non-comment child
+        // (method, field, accessor, abstract_method_signature,
+        // public_field_definition, …). Decorators only ever apply to the
+        // immediately-following member.
+        pendingDecorators = [];
     }
     return methods;
 }
@@ -776,10 +848,21 @@ function extractJSParameters(params) {
                 // type_annotation includes the leading ':'; strip it for storage parity with other languages
                 paramType = getNodeText(typeNode).replace(/^:\s*/, '');
             }
+            // Parameter decorators (NestJS @Query/@Param/@Body, Angular @Inject, etc.)
+            // appear as `decorator` children of the required_parameter node itself.
+            const decorators = [];
+            for (let j = 0; j < child.childCount; j++) {
+                const c = child.child(j);
+                if (c && c.type === 'decorator') {
+                    const name = extractDecoratorName(c);
+                    if (name)
+                        decorators.push(name);
+                }
+            }
             parameters.push({
                 name: paramName,
                 type: paramType,
-                annotations: [],
+                annotations: decorators,
                 line: child.startPosition.row + 1,
             });
         }